
INC ransomware source code available for purchase on hacking forums for $300,000


A cybercriminal going by the alias “salfetka” has recently claimed to be selling the source code of the INC Ransom ransomware-as-a-service (RaaS) operation, which was first launched in August 2023. This revelation comes after INC previously targeted notable entities such as the U.S. division of Xerox Business Solutions, Yamaha Motor Philippines, and most recently, Scotland’s National Health Service (NHS).

Amidst the alleged source code sale, significant changes are occurring within the INC Ransom operation. These developments may indicate a possible rift among core team members or an upcoming transition to a new phase involving the adoption of a new encryptor.

The individual behind the sale has announced the availability of both Windows and Linux/ESXi versions of INC Ransom on hacking forums such as Exploit and XSS. The seller is demanding $300,000 for the source code and has limited the number of potential buyers to three. Analysts from KELA, a threat intelligence firm, have confirmed that the technical specifics mentioned in the forum post, such as the use of AES-128 in CTR mode and the Curve25519 Donna implementation, align with previous public analyses of INC Ransom samples.

The credibility of the sale is further reinforced by “salfetka” including URLs of both the old and new INC Ransom pages in their signature, indicating a strong affiliation with the ransomware operation. However, skepticism remains, as the listing could be a scam by an actor who has meticulously built up the account’s history over the past few months to appear authentic.

On a separate note, INC Ransom announced its transition to a new data leak extortion “blog” on May 1, 2024. The operators have shared a new Tor address and disclosed their intention to shutter the old leak site within two to three months. The new site is already live; its victim list overlaps with the previous portal’s and adds twelve new victims, for a total of 64 entries compared to the old site’s 91.

Analysts from KELA have pointed out discrepancies between the two sites, suggesting potential leadership changes or operational splits within the organization. However, the acknowledgment of both sites by “salfetka” hints at the actor’s involvement across various facets of the operation. It is speculated that the creation of the new blog may be a strategic move to leverage additional profits from the ongoing source code sale.

The introduction of a new extortion page design for INC Ransom bears resemblance to that of Hunters International, hinting at a possible connection between the two RaaS operations. Private source code sales of ransomware strains without available decryptors can pose severe challenges for organizations globally, particularly when high-demand encryptors like the Linux/ESXi version are involved. These acquisitions empower threat actors, whether new entrants or seasoned groups, to enhance their capabilities with a well-established encryptor.

Furthermore, the reuse of source code from previous encryptors by ransomware gangs during rebranding efforts presents difficulties for researchers in linking older operations to new incarnations. Leveraging encryptors from other ransomware operations aids in obfuscating the trail for law enforcement and researchers, amplifying the operational security of malicious actors.

In conclusion, the evolving dynamics within the INC Ransom operation, coupled with the sale of its source code and shift to a new data leak platform, underscore the adaptability and resilience of cybercriminal entities in navigating the threat landscape. As ransomware continues to pose a significant security challenge, robust intelligence gathering and proactive security measures are paramount in combating such malicious activities.
