May 13, 2024 at 04:29PM
Cybercriminal “salfetka” is allegedly selling the source code of INC Ransom, a ransomware-as-a-service operation. The sale is announced on hacking forums, with a price tag of $300,000 and limitations on potential buyers. Additionally, INC Ransom is undergoing changes, possibly indicating a rift within its core team or plans for a new chapter involving a new encryptor. INC Ransom also announced the move to a new data leak extortion “blog,” with some overlap in victim lists and potential leadership changes or groups splitting. The new extortion page design resembles that of another RaaS operation, potentially indicating a connection. Private source code sales have the potential to create more trouble for organizations worldwide, especially if the Linux/ESXi version is involved. Reusing source code from old encryptors can also help ransomware gangs rebrand and obscure their trail for law enforcement and researchers.
Key takeaways:
1. A cybercriminal using the name “salfetka” is claiming to be selling the source code of INC Ransom, a ransomware-as-a-service (RaaS) operation.
2. The sale includes both the Windows and Linux/ESXi versions of INC for $300,000, and only three potential buyers are allowed.
3. The technical details mentioned in the forum post align with public analysis of INC Ransom samples, lending legitimacy to the sale.
4. “Salfetka” has been active on hacking forums since March 2024 and has been affiliated with the ransomware operation.
5. INC Ransom announced on its old leak site that it would move to a new data leak extortion “blog” and shared a new TOR address, suggesting a potential rift or change within the operation.
6. There are discrepancies between the old and new sites, with twelve new victims listed on the new site, suggesting a change within the operation.
7. The new extortion site design visually resembles that of Hunters International, indicating a potential connection with another RaaS operation.
8. Private source code sales for ransomware strains with no available decryptor have the potential to create more trouble for organizations worldwide.
These takeaways provide an overview of the situation with INC Ransom and “salfetka” and suggest potential shifts within the ransomware operation, including a new extortion site and the sale of the source code.