INC has previously targeted the U.S. division of Xerox Business Solutions, Yamaha Motor Philippines, and, more recently, Scotland's National Health Service.
Simultaneously with the alleged sale, the INC Ransom operation is undergoing changes that might suggest a rift between its core team members or plans to move to a new chapter that will involve using a new encryptor.
The threat actor announced the sale of both the Windows and Linux/ESXi versions of INC on the Exploit and XSS hacking forums, asking for $300,000 and limiting the number of potential buyers to just three.
According to information provided to BleepingComputer by threat intelligence experts at KELA, who spotted the sale, the technical details mentioned in the forum post, such as the use of AES-128 in CTR mode and Curve25519 Donna algorithms, align with public analysis of INC Ransom samples.
The threat actor was previously looking to buy network access for up to $7,000 and offered a cut to initial access brokers from ransomware attack proceeds.
Currently, there are no public announcements on INC's old or new site about selling the project's source code.
The new site is already up; its victim list partly overlaps with the old portal's, and it includes twelve new victims not seen on the old site.
In total, the new site lists 64 victims, while the old one has 91 posts, so roughly half of INC's past victims are missing.
It is also worth noting that INC's new extortion page design visually resembles that of Hunters International, which could indicate a connection with the other RaaS operation.
As opposed to a public leak that allows security analysts to crack the encryption of a ransomware strain, private source code sales of strains for which there's no available decryptor have the potential to create more trouble for organizations worldwide.
These ransomware builders are bought by highly motivated threat actors just entering the space or semi-established groups looking to up their game using a more robust and well-tested encryptor.
That is especially true when a Linux/ESXi version is on offer, which is generally more challenging to develop and costlier to acquire.
When ransomware gangs rebrand, they commonly reuse much of the source code from their old encryptors, allowing researchers to link older gangs to new operations.
Using another ransomware operation's encryptor can also help a rebrand, as it muddies the trail for law enforcement and researchers.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 13 May 2024 20:25:07 +0000