Industrial Spy: A data extortion marketplace turned ransomware

June 2, 2022

The recently introduced data extortion marketplace called Industrial Spy has turned its illegal store into a full-blown ransomware operation. Researchers discovered last month that Industrial Spy was offering stolen data and sharing information with its members for free.

However, the group's latest data extortion campaign revealed that it has begun a ransomware operation. The research team discovered a new malware sample in the Industrial Spy operation that contained a ransom note instead of the group's commonly deployed promotional text.

The note indicated that the operators of the previously known marketplace had stolen the victim’s data and encrypted it. Furthermore, the note claimed that the operators would leak the encrypted data on the group’s leak site within three days if the target did not contact their team.

The ransom note also included a TOX ID that targets can use to reach the operators and start negotiating the ransom.


Industrial Spy may be bluffing about its encryption threat.


According to a separate researcher, their investigation showed that Industrial Spy did not append a new extension to encrypted file names, despite claiming that it had encrypted the stolen data.

The researchers also noted that the ransomware uses DES encryption together with an RSA-1024 public key. Moreover, the group's ransomware strain is marked by a unique 0xFEEDBEEF filemarker.

The group’s ransomware operation also used a ransom note file named “!! READ ME !! [.]txt”, which is the same name as the ransom note deployed by the Cuba ransomware. Hence, there might be a link between these two malicious entities.

Researchers further proved the link between the two after they spotted that the encrypted files had an appended [.]cuba extension.

Unfortunately, this detail does not entirely connect Industrial Spy to the Cuba ransomware, since the former only used the latter group’s method to try out its ransomware operation.
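The indicators mentioned above (the ransom note file name, the 0xFEEDBEEF filemarker, and the appended [.]cuba extension) can be turned into a host triage check. The following is an added example, not code from the researchers or the original report; the function names are hypothetical, and it assumes the marker sits in the last 4 KiB of a file in either byte order, which the report does not state.

```python
import os
import tempfile

# Indicators named in the article; their on-disk layout is assumed here.
NOTE_NAME = "!!readme!!.txt"        # "!! READ ME !! .txt" with spaces ignored
MARKER = bytes.fromhex("FEEDBEEF")  # file marker 0xFEEDBEEF
TAIL_BYTES = 4096                   # assumption: marker is near the file end

def classify(path):
    """Return the indicator names that match one file."""
    hits = []
    name = os.path.basename(path).lower()
    if "".join(name.split()) == NOTE_NAME:
        hits.append("ransom_note_name")
    if name.endswith(".cuba"):
        hits.append("cuba_extension")
    try:
        with open(path, "rb") as fh:
            size = fh.seek(0, os.SEEK_END)
            fh.seek(max(0, size - TAIL_BYTES))
            tail = fh.read()
    except OSError:
        return hits  # unreadable: keep name-based hits only
    # Byte order is not given on the page, so test both.
    if MARKER in tail or MARKER[::-1] in tail:
        hits.append("feedbeef_marker")
    return hits

def scan(root):
    """Walk root; return {path: [indicators]} for files with any hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            hits = classify(full)
            if hits:
                findings[full] = hits
    return findings

def demo():
    """Scan a constructed sample tree (no real malware artifacts)."""
    samples = {
        "!! READ ME !!.txt": b"constructed note text",
        "report.docx": b"\x00" * 64 + MARKER,  # marker, name unchanged
        "db.bak.cuba": b"constructed ciphertext",
        "clean.txt": b"ordinary content",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): h for p, h in scan(root).items()}
```

A four-byte marker can occur by chance in unrelated binary data, so a marker-only hit is a lead for further review rather than confirmation of encryption.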

It is only natural that a data extortion operation can turn into a ransomware operation, since the two go hand in hand. Experts should monitor Industrial Spy's recent entry into the ransomware scene, as this group is already equipped with competent data extortion capabilities.
