A threat actor named “salfetka” claims to be selling the source code of INC ransomware, a ransomware-as-a-service (RaaS) business. INC became a notorious malicious entity after previously targeting the United States subsidiary of Xerox Business Solutions (XBS), Yamaha Motor Philippines, and Scotland’s National Health Service (NHS).
The INC Ransom operation is undergoing changes that could indicate a split among its core team members or a move to a new operation with a new encryptor, which lends credibility to the source code being offered for sale.
The threat actor offered both the Windows and Linux/ESXi versions of INC on the Exploit and XSS hacking forums and is asking for $300,000 while limiting the number of potential purchasers to three.
A researcher stated that salfetka has been active on hacking forums since March 2024 and previously attempted to buy network access for up to $7,000 and gave initial access brokers a share of the ransomware attack proceeds.
The INC ransomware source code sale looks more credible because salfetka has proof of affiliation with the group.
According to investigations, the evidence for the authenticity of the sale is that the seller has both the old and current INC Ransom page URLs in their signature. This detail shows that the hacker is associated with the ransomware operation.
However, the sale could be a fraud, with the threat actor having maintained the “salfetka” account over the last few months. That upkeep could mean the seller declared an interest in purchasing network access and set a high price in order to make the offer appear authentic.
On the other hand, INC Ransom declared on its old leak site that it would migrate to a new data leak extortion “blog” and revealed a new TOR address, emphasising that the old site would be shut down in the following months.
The new site is already live, and researchers are noticing some overlap with the former portal’s victim lists and twelve new victims who were not visible on the prior site.
As of now, the new site lists 64 victims, but the old site had 91 entries, indicating that approximately half of INC’s past victims have either complied with the group’s demands or worse.
The offered source code of a notorious ransomware group could either be legitimate or a scam. Still, researchers should monitor these latest developments to uncover more potential threats that this unexpected event could generate.