Last month, a new data extortion marketplace, dubbed Industrial Spy, was discovered. It was found selling stolen data and sharing some for free with its members. However, the gang has now commenced its own ransomware operation as it has started encrypting victims’ devices.

Diving into details

MalwareHunterTeam discovered a new malware sample containing a ransom note instead of a promotional text.
  • The note states that the gang has stolen the victim’s data, along with encrypting it.
  • The note, furthermore, claims to leak the stolen data on the Industrial Spy Market in three days, if no contact is made.
  • The ransom note contains a TOX ID for victims to make contact with the group and negotiate a ransom.

Why this matters

  • While Industrial Spy’s claim to encrypt files is true, as investigated by Bleeping Computer, it doesn’t add a new extension to the encrypted file’s name.
  • Moreover, it is believed that the ransomware uses DES encryption, with an RSA1024 public encryption key.
  • Another unique feature observed is the usage of the oxFEEDBEEF filemarker, which has not previously been used by any other ransomware family.


  • Upon uploading a ransomware sample to VirusTotal, MalwareHunterTeam observed a ransom note with the same TOX ID and email address.
  • Nevertheless, instead of connecting to Industrial Spy’s Tor server, the note links to the data leak site belonging to Cuba ransomware.
  • In addition to this, it uses the same file name—!! READ ME !!.txt—as ransom notes by Cuba.
  • The encrypted files, further, have the .cuba extensions appended.

While the above does not link Industrial Spy to Cuba completely, it is very likely that the group used information from the latter while testing out its own ransomware.

The bottom line

Data extortion and ransomware go hand in hand. Being a new entrant to the threat landscape, Industrial Spy is trying to make a name for itself. While it has not become much of a threat yet, security analysts are recommended to keep an eye on it to check its progress as a potent threat.

Cyware Publisher