Article Details
Scrape Timestamp (UTC): 2024-02-20 16:32:17.204
Original Article Text
Click to Toggle View
Knight ransomware source code for sale after leak site shuts down. The alleged source code for the third iteration of the Knight ransomware is being offered for sale to a single buyer on a hacker forum by a representative of the operation. Knight ransomware launched at the end of July 2023 as a re-brand of the Cyclops operation, targeting Windows, macOS, and Linux/ESXi systems. It gained some traction because it provided info-stealers and a ‘lite’ version of its encryptor for lower-tier affiliates that attacked smaller organizations. Threat analysts at cyber-intelligence firm KELA spotted the advertisement two days ago posted on RAMP forums by someone using the alias Cyclops, known as a representative of the Knight ransomware gang. “Selling the source code for Knight 3.0 ransomware, this will include the source code of the panel and the locker, all source code is owned and written in Glong C++,” says Cyclops in the post. Version 3.0 of Knight's locker was released on November 5, 2023, with 40% faster encryption, a re-written ESXi module to add support for more recent versions of the hypervisor, and various other improvements. The threat actor did not specify a price but emphasized that the source code would only be sold to a single buyer, preserving its value as a private tool. Cyclops said they would prioritize reputable users with a deposit and that the purchase would be conducted through a transaction guarantor either on RAMP or XSS hacker forum. The seller has posted contact addresses for Jabber and TOX messaging services for potential buyers to reach out and negotiate a final deal. KELA told BleepingComputer that the Jabber is new but the TOX ID listed on the forum post is known and previously associated with Knight, which adds legitimacy to the sale. The reason behind selling the source code for Knight ransomware remains unclear but KELA’s dark web monitoring tools have logged no activities from Knight’s representatives on various forums since December 2023. Also, the ransomware operation’s victim extortion portal is currently offline, the last victim being listed on February 8. Since July 2023, Knight claimed to have breached 50 organizations. Based on the details from KELA, the Knight ransomware operation appears to have gone inactive for a while now, so it’s possible that the group is looking to close shop and sell their assets.
Daily Brief Summary
The alleged source code for Knight ransomware version 3.0 is being offered for sale by the operation's representative on a cybercriminal forum.
Knight ransomware, a re-brand of Cyclops, targets a variety of systems and offers a 'lite' version for smaller-scale affiliates.
Cyber-intelligence firm KELA observed the sale announcement on the RAMP forums by a user known to represent the Knight group.
The advertisement promises exclusive sale of the source code, including the encryption panel and locker, to maintain its value.
The seller, using the alias Cyclops, has not mentioned a specific price but insists on a deposit from reputable buyers with the transaction guaranteed through RAMP or XSS forums.
Contact details for the potential transaction have been provided by the seller, adding legitimacy to the offer.
Activity from Knight ransomware representatives has ceased on various forums since December 2023, and the victim extortion portal went offline in February 2024.
KELA suggests that the inactivity of the Knight ransomware operation might indicate a move to exit the criminal business by selling off their assets.