Ransomware Gang Evolves Double Extortion Tactic

Towards the end of 2019 ransomware gangs began to apply a new tactic to further place pressure on corporate victims to pay the ransom. The tactic became known as double extortion due to ransomware operators threatening, and in many cases releasing, sensitive data stolen before files across the IT infrastructure of the victim are encrypted.

In the past, we have seen call centers being used by ransomware gangs to place increased pressure on victims by calling employees and demanding payment as an evolution of the tactic.

ransom demanding evolution

Now the tactic has evolved further to include ransom gangs hacking corporate websites of victims to display ransom notes when suffering a ransomware incident.

For the moment it only appears that the cybercriminal gang Industrial Spy to using this tactic, and in all likelihood also the tactic’s originators. The gang originally started as a data extortion outfit but moved to deploy ransomware on victim’s networks, likely seeing how the two once separate cyber crimes have merged over the last few years.

Now, according to a report by Bleeping Computer, the gang has begun hacking websites. In one instance, the threat actors hacked the company's website to display a message warning that 200GB had been stolen and would soon be up for sale if the victim did not pay a ransom. At the time of writing this appears to be the only example of the tactics new evolution.

The victim, a French company named SATT Sud-Est, would have visitors to their website redirected to show the ransom note rather than the website.

This is not just a financial nightmare but a public relations one too. Shortly after this was discovered it was also discovered that the gang would be selling the information stolen, believed to be 200GB for 500,000 USD.

As to whether this tactic will see widespread adoption is up for debate, but it is unlikely as many websites are hosted by a third-party hosting solution rather than on the corporate IT infrastructure itself.

Industrial Spy

While it can be argued whether Industrial Spy’s new evolution of the double extortion tactic will be as groundbreaking as the double extortion tactic, the gang has made a name for itself in a relatively short time frame.

The group first made headlines in April 2022 when security researchers discovered the gang marketing itself as a marketplace where businesses can purchase their competitors' data to gain access to trade secrets, manufacturing diagrams, accounting reports, and client databases.

At the time of the marketplace’s discovery, some researchers believed that the marketplace itself can be used as a tool to place more pressure on victims when extorting them once data had been stolen.

At the time of the Industrial Spy marketplace discovery, the marketplace itself offered customers a variety of packages with what they termed “premium” data selling for millions of dollars.

Other data believed to be not as “premium” could be sold for as little as a few dollars. As advertised on their platform they were selling an Indian company’s data for 1.4 million USD.

What was perhaps more interesting than the marketplace was how the marketplace was promoted. Underground marketplaces selling data are hardly a new phenomenon but Industrial Spy chose to promote the marketplace.

Security researchers discovered several malware executables containing a file named README.txt. The file itself contained text promoting Industrial SPy’s marketplace, stating,

“There you can buy or download for free private and compromising data of your competitors. We public schemes, drawings, technologies, political and military secrets, accounting reports, and clients databases…All these things were gathered from the largest worldwide companies, conglomerates, and concerns with every activity. We gather data using a vulnerability in their IT infrastructure.”

The text file would also contain a link to the marketplaces TOR website. Bleeping Computer continued to dig a little further and discovered the following,

“Upon further investigation by BleepingComputer, we discovered that these executables are being distributed through other malware downloaders commonly disguised as cracks and adware…For example, the STOP ransomware and password-stealing Trojans, commonly distributed through cracks, are installed along with the Industrial Spy executables…Furthermore, VirusTotal shows that the README.txt files are found in numerous collections of password-stealing trojan logs, indicating that both programs were run on the same device.”

Bleeping Computer believes that the operators of the Industrial Spy website likely partner with adware and crack distributors to distribute the program that promotes the marketplace.

However, a bigger bombshell would drop the following month when MalwareHunterTeam discovered a malware executable containing a text file that was not promotional. Rather the text file appeared to be a ransom note, similar to those found in ransomware attacks. It read,

“Unfortunately we have to report you that your company was compromised. All your files were encrypted and you can't restore them without our private key. Trying to restore it without our help may cause complete loss of your data…Also we researched whole your corporate network and downloaded all your sensitive data to our servers. If we will not get any contact from you in 3 next days we will publish your data on the site 'Industrial Spy Market'.”

In May it appeared that the gang was pivoting toward ransomware, now in June it seems that pivot is complete. Industrial Spy is a threat that needs to be monitored.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal