INC ransomware source code reportedly on sale for $300,000

The source code of the notorious INC Ransom, a ransomware-as-a-service (RaaS) operation, has surfaced on hacking forums for $300,000, the tech news site BleepingComputer reported.

INC Ransom, launched in August 2023, previously targeted high-profile entities including the US division of Xerox Business Solutions (XBS), Yamaha Motor Philippines, and Scotland's National Health Service (NHS).

The ransomware source code was put up for sale on the Exploit and XSS hacking forums by an individual who goes online as “salfetka.” The announcement of the sale includes both the Windows and Linux/ESXi versions of INC.

Security researchers at threat intelligence firm KELA have confirmed the authenticity of the sale, noting that technical details provided by “salfetka” align with public analysis of INC Ransom samples. “Salfetka” has been an active presence on hacking forums since March 2024, previously engaging in activities such as seeking to purchase network access and offering cuts from ransomware attack proceeds to initial access brokers.

The legitimacy of the sale is further bolstered by “salfetka” including the URLs of both the old and new INC Ransom pages in their forum signature, which indicates an affiliation with the ransomware operation. However, it’s possible that the sale could be an elaborate scam orchestrated by the threat actor, BleepingComputer notes.

Additionally, the INC Ransom operation appears to be undergoing significant changes. On May 1, 2024, INC Ransom announced its transition to a new data leak extortion blog, with a new TOR address. The old leak site is slated for closure within the next two to three months. Interestingly, the design of the new extortion page bears similarity to that of Hunters International, hinting at a potential connection between the two RaaS operations.

