Industrial Spy ransomware uses double extortion attacks that combine data theft with file encryption

Researchers from Zscaler released details of the Industrial Spy ransomware group that after their initial promotional campaigns introduced their own ransomware to create double extortion attacks that combine data theft with file encryption. The threat group appears to have also seemingly tried Cuba ransomware briefly before developing their own ransomware in May this year.

A relatively new group that emerged in April, Industrial Spy began by offering a data extortion marketplace where criminals could buy large companies’ internal data. The group promoted this marketplace using README.txt files that were downloaded using malware downloaders disguised as cracks and adware. Subsequently, they brought in their own ransomware to create double extortion attacks that combine data theft with file encryption. 

“There are two primary executables associated with Industrial Spy. The first binary does not implement any destructive functionality, while the second performs file encryption,” Zscaler researchers wrote in a blog post this week. “The former has been mainly distributed using cracks, adware, and other malware loaders. Zscaler ThreatLabz has observed this binary being distributed in-the-wild with other loaders and stealers involving SmokeLoader, GuLoader, and Redline Stealer. The sole purpose of this malware is to promote their dark web marketplace; it does not inflict any actual damage to the targeted system,” they added.

Zscaler assessed that Industrial Spy is a new entrant in the ransomware ecosystem. “The malware is not currently very sophisticated, but the file encryption is functional making it a dangerous threat. Furthermore, Industrial Spy is consistently adding new victims, proving that the threat group has the capabilities to breach new organizations. Many players come and go in the ransomware market and it is difficult to determine the groups that will stay for the long term. However, this threat group is likely to stay at least in the near future with more ransomware updates and features to follow,” it added. 

In June, Trend Micro said that it observed a resurgence of the Cuba ransomware group in March and April this year, using a new variant of the malware with updated infection techniques. While the updates to Cuba ransomware did not change much in terms of overall functionality, Trend Micro has ‘reason to believe that the updates aim to optimize its execution, minimize unintended system behavior, and provide technical support to the ransomware victims if they choose to negotiate.’

The Federal Bureau of Investigation (FBI) warned last December that the hackers it referred to as ‘Cuba ransomware’ hackers had compromised at least 49 entities in five critical infrastructure sectors, including organizations in the financial, government, healthcare, manufacturing, and information technology industries.

Zscaler said that the total victim count as of Jul. 25 this year was 37, broken down into 24 victims in the free classification, 13 targets in the general category, and zero in the premium section. “Industrial Spy is mostly selling individual files (in the General category) instead of file bundles in the price range from $1 to tens of thousands of dollars. The group likely reviews the files before deciding whether to put a high price tag on sensitive files and dumps the rest of the files with a $1 to $2 price tag,” it added.

The Industrial Spy ransomware line is relatively basic and parts of the code appear to be in development, Zscaler said. Industrial Spy utilizes very few obfuscation methods other than building strings on the stack at runtime. The ransomware also lacks many of the features commonly seen in modern ransomware families, such as anti-debug, and anti-sandbox, although this may change in the future, it added.

Currently, there are not many Industrial Spy ransomware samples that have been observed in-the-wild. However, the group is consistently adding roughly two new victims per month on their data leak portal.

Both encryption and decryption in Industrial Spy ransomware are handled by the same binary. In simplified form, the steps taken by the ransomware are: parse command-line arguments, delete shadow copies, start an encryption thread to encrypt all drives or the given paths, and self-delete. Similar to other ransomware families, Industrial Spy deletes Windows shadow copies to make file recovery more difficult.

On execution, Industrial Spy checks whether an RSA public or RSA private key is embedded in the binary. Depending on the type of key, the ransomware will encrypt or decrypt files, Zscaler said.

“Interestingly, it will always delete shadow copies irrespective of the mode. If command-line arguments are provided, Industrial Spy will start a thread to recursively encrypt files for each path argument that is provided,” the researchers disclosed. “If no arguments are given, Industrial Spy will enumerate all drives and start one thread per volume (if it is not read-only). Each thread will recursively enumerate and encrypt files. All files for which the extension and path do not fall under the exclusion list will be encrypted,” they added.

During encryption, if the targeted file is locked by another process, Industrial Spy will attempt to terminate the process that holds the corresponding file handle, using the Restart Manager API.

“Industrial Spy encrypts each file’s content with the Triple DES (3DES) algorithm. Each 3DES key and initialization vector (IV) are then encrypted with a hardcoded RSA public key,” the researchers said. “The result is appended with a footer to the encrypted file data. Industrial Spy will encrypt up to the first 100MB of data. Since 3DES is a block cipher, each block is padded accordingly with NULL (0x00) bytes to form a multiple of 24 bytes,” they added.

After encryption, the original file content is overwritten, according to Zscaler. “Unlike nearly all ransomware families, Industrial Spy does not change the file extension after encryption. Therefore, the filename itself cannot be used to determine the files that have been encrypted. Instead, Industrial Spy appends a file footer that can be used to identify encrypted files using the last four bytes: 0xFEEDBEEF,” it added.
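Because Industrial Spy leaves file extensions untouched, an incident responder has to look at file trailers rather than names to scope what was encrypted. The following is an added example of a defender-side triage scanner, not Zscaler's code or anything from the malware itself: it walks a directory tree and flags files whose last four bytes match the 0xFEEDBEEF marker described above. It only reads the trailer of each file (the article notes that only the first 100MB of large files is encrypted, but the footer is still at the end), skips files shorter than four bytes, and ignores a marker that appears anywhere other than the very end. Whether the marker is stored as the byte sequence FE ED BE EF or as a little-endian DWORD (EF BE ED FE) is an assumption, so both orderings are checked; the sample files are constructed in a temporary directory for the demonstration.

```python
import os
import sys
import tempfile
from pathlib import Path
from typing import Iterator, List

# Trailer marker reported for Industrial Spy-encrypted files (last four bytes).
# ASSUMPTION: the on-disk byte order is not stated, so both big-endian and
# little-endian DWORD encodings of 0xFEEDBEEF are treated as a match.
FOOTER_MARKERS = (bytes.fromhex("FEEDBEEF"), bytes.fromhex("EFBEEDFE"))


def has_industrial_spy_footer(path: Path) -> bool:
    """Return True when the file's final four bytes equal the reported marker."""
    try:
        size = path.stat().st_size
    except OSError:
        return False  # unreadable or vanished file: not flagged, not fatal
    if size < 4:
        return False  # too short to carry the marker
    with path.open("rb") as fh:
        fh.seek(-4, os.SEEK_END)  # inspect the trailer only, never the whole file
        tail = fh.read(4)
    return tail in FOOTER_MARKERS


def scan_tree(root: Path) -> Iterator[Path]:
    """Yield every regular (non-symlink) file under root that carries the marker."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink() and has_industrial_spy_footer(p):
                yield p


def scan_demo() -> List[str]:
    """Build a constructed sample tree and return the names the scanner flags.

    The contents are synthetic test data, not real encrypted files.
    """
    samples = {
        "report.docx": b"quarterly numbers, untouched",           # clean file
        "ledger.xlsx": b"\x00" * 32 + bytes.fromhex("FEEDBEEF"),   # big-endian trailer
        "plan.pdf": b"\x11" * 32 + bytes.fromhex("EFBEEDFE"),      # little-endian trailer
        "tiny": b"\xef",                                           # shorter than the marker
        "midmarker.bin": bytes.fromhex("FEEDBEEF") + b"z" * 10,    # marker not at the end
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, content in samples.items():
            (root / name).write_bytes(content)
        return sorted(p.name for p in scan_tree(root))


if __name__ == "__main__":
    # Usage: python scanner.py <directory>  (with no argument, run the demo tree)
    if len(sys.argv) > 1:
        for hit in scan_tree(Path(sys.argv[1])):
            print(hit)
    else:
        print(scan_demo())  # prints ['ledger.xlsx', 'plan.pdf']
```

The scanner deliberately treats the trailer as the only signal: a file with the marker in the middle is not an encrypted file, and a file shorter than the marker cannot be one. On a real volume, feed the list of hits into your restoration plan; since the malware deletes shadow copies in both modes, recovery will normally depend on offline backups rather than on local snapshots.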

Industrial cybersecurity company Nozomi Networks said in its latest OT/IoT security report that wiper malware, IoT botnet activity, and the Russia/Ukraine war impacted the threat landscape in the first six months of this year. It also found that cybercriminals have changed their tactics, focused on new targets, and increased their attack frequency. Meanwhile, companies are fighting the endless battle of making industrial processes more efficient without compromising security.
