A new ransomware group, dubbed Industrial Spy, has emerged on the threat landscape. The group was first spotted in April when it started as a data extortion marketplace.
Zscaler Threat Labz has observed the Industrial Spy ransomware group that practices double extortion tactics.
The group first emerged as a marketplace and advertise itself using README[.]txt files downloaded using malware downloaders, masked as cracks and adware.
At that time, it was observed only exfiltrating and selling data on dark web marketplaces, without encrypting the victim’s data.
After initial campaigns, in May, the threat group introduced its own ransomware for double extortion attacks, bringing encryption along with data theft.
The Industrial Spy ransomware family is basic and some parts of the code seem to be under development.
The ransomware uses a combination of 3DES/RSA to encrypt files.
There are two main executable files. The first binary does not come with any destructive functionality, while the second performs file encryption.
The first binary spreads using cracks, adware, and loaders and advertises the marketplace.
This harmless binary was spotted in the wild with other loaders and stealers such as GuLoader, Redline Stealer, and SmokeLoader, with the sole purpose of promoting the marketplace.
However, the malware lacks the common functionalities of modern ransomware, such as anti-sandboxing and anti-debugging.
It has reportedly studied Cuba ransomware briefly before creating its own ransomware.
The group is active and adds new victims every month to its data leak portal. As of July 25, the list shows a total of 37 victims.
Industrial Spy is a new and quite unsophisticated ransomware family, although the attackers behind it are very active. The recent addition of a file encryption mechanism makes it a potential threat. Thus, it is suggested to keep an eye on such threats and take timely actions before they give any major surprise to the cybersecurity community.