Hacker offers INC ransomware for $300,000

Researchers noticed that the source code of the INC ransomware (aka Inc Ransom), which operated under the Ransomware-as-a-Service (RaaS) scheme since August 2023, was put up for sale on the darknet.

Let us recall that previously such large companies as the American division of Xerox Business Solutions and the Philippine division of Yamaha MotorA National Health Service Scotland (NHS).


Now, according to the publication Bleeping Computerwhich cites information received from KELA analysts, not only is the source code of the ransomware put up for sale, but there has likely been a split between members of the hacking group.

Thus, someone under the nickname salfetka announced the sale of Windows and Linux/ESXi versions of INC on the Exploit and XSS hacker forums, asking 300,000 for the malware and limiting the number of potential buyers to only three.

According to KELA, the technical details mentioned in the sales announcements (including the use of AES-128 in CTR mode and Donna's Curve25519 algorithm) are consistent with INC Ransom's earlier public analysis of samples.

In addition, experts note that salfetka has been active on hacker forums since March 2024. For example, he previously tried to buy access to the network of an unnamed organization for $7,000 and offered the seller a share of the ransom that would be received during a future extortion attack. In addition, salfetka's signature lists the URLs of the old and new INC Ransom pages, which also indicates its likely connection to ransomware.


However, researchers do not exclude that the sale of source codes may be fraudulent, and salfteka specifically prepared this account for several months.

At the same time, at present, neither on the old nor on the new INC website there have been public statements about the sale of the project’s source code.

Researchers explain that on May 1, 2024, the group announced on its old website (left in the illustration below) that it was moving to a new “blog” and indicated a new Tor address, stating that the old site would be closed in two to three months. The new site (on the right in the illustration below) is already working, and the list of victims on it includes a number of companies that appeared on the old portal, but the data of twelve more new victims that were not on the old resource are published here.

In total, the group’s “blog” lists 64 victims (12 new), while the old site contained information about 91 affected companies. That is, data on about half of INC's past victims is missing.

“The discrepancies between the two sites may indicate a change in leadership or a split into different groups,” KELA analysts said. “However, the fact that salfetka refers to both sites as his projects suggests that he may be associated with both of them. In this case, it is possible that the new blog was created in an attempt to gain more profit from the sale.”

Experts write that unlike the public leak of malware source codes, which usually allows analysts to crack the ransomware, the private sale of ransomware source codes for which there is no decryptor can create many problems for organizations around the world.

As a rule, such builders are purchased by highly motivated attackers who have just entered this field, or by already established hacking groups who want to increase their efficiency by using a more reliable and proven encryptor. This is especially true if a Linux/ESXi version is available, which is usually more difficult to develop and purchase.