The alleged source code for the third iteration of the Knight ransomware is being offered for sale on a hacker forum by a representative known as Cyclops. Knight launched in July 2023 as a rebrand of the Cyclops operation, targeting Windows, macOS, and Linux/ESXi systems. The ransomware gained attention for providing info-stealers and a ‘lite’ encryptor for lower-tier affiliates focusing on smaller organizations.
Cyber-intelligence firm KELA detected the sale advertisement on the RAMP forums. The advertisement offers the source code of Knight 3.0 ransomware, including both the panel and the locker, all coded in Glong C++. Version 3.0, released on November 5, 2023, introduced enhancements such as 40% faster encryption and a re-written ESXi module to support recent hypervisor versions. The seller, Cyclops, did not specify a price but stressed that the source code would be sold to only a single buyer, potentially preserving its value as a private and exclusive tool.
The motive behind selling the source code remains unclear, raising questions about the current status of the Knight ransomware operation. KELA’s dark web monitoring tools have observed no activity from Knight’s representatives on various forums since December 2023. Additionally, the victim extortion portal is offline, with the last victim listed on February 8. Given these indications of inactivity, it’s plausible that the group is considering shutting down operations and selling its assets, a shift in the threat landscape that cybersecurity experts are monitoring closely.