INC Ransomware Source Code Allegedly Up for Sale on Hacking Forums


The world of cybercrime continues to evolve, and a recent development involving the INC Ransomware operation highlights this ongoing trend. According to threat intelligence experts at KELA, a cybercriminal using the alias “salfetka” has allegedly posted an offer on Exploit and XSS hacking forums to sell the source code for both the Windows and Linux/ESXi versions of INC Ransomware. This RaaS (Ransomware-as-a-Service) has gained notoriety for targeting organizations like the U.S. division of Xerox Business Solutions (XBS), Yamaha Motor Philippines, and most recently, Scotland’s National Health Service (NHS).

Image: The alleged source code sale (source: BleepingComputer)

The asking price for this controversial source code sale is a hefty $300,000, with “salfetka” limiting the number of potential buyers to just three. While the legitimacy of the offer remains unconfirmed, details mentioned in the forum post, such as the use of AES-128 in CTR mode and the Curve25519 Donna implementation, align with public analysis of INC Ransomware samples gathered by security researchers. KELA’s investigation into “salfetka’s” activity on the dark web reveals participation since March 2024, with past attempts to buy network access for up to $7,000 and offers to share proceeds with initial access brokers involved in ransomware attacks. Further bolstering the potential legitimacy of the sale is “salfetka’s” inclusion of both the old and new INC Ransom page URLs in their signature, suggesting affiliation with the ransomware operation.

However, caution is warranted. The high price tag and “salfetka’s” curated online presence over the past few months could be a carefully crafted scheme. Currently, there are no official announcements on INC’s old or new extortion sites regarding the sale of their source code.

INC Ransomware Migrates to Fresh Platform

Adding another layer of intrigue to this story, INC Ransom announced on May 1, 2024, that it would be migrating to a new data leak extortion “blog.” The new platform has a new TOR address, and the old site is to be closed within the next two to three months. The new site is already operational, with some overlap in victim lists from the previous portal. Notably, twelve new victims are listed that were not present on the older site.

Image: The new INC Ransom extortion site (source: BleepingComputer)

This discrepancy in victim data has led KELA’s analysts to speculate on a potential leadership change within the INC Ransomware operation, or even a split into different groups. However, “salfetka’s” reference to both sites as affiliated projects suggests a broader role beyond a single faction. An alternative theory proposed by KELA is that the new blog’s creation serves as a tactic to attract more buyers for the alleged source code sale. The new extortion page design on INC’s platform bears a striking resemblance to that of Hunters International, another RaaS operation, potentially hinting at a connection between the two.

The Perils of Private Source Code Sales

Unlike public leaks, which let security researchers study an encryptor for flaws that could make victim data recoverable, private source code sales pose a significant threat. These transactions equip highly motivated cybercriminals with robust and well-tested encryption tools, fueling further ransomware attacks. The availability of a Linux/ESXi version in this alleged sale is particularly concerning, as such variants are more challenging to develop and acquire.

Rebranding is a common tactic employed by ransomware gangs. When a gang reuses portions of its old codebase in a new operation, researchers can link its past and present activities through that shared code. Adopting the encryptor of another ransomware operation, on the other hand, obscures that trail and makes it more difficult for law enforcement and security experts to track the group’s movements.

The potential sale of INC Ransomware’s source code signifies a concerning development in the cybercrime landscape. This incident underscores the importance of robust cybersecurity measures for organizations of all sizes. 

Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.