Industrial Spy ransomware detected by HarfangLab EDR

Executive summary

Industrial Spy threat actors established a new marketplace in mid-March 2022 where they publish data stolen from breached companies. The marketplace provides three tiers of data offerings:

  • a “Premium” tier where stolen data packages are sold for millions of dollars and reserved for a single buyer,
  • a “General” tier where data can be bought as individual files, after a 7-day period in the “Premium” tier,
  • a “Free” tier where data can be downloaded for free.

The marketplace is promoted not only on the Darknet and in Telegram channels, but also through a piece of malware (variant #1) that is dropped onto the victim’s computer, generates multiple README files across the desktop folders and the operating system, and changes the desktop background to Industrial Spy’s logo.

At the end of May 2022, the Industrial Spy threat actors started using ransomware (variant #2) in addition to stealing and publishing data. They begin with direct, private interactions with their victims, and a couple of days later they publish the stolen data on their marketplace.

In early June 2022, the Industrial Spy ransomware gang started compromising their victims’ corporate websites in order to display ransom notifications publicly.

The vast majority of Industrial Spy victims (80%) are located in the US and Western Europe, while a few are in Asia and South America.

Tools, Techniques and Procedures

Malware variant #1: advertising the Industrial Spy marketplace

The malware, named “tools.exe”, has been uploaded to VirusTotal multiple times and received a detection score of 52/66. It is dropped by known malware families and stealers. The malware generates multiple README files containing generic Industrial Spy advertisements, as depicted in Figure 1.

Figure 1: README file generated by the malware variant #1

It also modifies the desktop background image as depicted in Figure 2.

Figure 2: Background modification by the malware variant #1

The advertised marketplace is hosted as a Tor hidden service at the following address: http://spyarea23ttlty6qav3ecmbclpqym3p32lksanoypvrqm6j5onstsjad[.]onion

The marketplace provides three tiers of data offerings:

  • a “Premium” tier where stolen data packages are sold for millions of dollars and reserved for a single buyer,
  • a “General” tier where data can be bought as individual files, after a 7-day period in the “Premium” tier,
  • a “Free” tier where data can be downloaded for free.

Figure 3: Advertisement of stolen data from an Indian victim in the Premium tier

For each victim, the detailed list of stolen files is accessible so that buyers can select the precise files they want to download (see Figure 4).

Figure 4: List of stolen files for a particular victim

Malware variant #2: ransomware

At the end of May 2022, the Industrial Spy threat actors started using ransomware (variant #2) in addition to stealing and publishing data.

The Industrial Spy ransomware encrypts files on the system but does not change their file extensions. While it encrypts files, the ransomware drops a ransom note named README.html (see Figure 5) in every folder of the device.

Figure 5: Industrial Spy ransom note (README.html)
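Because variant #2 keeps the original file extensions, a defender cannot spot encrypted files by name alone. The following triage script, added here as an illustration and not part of the HarfangLab report, walks a directory tree and flags files whose header no longer matches their extension, files whose content has ciphertext-like entropy, and files carrying the README.html note name. The magic-byte table, the entropy threshold and the sample files are constructed assumptions.

```python
import math
import tempfile
from pathlib import Path

# Assumption: a small, illustrative magic-byte table; extend it for the file types you care about.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}
NOTE_NAME = "README.html"   # ransom note file name reported for variant #2
ENTROPY_THRESHOLD = 7.5     # bits per byte; ciphertext is close to 8.0, text and most documents are well below

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_file(path: Path) -> list:
    """Return the reasons a file looks ransomware-affected (an empty list means nothing was noticed)."""
    reasons = []
    if path.name == NOTE_NAME:
        reasons.append("ransom-note-name")
    data = path.read_bytes()
    expected = MAGIC.get(path.suffix.lower())
    if expected and not data.startswith(expected):
        reasons.append("magic-mismatch")   # extension kept but header gone: consistent with in-place encryption
    if len(data) >= 256 and shannon_entropy(data[:4096]) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    return reasons

def triage_tree(root: Path) -> dict:
    """Walk a directory tree and map each flagged file (path relative to root) to its reasons."""
    findings = {}
    for p in root.rglob("*"):
        if p.is_file():
            reasons = triage_file(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings

def build_sample_tree() -> Path:
    """Constructed sample data: an intact PDF, an 'encrypted' PDF that kept its extension, and a ransom note."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "intact.pdf").write_bytes(b"%PDF-1.4\n" + b"plain text body " * 64)
    (root / "docs" / "encrypted.pdf").write_bytes(bytes(range(256)) * 16)   # uniform bytes stand in for ciphertext
    (root / "docs" / "README.html").write_bytes(b"<html>constructed ransom note placeholder</html>")
    return root
```

Run `triage_tree(build_sample_tree())` to see the two flagged files; on a real host, point `triage_tree` at a user profile or file share and review the findings before restoring from backups.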

Relationships

The analysis of the Industrial Spy ransomware’s relationships shows that the Cuba ransomware family (variant #3) can also be attributed to the same threat actors.

Figure 6: Industrial Spy ransomware relationships

Courses of Action

  • Increase monitoring of the corporate website
  • Back up systems and keep the backups isolated

IOCs

Variant #1 SHA256 hashes

  • c96b098cab47c0a33d0b6d8f14b24e7c9ba897b0c59a2ac1f3dc608ca7a2ed7e
  • 5ed4ffbd9a1a1acd44f4859c39a49639babe515434ca34bec603598b50211bab
  • 911153af684ef3460bdf568d18a4356b84efdb638e3e581609eb5cd5223f0010

Variant #1 import hash

  • 60c52a7e07d965a807e77f1315a9ffd3

Variant #1 IP connectivity check (ICMP)

  • 1.1.1.1

Variant #2 SHA256 hashes

  • dfd6fa5eea999907c49f6be122fd9a078412eeb84f1696418903f2b369bec4e0

Variant #2 import hash

  • 2c83a3a81b083cf9ebbe4088faee6709

Variant #3 SHA256 hashes

  • 0c729cfb8f8717f66a59a7570523d92668efe6eed988b9fe68ac742e1851f8ca
  • 3f299c6f9ad8233bcb8df3301a143604c083341040b33ba197c6474bb2284824
  • 936119bc1811aeef01299a0150141787865a0dbe2667288f018ad24db5a7bc27
  • 482b160ee2e8d94fa6e4749f77e87da89c9658e7567459bc633d697430e3ad9a

Variant #3 import hash

  • 86af0b184f40d571fe17311cf5eb5dd7

HarfangLab EDR detection

The Industrial Spy ransomware is detected by the following detection engines and rules:

  • Behavioral engine: rule “Shadow Copies Deleted”
  • Behavioral engine: rule “Suspicious file created into Recycle Bin folder”
  • Ransomguard protection: rule “ransomware detection”

Figure 7: Process tree associated with the ransomware

Figure 8: HarfangLab EDR detection of Industrial Spy ransomware

About HarfangLab

HarfangLab is a cybersecurity software company created in 2018 by former members of the Ministry of Defense, major cybersecurity companies and the National Cybersecurity Agency of France (ANSSI), who have more than 25 years of experience in cyber defense.

HarfangLab was created to protect organizations' IT systems while preserving their digital integrity. To reach that goal, the company has developed a sovereign EDR (Endpoint Detection & Response) designed to protect the computers and servers of an IT system. Today, HarfangLab is the only EDR certified by the National Cybersecurity Agency of France (ANSSI).
