A cybercriminal identified as “salfetka” is purportedly offering the source code for INC Ransom, a ransomware-as-a-service (RaaS) platform that emerged in August 2023. INC Ransom has previously launched attacks on notable entities such as Xerox Business Solutions (XBS) in the U.S., Yamaha Motor Philippines, and Scotland’s National Health Service (NHS).
Concurrently with this alleged sale, the INC Ransom operation is reportedly experiencing internal changes, which may suggest a split within its core team or a strategic move to a new phase involving an updated encryptor.
Source Code Sale
In a startling development, the source code for the notorious INC Ransom ransomware-as-a-service (RaaS) operation has surfaced on hacking forums, reportedly for a hefty sum of $300,000.
The seller, who goes by the alias “salfetka,” claims to offer both the Windows and Linux/ESXi versions of INC Ransom, making this an unprecedented opportunity for cybercriminals seeking to expand their malicious capabilities.
INC Ransom, which launched in August 2023, has made headlines for its high-profile attacks, including those on the U.S. division of Xerox Business Solutions (XBS), Yamaha Motor Philippines, and Scotland’s National Health Service (NHS).
The sale of its source code marks a significant shift in the ransomware landscape, indicating either internal discord within the INC Ransom team or a strategic pivot to a new operational phase involving an updated encryptor.
The source code sale was announced on prominent hacking forums Exploit and XSS, with “salfetka” limiting the number of potential buyers to three.
Threat intelligence experts at KELA, who first noticed the sale, confirmed that the technical details mentioned, such as the use of AES-128 in CTR mode and Curve25519 Donna algorithms, align with publicly analyzed samples of INC Ransom. This alignment lends credibility to the legitimacy of the sale.
KELA’s experts also noted that “salfetka” has been active on hacking forums since March 2024, previously seeking to buy network access for up to $7,000 and offering cuts to initial access brokers from ransomware attack proceeds. The inclusion of both old and new INC Ransom page URLs in “salfetka’s” forum signature further indicates a close affiliation with the ransomware operation.
However, skepticism remains. The sale could be a well-crafted scam, with “salfetka” having carefully built a credible presence over several months. Security researcher 3xp0rt highlighted that “salfetka” has been involved in ransomware forums under various aliases, including “rinc” and “farnetwork,” and has connections to multiple ransomware gangs such as Nokoyawa, JSWORM, Nefilim, Karma, and Nemty.
Despite these revelations, no public announcements have been made on either INC’s old or new sites regarding the sale of the source code. This lack of official communication leaves room for doubt about the authenticity and intentions behind the sale.
INC Ransom Moving to a New Site
Simultaneously with the source code sale, INC Ransom is undergoing significant operational changes. On May 1, 2024, INC Ransom announced on its old leak site that it would transition to a new data leak extortion blog, providing a new Tor address and indicating that the old site would be closed within two to three months. The new site is already active, featuring some overlap in victim lists with the old portal and adding twelve new victims not previously listed.
Currently, the new site lists 64 victims (including the 12 new ones), while the old site contains 91 posts, suggesting that roughly half of INC’s past victims are unaccounted for on the new site. KELA analysts speculate that these discrepancies may point to internal changes within the operation, such as a leadership shift or a split into different factions.
Interestingly, “salfetka” has referenced both the old and new sites in their communications, implying involvement in the broader operation rather than a single faction. This dual reference suggests that the new blog might have been created to maximize profits from the source code sale.
The design of INC’s new extortion page bears a visual resemblance to that of Hunters International, another RaaS operation, hinting at potential connections between the two. This resemblance could indicate strategic alliances or shared resources among ransomware groups.
Private sales of ransomware source code, especially for strains without available decryptors, pose significant risks to organizations worldwide. These sales attract both emerging threat actors and semi-established groups seeking more robust and tested encryptors.
The inclusion of a Linux/ESXi version is particularly concerning, given its higher development cost and complexity.
When ransomware gangs rebrand, they often reuse source code from older encryptors, helping researchers link past and present operations. Utilizing encryptors from other ransomware groups can also aid in rebranding efforts by obscuring traces for law enforcement and researchers.
As the INC Ransom saga unfolds, the cybersecurity community remains vigilant, monitoring these developments to mitigate potential threats and safeguard targeted organizations.