Technical Analysis of Industrial Spy Ransomware

Industrial Spy is a relatively new ransomware group that emerged in April 2022. It started with pure data extortion and later added file encryption to run double-extortion campaigns. The group operates a dark web marketplace where it sells the data it exfiltrates from victims, while its ransomware uses RSA and 3DES and shows minimal anti-analysis features. #IndustrialSpy #ThreatLabz

Key points

  • Industrial Spy emerged in April 2022 and progressed from pure data extortion to double-extortion campaigns that also deploy ransomware.
  • The group exfiltrates stolen data and sells it on a dark web marketplace; it does not always encrypt victims’ files.
  • The ransomware encrypts files using 3DES with per-file RSA-encrypted keys and appends a 0xFEEDBEEF footer to identify encrypted data.
  • The malware is relatively basic and lacks many anti-analysis/obfuscation features seen in other modern families.
  • Industrial Spy adds roughly two to three victims per month on its data leak portal.
  • Two primary executables exist: a non-destructive “promoter” binary distributed alongside cracks, adware and malware loaders, and the actual ransomware that encrypts files.

MITRE Techniques

  • [T1490] Inhibit System Recovery – “Similar to other ransomware families, Industrial Spy deletes Windows shadow copies to make file recovery more difficult.”
  • [T1083] File and Directory Discovery – “If no arguments are given, Industrial Spy will enumerate all drives and start one thread per volume (if it is not read-only). Each thread will recursively enumerate and encrypt files.”
  • [T1486] Data Encrypted for Impact – “Industrial Spy encrypts each file’s content with the Triple DES (3DES) algorithm. Each 3DES key and initialization vector (IV) are then encrypted with a hardcoded RSA public key. The result is appended with a footer to the encrypted file data.”
  • [T1070.004] File Deletion – the ransomware performs a “self-delete” after encryption, removing its own binary as an indicator.
  • [T1041] Exfiltration – “The threat group exfiltrates and sells data on their dark web marketplace.”
  • [T1105] Ingress Tool Transfer – “Two primary executables … The first binary … distributed using cracks, adware and other malware loaders” (distributed in-the-wild with loaders such as SmokeLoader, GuLoader and Redline Stealer).
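The encryption description under T1486 gives responders a cheap scoping signal: every encrypted file ends with the 0xFEEDBEEF footer, and every affected directory receives readme.html. The following triage scanner is an added example written for this summary, not code from the Zscaler analysis; it assumes the marker sits in the last four bytes of each file and checks both byte orders, since the report does not state the endianness.

```python
import os

# Marker appended to encrypted files (from the analysis above).
# ASSUMPTION: the DWORD may be stored little- or big-endian, so both are checked.
FOOTER_MARKERS = (
    (0xFEEDBEEF).to_bytes(4, "little"),  # EF BE ED FE
    (0xFEEDBEEF).to_bytes(4, "big"),     # FE ED BE EF
)
RANSOM_NOTE_NAME = "readme.html"  # ransom note file name from the IoC list


def has_industrial_spy_footer(path):
    """Return True if the file's last four bytes equal the 0xFEEDBEEF marker."""
    try:
        with open(path, "rb") as fh:
            fh.seek(0, os.SEEK_END)
            if fh.tell() < 4:          # too small to carry a footer
                return False
            fh.seek(-4, os.SEEK_END)
            return fh.read(4) in FOOTER_MARKERS
    except OSError:                    # unreadable file: report nothing, keep scanning
        return False


def triage_directory(root):
    """Walk `root` and return a scoping summary for incident response:
    paths carrying the footer, directories holding a ransom note, files scanned."""
    summary = {"encrypted": [], "note_dirs": [], "scanned": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE_NAME:
                summary["note_dirs"].append(dirpath)
                continue              # the note itself is not encrypted data
            summary["scanned"] += 1
            if has_industrial_spy_footer(full):
                summary["encrypted"].append(full)
    return summary


if __name__ == "__main__":
    import sys
    result = triage_directory(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"scanned {result['scanned']} files, "
          f"{len(result['encrypted'])} carry the 0xFEEDBEEF footer, "
          f"{len(result['note_dirs'])} directories hold {RANSOM_NOTE_NAME}")
```

Run it against a mounted image or restored share to count affected files per directory before deciding on restore scope; a footer hit without a co-located readme.html is worth a second look, since the note is dropped per directory.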

Indicators of Compromise

  • [SHA256] Industrial Spy ransomware (debug build) – 8a5c7fff7a7a52dca5b48afc77810142b003b9dae1c0d6b522984319d44d135a
  • [SHA256] Industrial Spy ransomware – dfd6fa5eea999907c49f6be122fd9a078412eeb84f1696418903f2b369bec4e0
  • [File name] readme.html – ransom note dropped into encrypted directories; it points the victim to the group’s data leak site

Read more: https://www.zscaler.com/blogs/security-research/technical-analysis-industrial-spy-ransomware