11 December 2024

Industrial Spy fact sheet


Introduction

Industrial Spy is the predecessor of The Underground Team. First observed in April 2022, the
group is also suspected of having taken part in deploying the Cuba ransomware.

At first the group relied on threats and data exfiltration backed by ransom demands; it later moved
to ransomware with a double-extortion scheme (one ransom demand for data decryption and a second
for non-disclosure of the stolen data).

The first victim of the ransomware was recorded on March 15, 2022.

Technical elements

  • Change of the victim’s wallpaper

Image: the victim's wallpaper

  • Removal of VSS shadow copies (Volume Shadow Copy Service, the Windows snapshot mechanism used
    for backups and restore points), so that encrypted files cannot simply be rolled back
  • Change of registry keys so that the ransom note is deposited recursively in every directory
  • Self-deletion of the ransomware binary to erase its traces
  • Ransom note containing a .onion link (Tor hidden service address) for contacting the operators
  • Encryption using 3DES combined with RSA
  • Encryption is skipped for directories whose path contains one of the following strings:
    • Windows
    • Microsoft
    • google\chrome
    • mozilla\firefox
    • \opera
  • Blacklist of specific file extensions, so that files the system needs are left intact (the machine
    stays usable) and only valuable files such as documents (doc, pdf) are targeted
  • Use of a "temp.cmd" script after encryption to remove all traces (event log clearing via wevtutil
    and self-deletion).
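Two checks a responder can derive from the list above, as an added example (not GLIMPS code and not the ransomware's own logic): first, which files would fall in scope of encryption given the directory-substring exclusions the page names (the page says an extension blacklist exists but does not list it, so the extensions below are an assumption); second, a filter over process-creation telemetry for the behaviours described (shadow-copy removal, wevtutil log clearing, the temp.cmd cleanup script). The exact command lines are assumptions about how those behaviours typically surface, and the event records are constructed for this example.

```python
"""Scoping and detection helpers for the Industrial Spy behaviours described above.
Added example, not GLIMPS code. Extension list and command-line patterns are assumptions."""
import re
from pathlib import PureWindowsPath

# Directory substrings the page says are skipped (matched case-insensitively on the directory part).
EXCLUDED_DIR_SUBSTRINGS = ("windows", "microsoft", r"google\chrome", r"mozilla\firefox", r"\opera")

# ASSUMPTION: the page states a blacklist of extensions exists but does not list them;
# these are typical system-file extensions chosen purely for illustration.
ASSUMED_EXCLUDED_EXTENSIONS = {".exe", ".dll", ".sys", ".msi", ".lnk", ".ini"}


def in_encryption_scope(path: str) -> bool:
    """Return True if a file at `path` would be a candidate for encryption.

    Only the directory part is checked against the substrings, as the page says
    ("directories containing the string"); the file name itself is not.
    Because the match is a plain substring, "\\opera" also excludes
    "\\operations" and "windows" excludes a user folder named "windows-migration".
    """
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    if any(s in parent for s in EXCLUDED_DIR_SUBSTRINGS):
        return False
    if p.suffix.lower() in ASSUMED_EXCLUDED_EXTENSIONS:
        return False
    return True


# ASSUMPTION: the page only says shadow copies are removed and logs cleared via wevtutil;
# these patterns cover the usual command lines for those actions plus the named script.
SUSPICIOUS_PATTERNS = (
    ("shadow copy removal", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow copy removal", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("event log clearing", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("cleanup script", re.compile(r"\btemp\.cmd\b", re.I)),
)

# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"ProcessId": 4133, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"ProcessId": 4140, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\Public\temp.cmd"},
    {"ProcessId": 4151, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil qe System /c:5"},          # benign query, must not match
    {"ProcessId": 4160, "Image": r"C:\Program Files\Editor\editor.exe",
     "CommandLine": r"editor.exe C:\Users\alice\Documents\report.docx"},
]


def find_cleanup_and_vss_events(events):
    """Return (ProcessId, label) for each event whose command line matches a pattern.

    Seeing all three labels close together on one host is the sequence the
    page describes: backups destroyed, files encrypted, traces wiped.
    """
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        for label, pat in SUSPICIOUS_PATTERNS:
            if pat.search(cmd):
                hits.append((ev["ProcessId"], label))
                break
    return hits


if __name__ == "__main__":
    for sample in (r"C:\Users\alice\Documents\contract.pdf",
                   r"C:\Windows\System32\config\SAM",
                   r"D:\Backups\operations\q3.xlsx"):
        print(f"{sample}: {'in scope' if in_encryption_scope(sample) else 'skipped'}")
    for pid, label in find_cleanup_and_vss_events(SAMPLE_EVENTS):
        print(f"PID {pid}: {label}")
```

The scoping function is useful during triage to predict which shares and profiles were touched; the over-matching of "\opera" on "\operations" is a direct consequence of the substring rule the page describes and is worth remembering when an analyst is surprised by an untouched folder.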

GLIMPS Malware detection

GLIMPS Malware Expert's string extraction module enables recovery of the ransom note.

Image: Industrial Spy ransom note

The note also includes a Tox ID (Tox is an end-to-end encrypted peer-to-peer messaging system
frequently used by malicious actors) for contacting the operators.
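Once the note is recovered, the contact artefacts in it (.onion address, Tox ID, e-mail) are the IoCs worth extracting. The following is an added example, not GLIMPS code: it pulls those out of note text and sanity-checks them. A v3 .onion host is exactly 56 base32 characters, and a Tox ID is 76 hex characters (32-byte public key, 4-byte nospam, 2-byte checksum, where the checksum is the XOR of the first 36 bytes folded into two bytes), so a string that fails either check is usually a truncated or mistyped indicator rather than a usable one. The note text, the .onion hosts and the Tox IDs below are constructed placeholders, not real infrastructure.

```python
"""Extract and validate contact IoCs from a recovered ransom note.
Added example, not GLIMPS code. All sample values are constructed."""
import re

ONION_RE = re.compile(r"\b([a-z2-7]+)\.onion\b", re.I)
TOX_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def tox_checksum(pubkey_and_nospam: bytes) -> bytes:
    """Tox ID checksum: XOR of the 36 leading bytes, alternating into two bytes."""
    if len(pubkey_and_nospam) != 36:
        raise ValueError("expected 32-byte public key + 4-byte nospam")
    chk = bytearray(2)
    for i, b in enumerate(pubkey_and_nospam):
        chk[i % 2] ^= b
    return bytes(chk)


def make_tox_id(pubkey: bytes, nospam: bytes) -> str:
    body = pubkey + nospam
    return (body + tox_checksum(body)).hex().upper()


def tox_id_is_valid(tox_id_hex: str) -> bool:
    raw = bytes.fromhex(tox_id_hex)
    return len(raw) == 38 and tox_checksum(raw[:36]) == raw[36:]


def extract_contacts(note: str) -> dict:
    """Return the contact indicators found in `note`, split by validity."""
    onion_v3, onion_malformed = [], []
    for m in ONION_RE.finditer(note):
        host = m.group(0).lower()
        # 56 chars = v3 hidden service; anything else is legacy v2 (retired) or truncated.
        (onion_v3 if len(m.group(1)) == 56 else onion_malformed).append(host)
    tox_ids = TOX_RE.findall(note)
    return {
        "onion_v3": onion_v3,
        "onion_malformed": onion_malformed,
        "tox_valid": [t for t in tox_ids if tox_id_is_valid(t)],
        "tox_bad_checksum": [t for t in tox_ids if not tox_id_is_valid(t)],
        "emails": EMAIL_RE.findall(note),
    }


# Constructed placeholders: a well-formed v3 host, a truncated copy of it,
# a Tox ID with a correct checksum, and the same ID with its checksum damaged.
FAKE_ONION_V3 = ("abcdefghijklmnopqrstuvwxyz234567" * 2)[:56] + ".onion"
FAKE_ONION_TRUNCATED = ("abcdefghijklmnopqrstuvwxyz234567" * 2)[:54] + ".onion"
SAMPLE_TOX_ID = make_tox_id(b"\x01" * 32, b"\xab\xcd\xef\x12")
CORRUPT_TOX_ID = SAMPLE_TOX_ID[:-4] + "0000"

SAMPLE_NOTE = (  # constructed note text, not an actual Industrial Spy note
    "Your network has been penetrated and your files are encrypted.\n"
    f"To contact us open http://{FAKE_ONION_V3}/ in Tor Browser.\n"
    f"Old mirror (do not use): http://{FAKE_ONION_TRUNCATED}/\n"
    f"Tox ID: {SAMPLE_TOX_ID}\n"
    f"Backup Tox ID (copied from a damaged note): {CORRUPT_TOX_ID}\n"
    "Mail: Inbox@example.invalid\n"
)

if __name__ == "__main__":
    for key, values in extract_contacts(SAMPLE_NOTE).items():
        print(key, values)
```

The checksum test is cheap and catches the most common error when IoCs are copied by hand or cut off by a tool's string-length limit: a Tox ID that fails it can never be looked up on the Tox DHT, and a .onion host of the wrong length can never be resolved, so both should be flagged before they are published in a report.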

Conclusion

Industrial Spy innovates in the way it sells its victims' data. Its shop window has three sections:

  • Premium section: the data archive is offered at a premium price and can be downloaded only once;
    it is then deleted from the group's server.
  • General section: if the archive finds no buyer in the premium section, it is offered at a lower
    price to multiple buyers, and the group retains a copy.
  • Free section: the archive is published free of charge.

IoCs

URL:
Spyare23ttlty6qav3embclpqym3p32lksanoypvrqm6j5onstsjad[.]onion

Ransom note:
readme.txt

Emails:
Inbox@support24.net
Inbox@supticket.com

Do not hesitate to contact us for more information: contact@glimps.re