Knight Ransomware Detection

The source code for Knight ransomware, a rebrand of the Cyclops RaaS operation, is available for sale on a hacking forum. Researchers revealed a recent advertisement posted on the RAMP forum by an individual threat actor under the moniker Cyclops who belongs to the Knight ransomware gang. The source code for Knight ransomware version 3.0 is offered exclusively to a single buyer, preserving its value as a proprietary tool.

Detecting Knight Ransomware

Ransomware remains the number one threat for businesses globally, with 70% of organizations worldwide falling victim to ransomware operations and the average cost of a ransomware attack reaching $4.5 million. To stay ahead of emerging threats that are becoming more complex and large-scale, security practitioners are searching for advanced solutions to streamline threat hunting investigations and ensure proactive cyber defense. SOC Prime Platform offers the world's largest detection content repository for the latest TTPs, accompanied by exclusive SaaS solutions for Threat Hunting and Detection Engineering.

Given that the Knight ransomware source code has leaked online, security experts anticipate a surge in attacks relying on this malware strain. To detect possible Knight ransomware attacks, cyber defenders can apply the curated detection rules listed in SOC Prime's Threat Detection Marketplace.

Hit the Explore Detections button below and drill down to the relevant detection stack against Knight attacks. All the rules are compatible with 28 SIEM, EDR, XDR, and Data Lake solutions and mapped to MITRE ATT&CK v14.1. Additionally, detections are enriched with relevant metadata, including attack timelines and CTI references.

Explore Detections

To help security professionals protect against nefarious ransomware actors, SOC Prime Platform aggregates hundreds of rules to detect associated malicious activity. Follow this link to explore a matching set of detections.

Knight Ransomware Analysis

The Knight ransomware, the successor of the Cyclops RaaS, arrived in the cyber threat landscape in the summer of 2023, targeting Windows, macOS, and Linux operating systems. The ransomware quickly gained the spotlight by offering information stealers and a lite encryptor to lower-tier affiliates targeting smaller organizations. Like its predecessor, Knight operated under the RaaS model, offering infostealers capable of uploading encrypted files to servers and commonly leveraging spam emails with malicious attachments.

Defenders have recently noticed a post on the RAMP forum attributed to a hacker with the alias Cyclops who is believed to be a representative of the Knight ransomware operators. The Knight 3.0 ransomware package for sale includes the control panel and the encryption ("locker") mechanism. The seller asserts that the complete source code is proprietary and is written in Golang and C++. The upgraded ransomware version 3.0 was released in late fall 2023, boasting 40% faster encryption, an improved ESXi module to accommodate newer iterations of the hypervisor, and a set of other enhanced capabilities.

The seller mentioned that preference would be given to reputable users who make a deposit and that the transaction would be facilitated through a transaction guarantor on either the RAMP or XSS hacker forum. The seller also stated that the source code would be offered for sale only once, indicating an effort to preserve the exclusivity and potentially significant value of the ransomware. Since the victim extortion portal of the ransomware operation is currently unavailable and the Knight ransomware campaign has been inactive for quite a while, the threat actors might be considering ceasing malicious operations and liquidating their assets, which could be the reason for selling the ransomware source code.

The availability of the source code for sale on the dark web gives adversaries the green light to enhance their toolkits and launch more cyber attacks. To gain a competitive advantage over offensive forces, defenders are striving to be proactive and continuously accelerate their threat detection and hunting velocity. With access to Uncoder AI, an advanced IDE for Detection Engineering, defenders can write detection code against emerging threats faster and smarter, rely on AI-generated recommendations and intelligence for streamlined threat research, and automatically translate detection algorithms across multiple cybersecurity languages.
