Knight is a ransomware operation/group active by at least early 2024. The provided reporting states that Knight sold its source code in February 2024. Multiple sources in the content link Knight to later ransomware ecosystem developments: RansomHub is described as a suspected successor to Knight, and ESET states that RansomHub’s encryptor was built from repurposed Knight source code rather than written from scratch. Additional reporting notes links between RansomHub, ALPHV/BlackCat, and the former Knight ransomware group due to significant code overlap. Dragos observed Knight among ransomware groups affecting industrial organizations, with Knight accounting for 1.9% of incidents in the cited period (four incidents). High-confidence details in the provided content about Knight’s own technical behavior, infection vectors, targeted platforms, industries, or specific IOCs are otherwise not available.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a former ransomware group with reported code overlap/linkage to RansomHub; no further technical details provided.
A ransomware family whose source code was sold in February 2024 and later repurposed as the basis for the RansomHub encryptor.
Ransomware family listed among active groups impacting industrial organizations in Q4 2023; also noted as first observed by Dragos in Q4 2023.
Ransomware family referenced as the likely predecessor codebase to RansomHub (RaaS).
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.