The creators of the Knight Monk virus have decided to sell their source code. A representative of the group, known by the alias Cyclops, posted an advertisement on the RAMP platform.
Knight ransomware, which first emerged in July 2023, is capable of attacking Windows, macOS, and Linux/ESXi systems. The hackers behind the virus have upgraded their software to its latest version, the third iteration, equipped with enhanced capabilities for cyber attacks. Analysts from Kela were the first to spot the announcement.
Previously, the Knight group gained attention within the cybercrime community by offering affiliates a simplified version of their main virus for targeting small and medium-sized businesses. By expanding the potential buyer pool, this also raised the risk for companies with weaker cybersecurity defenses.
The announcement details the sale of the “Knight 3.0” source code, which encompasses the control panel code and the main code, written in Golang and C++. Released on November 5, 2023, the new version boasts a 40% increase in encryption strength, an updated module supporting the latest ESXi hypervisor versions, and other enhancements.
Although the seller did not specify a price, it was emphasized that the code would be sold exclusively to a single buyer. Cyclops is open to considering offers from reputable buyers willing to provide an advance payment and has indicated that the transaction will be conducted through a trusted intermediary on RAMP or XSS forums. Contact information for potential buyers was provided for communication via Jabber and Tox messengers.
Kela experts, weighing in on the matter, noted that the new Jabber address raises no red flags, while the Tox identifier has already been linked to Knight, lending additional credibility to the offer.
While the motives behind selling the source code remain unclear, Kela analysts observed that members of the Knight group have been inactive on cybercrime forums since December 2023, and their leak site is currently non-operational. This suggests that the hackers may have chosen to step away from the scene and sell off their remaining assets.