The group has been suspiciously absent from hacker forums for a long time, but analysts still found one ad.
The creators of the Knight ransomware virus decided to sell the source code of their software. One of the representatives of the group, known under the pseudonym Cyclops, placed an ad on the RAMP platform.
Knight ransomware, which first appeared in July 2023, attacks Windows, macOS, and Linux/ESXi operating systems. The hackers have upgraded the software and are offering the latest version for sale: the third version, with improved attack capabilities. The ad was discovered by analysts from KELA.
The Knight group once attracted the attention of the cybercrime community because it provided affiliates with infostealers and a simplified version of the main virus. The simplified version is designed for attacks on small and medium-sized businesses, which widens the circle of potential buyers and increases the risk for companies with weak cyber defenses.
The announcement offers the "Knight 3.0" source code for sale, including the control panel code and the encryptor itself, written in Golang C++. The new version of the virus, released on November 5, 2023, features 40% faster encryption, an updated module to support the latest versions of the ESXi hypervisor, and other improvements.
The seller did not name a price, but stressed that the code will be sold to a single buyer in order to preserve its exclusivity. Cyclops will review offers from trusted buyers who are willing to make an advance payment, and specifies that the transaction will be made through a reliable intermediary on the RAMP or XSS forums. Contact details for the Jabber and TOX messengers were provided for potential buyers.
KELA specialists, commenting on the situation, noted that the new Jabber address does not raise suspicion, and that the TOX identifier was already associated with Knight's activities, which lends the offer additional legitimacy.
While the reasons for selling the source code remain unclear, analysts from KELA note that Knight participants have not shown any activity on cybercrime forums since December 2023. Their leak site is currently down. It can be assumed that the hackers decided to quit the game altogether and sell off their last assets.
