Knight ransomware source code for sale after leak site shuts down

The alleged source code for the third iteration of the Knight ransomware is being offered for sale to a single buyer on a hacker forum by a representative of the operation.

Knight ransomware launched at the end of July 2023 as a re-brand of the Cyclops operation, targeting Windows, macOS, and Linux/ESXi systems.

It gained some traction because it provided info-stealers and a ‘lite’ version of its encryptor for lower-tier affiliates that attacked smaller organizations.

Wiz

Threat analysts at cyber-intelligence firm KELA spotted the advertisement two days ago posted on RAMP forums by someone using the alias Cyclops, known as a representative of the Knight ransomware gang.

Sale post on the RAMP forums
Sale post on the RAMP forums (KELA)

“Selling the source code for Knight 3.0 ransomware, this will include the source code of the panel and the locker, all source code is owned and written in Glong C++,” says Cyclops in the post. 

Version 3.0 of Knight's locker was released on November 5, 2023, with 40% faster encryption, a re-written ESXi module to add support for more recent versions of the hypervisor, and various other improvements. 

Version 3.0 release announcement
Version 3.0 release announcement (KELA)

The threat actor did not specify a price but emphasized that the source code would only be sold to a single buyer, preserving its value as a private tool.

Cyclops said they would prioritize reputable users with a deposit and that the purchase would be conducted through a transaction guarantor either on RAMP or XSS hacker forum.

The seller has posted contact addresses for Jabber and TOX messaging services for potential buyers to reach out and negotiate a final deal.

KELA told BleepingComputer that the Jabber is new but the TOX ID listed on the forum post is known and previously associated with Knight, which adds legitimacy to the sale.

The reason behind selling the source code for Knight ransomware remains unclear but KELA’s dark web monitoring tools have logged no activities from Knight’s representatives on various forums since December 2023.

Also, the ransomware operation’s victim extortion portal is currently offline, the last victim being listed on February 8. Since July 2023, Knight claimed to have breached 50 organizations.

Based on the details from KELA, the Knight ransomware operation appears to have gone inactive for a while now, so it’s possible that the group is looking to close shop and sell their assets.

tines

Break down IAM silos like Bitpanda, KnowBe4, and PathAI

Broken IAM isn't just an IT problem - the impact ripples across your whole business.

This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what "good" IAM looks like, and a simple checklist for building a scalable strategy.

Related Articles:

RansomHouse upgrades encryption with multi-layered data processing

CyberVolk’s ransomware debut stumbles on cryptography weakness

US cybersecurity experts plead guilty to BlackCat ransomware attacks

Romanian energy provider hit by Gentlemen ransomware attack

Hacker claims to leak WIRED database with 2.3 million records