A new ransomware group dubbed Industrial Spy, which first emerged in April 2022, specializes in data exfiltration and double extortion and has the potential to do significant damage, Zscaler’s threat tracking team said.
The threat crew has shown that it can breach organizations and has been “actively adding unencrypted data from two-three victims every month,” Zscaler said. In some instances the group appears only to exfiltrate and ransom data; in others it encrypts, exfiltrates and ransoms data, the San Jose, California-based cloud security provider said.
Threat Actor Mystery
At this point it is not clear who is behind the group or whether it is nation-state affiliated. The group started as a data extortion marketplace where criminals could buy large companies’ internal data, promoting the marketplace through Readme.txt files dropped by malware downloaders.
In May 2022 the threat group introduced its own ransomware to carry out double-extortion attacks that combine data theft with file encryption.
So far, few Industrial Spy ransomware samples have been observed in the wild.
What you need to know:
- Industrial Spy started by ransoming stolen data and more recently has combined these attacks with ransomware.
- The threat group exfiltrates and sells data on their dark web marketplace, but does not always encrypt a victim’s files.
- The ransomware utilizes a combination of RSA and 3DES to encrypt files.
- Industrial Spy lacks many common features present in modern ransomware families.
- The Industrial Spy ransomware family is relatively basic, and parts of the code appear to be still under development.
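The “combination of RSA and 3DES” noted above is the usual hybrid pattern for a file locker: each file gets its own random 3DES key, the file is encrypted with that key, and the key is then wrapped with an RSA public key embedded in the binary, so only the holder of the matching private key can unwrap it. The Go program below is an added illustration of that pattern and is not Industrial Spy’s code or taken from Zscaler’s analysis; the per-file key, CBC mode, PKCS#7 padding, RSA-OAEP wrapping, 2048-bit key size and the EncryptedFile layout are all assumptions made for this example, and the sample document is constructed.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is the assumed on-disk layout for one encrypted file:
// the 3DES key wrapped with the operator's RSA public key, the CBC IV,
// and the ciphertext. Not a documented Industrial Spy format.
type EncryptedFile struct {
	WrappedKey []byte
	IV         []byte
	Ciphertext []byte
}

// pkcs7Pad / pkcs7Unpad bring data to a multiple of the 8-byte 3DES block.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || n > len(b) {
		return nil, errors.New("invalid padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptFile: fresh 24-byte 3DES key and IV per file, 3DES-CBC over the
// padded content, key wrapped with RSA-OAEP. Only the public key is needed,
// which is why a locker can ship it inside the binary.
func EncryptFile(plain []byte, pub *rsa.PublicKey) (*EncryptedFile, error) {
	key := make([]byte, 24)
	iv := make([]byte, des.BlockSize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plain, des.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// DecryptFile needs the RSA private key, which never leaves the operator.
func DecryptFile(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err // wrong private key ends here: OAEP check fails
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ef.Ciphertext)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	pt := make([]byte, len(ef.Ciphertext))
	cipher.NewCBCDecrypter(block, ef.IV).CryptBlocks(pt, ef.Ciphertext)
	return pkcs7Unpad(pt, des.BlockSize)
}

// Demo runs the exchange on a constructed input: encrypt under the operator's
// public key, recover with the matching private key, and show that an
// unrelated private key (a victim without the operator's key) cannot unwrap it.
func Demo(plain []byte) (recovered []byte, wrongKeyErr error, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	ef, err := EncryptFile(plain, &operator.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	if recovered, err = DecryptFile(ef, operator); err != nil {
		return nil, nil, err
	}
	_, wrongKeyErr = DecryptFile(ef, other)
	return recovered, wrongKeyErr, nil
}

func main() {
	rec, wrongErr, err := Demo([]byte("constructed sample document"))
	fmt.Printf("recovered=%q wrongKeyErr=%v err=%v\n", rec, wrongErr, err)
}
```

The practical point for responders is in DecryptFile: recovering a file encrypted this way requires the operator’s RSA private key, so having the ransomware sample alone does not give you a decryptor. Recovery efforts belong on backups and on the exfiltration side of the incident, where the group’s “unencrypted data” marketplace does its damage regardless of whether files were locked.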
How MSSPs and MSPs Can Mitigate Ransomware Attack Risks
CISA, the FBI and UK authorities have repeatedly warned MSPs about inbound cyberattacks. The latest joint warning, issued in May 2022, included 12 tips to help MSPs reduce their exposure to ransomware. Separately, Microsoft issued a ransomware warning to small businesses and their IT service providers in July 2022.