Today we will talk about a ransomware family that does not follow in the footsteps of its siblings, which typically rename the files they encrypt: Industrial Spy leaves file names unchanged. Once encryption is complete, the ransomware drops a ransom note titled "readme.html" on the desktop. Because the names are untouched, the note on the desktop and the unreadable file contents are the first visible signs of an infection.

The ransomware family is relatively simple, and parts of the code still appear to be under development. Industrial Spy uses few obfuscation methods other than building strings on the stack at runtime, which keeps sensitive strings (file names, extensions, note contents) out of the static string table so that a plain `strings` pass over the binary misses them. The ransomware also lacks many of the features common to modern ransomware families (anti-debug and anti-sandbox checks, for example), although this may change in future versions.
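To make the "strings built on the stack at runtime" technique concrete for analysts, here is an added C example; it is not code from the Industrial Spy sample or from the original post. It assembles the note name byte by byte into a stack buffer (here additionally XOR-encoded with a single hypothetical key byte, a common variant of the technique), and a small scanner shows why the encoded bytes never appear as a readable string in a static dump while the plaintext form does. The key value, the `STACK_KEY` name and the scanner are illustrative assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical single-byte XOR key; real samples vary in how they encode. */
#define STACK_KEY 0x5A

/* The note name "readme.html" stored as key-XORed bytes. Because the
 * plaintext never exists in the image, only in a live stack frame, a
 * static string dump does not reveal it. (Values are 'r'^0x5A, 'e'^0x5A, ...) */
static const unsigned char encoded_note[] = {
    0x28, 0x3F, 0x3B, 0x3E, 0x37, 0x3F, 0x74, 0x32, 0x2E, 0x37, 0x36
};

/* Decode the name into a caller-provided stack buffer, one byte at a time,
 * exactly the way a stack-string loop in malware does. Returns the length
 * written (excluding the terminator), or 0 if the buffer is too small. */
size_t build_note_name(char *out, size_t outlen)
{
    size_t n = sizeof(encoded_note);
    if (outlen < n + 1)
        return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(encoded_note[i] ^ STACK_KEY);
    out[n] = '\0';
    return n;
}

/* Minimal stand-in for the `strings` utility: does the byte blob contain
 * `needle` as a run of printable characters? Returns 1 if found, else 0. */
int blob_has_plain_string(const unsigned char *blob, size_t len,
                          const char *needle)
{
    size_t nl = strlen(needle);
    if (nl == 0 || len < nl)
        return 0;
    for (size_t i = 0; i + nl <= len; i++) {
        size_t j = 0;
        while (j < nl && isprint(blob[i + j]) && blob[i + j] == (unsigned char)needle[j])
            j++;
        if (j == nl)
            return 1;
    }
    return 0;
}

int main(void)
{
    char name[32];
    size_t n = build_note_name(name, sizeof name);
    printf("decoded on the stack: %s (%zu bytes)\n", name, n);

    /* The encoded image bytes do not contain the name; the decoded
     * stack buffer does. This is the gap an analyst closes by running
     * the sample (or emulating the loop) instead of relying on strings. */
    printf("in image bytes: %d, in stack buffer: %d\n",
           blob_has_plain_string(encoded_note, sizeof encoded_note, "readme.html"),
           blob_has_plain_string((const unsigned char *)name, n, "readme.html"));
    return 0;
}
```

The practical takeaway for triage: when static strings look suspiciously sparse, look for tight loops that write immediate bytes into a local buffer (often followed by an XOR), and recover the values with a debugger or an emulator rather than assuming the sample has no interesting strings.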

Currently, not many Industrial Spy ransomware samples have been observed in the wild. However, the group has been adding roughly two new victim organizations to its leak site every month. The first victim appeared on the leak site on March 15, 2022, and by July 25, 2022 the portal listed 37 victims in total, so it is worth keeping an eye on how this evolves.

This ransomware, like many other malicious programs, is distributed using phishing and social engineering techniques. The malware is usually bundled with ordinary programs or media files. The infectious file can come in many formats, for example PDF and Microsoft Office documents, archives (ZIP, RAR, etc.), executables (.exe, .run, etc.) and JavaScript. When such a file is opened, the infection chain is triggered.

The most common distribution methods include drive-by downloads (both stealthy and deceptive), malicious attachments and links in emails and spam messages, untrustworthy download sources (unofficial and free file-hosting sites, peer-to-peer sharing networks, etc.), illegal software activation tools ("cracks") and fake updates. It is therefore important not to trust sources like the ones mentioned above, and to treat unexpected attachments and installers as suspect until verified.

