Chris Swagler | June 6th, 2022

The data extortion marketplace Industrial Spy has launched its own ransomware operation, in which it encrypts victims’ devices. It was reported that Industrial Spy allows threat actors and business competitors to buy various forms of data stolen from companies. Prices for this data range from millions of dollars for “premium” data to $2 for individual files. The threat actors partnered with adware loaders and fake crack sites to distribute malware that creates README.txt files on a device. These files promote the marketplace, explaining that readers may buy schemes, drawings, technologies, political and military secrets, accounting reports, and competitors’ client databases.

According to security researchers, a new sample of the Industrial Spy malware was discovered that appeared to be more like a ransom note than a promotional text file. The ransom note explains that the Industrial Spy threat actors not only stole but also encrypted the victim’s data. The Industrial Spy ransom note reads, “Unfortunately we have to report you that your company was compromised. All your files were encrypted, and you can’t restore them without our private key. Trying to restore it without our help may cause complete loss of your data. Also, we researched whole your corporate network and downloaded all your sensitive data to our servers. If we will not get any contact from you in 3 next days, we will publish your data on the site ‘Industrial Spy Market’.”

The cybersecurity company sent the malware sample to BleepingComputer to confirm whether it encrypted files as the note claimed. In the subsequent tests, the Industrial Spy ransomware did encrypt files; however, unlike most ransomware families, it doesn’t append a new extension to encrypted file names.

A ransomware expert examined the sample and believed it to employ DES encryption with the use of an RSA1024 public key. It uses a filemarker of 0xFEEDBEEF, which hasn’t been seen before in a ransomware family. This filemarker shouldn’t be confused with 0xDEADBEEF, a well-known magic value used in debugging. While encrypting files, the Industrial Spy ransomware creates a ransom note named “README.html” in every folder on the device. Victims can use the TOX ID in the ransom note to contact the ransomware group and negotiate.
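Because encrypted files keep their original names, an extension-based sweep will miss them; the filemarker and the per-folder note are the indicators left to work with. The following triage sketch is an added example, not code from the researchers or from SpearTip. The page does not say where the marker sits in a file or in which byte order, so the script assumes it lies within the first or last 64 bytes and checks both byte orders; all sample files are constructed.

```python
import os
import tempfile

# Marker value reported on the page. Its offset and byte order are not given,
# so both byte orders are checked near the start and end of each file (assumption).
MARKER = 0xFEEDBEEF
PATTERNS = (MARKER.to_bytes(4, "big"), MARKER.to_bytes(4, "little"))
WINDOW = 64                 # bytes inspected at each end (assumed, tune per sample)
NOTE_NAME = "readme.html"   # ransom note name from the page, compared case-insensitively

def has_marker(path, window=WINDOW):
    """True if the marker occurs in the first or last `window` bytes of the file."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(window)
            size = fh.seek(0, os.SEEK_END)
            fh.seek(max(0, size - window))
            tail = fh.read(window)
    except OSError:
        return False        # unreadable or locked file: skip, do not abort the sweep
    return any(p in head or p in tail for p in PATTERNS)

def triage(root):
    """Map each folder containing marked files to its marked files and note status."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        marked = sorted(f for f in files
                        if f.lower() != NOTE_NAME and has_marker(os.path.join(folder, f)))
        if marked:
            findings[os.path.relpath(folder, root)] = {
                "note": any(f.lower() == NOTE_NAME for f in files), "marked": marked}
    return findings

def demo():
    """Run the sweep over a small constructed tree (no real sample data)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "finance"))
        samples = {
            "finance/q1.xlsx": b"\x00" * 100 + bytes.fromhex("feedbeef"),  # marker at tail
            "finance/README.html": b"<html>constructed note</html>",
            "finance/q2.xlsx": b"PK\x03\x04" + b"\x00" * 100,               # clean file
            "notes.txt": bytes.fromhex("efbeedfe") + b"\x01" * 10,          # marker at head
        }
        for rel, data in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        return triage(root)

if __name__ == "__main__":
    print(demo())
```

A four-byte pattern can occur by chance, so a hit is a lead for triage; a marked file sitting next to a README.html note is the stronger signal.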

While examining the TOX ID and email address found in the ransom note, the cybersecurity researchers also discovered a peculiar connection to the Cuba ransomware operation. A ransomware sample uploaded to VirusTotal generated a ransom note with a similar TOX ID and email address. That note uses the same file name but links to the data leak site for Cuba ransomware instead of the Industrial Spy Tor site. Additionally, the encrypted files carry the .cuba extension, as the regular Cuba ransomware operation does when encrypting files. Even though this doesn’t prove a direct link between the two groups, it’s possible that the Industrial Spy threat actors are using Cuba’s information while testing their ransomware creation. The overlap is unusual and something security researchers and analysts will need to keep an eye on.

With data extortion marketplaces like Industrial Spy looking to launch their own ransomware operation, it’s critical for companies to always remain alert to the current threat landscape and maintain backups of valuable data offsite to avoid paying a ransom and losing business-critical resources. At SpearTip, our certified engineers handle companies’ cyber incident response at our 24/7/365 Security Operations Center and continuously monitor networks for potential ransomware threats. Our cutting-edge ShadowSpear Platform delivers cloud-based solutions collecting endpoint logs. Additionally, ShadowSpear detects sophisticated unknown and advanced ransomware threats with comprehensive insights using unparalleled data normalization and visualizations.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.