Industrial Spy
Industrial Spy is a ransomware and data-extortion malware family associated with the Industrial Spy operation, first observed in the wild in May 2022. Public reporting describes the broader operation as emerging in early 2022 as a marketplace selling stolen corporate data, then adding its own ransomware to support double-extortion attacks that combine data theft with file encryption; it also sometimes extorted victims on the basis of exfiltration alone, without encryption. The malware has been linked to financially motivated RomCom / Storm-0978 operations, and multiple sources state that after earlier use of Cuba ransomware the actor shifted to Industrial Spy and later to Underground/Team Underground, with Microsoft noting significant code overlap between Underground and Industrial Spy and suggesting a possible rebranding.
Technically, Industrial Spy is described as a relatively basic Windows ransomware with limited obfuscation and few of the anti-analysis features common in modern families. On execution it parses command-line arguments, deletes Windows shadow copies, starts encryption threads, and finally self-deletes. If paths are supplied as arguments it encrypts them recursively; otherwise it enumerates non-read-only volumes and encrypts their files recursively. It skips paths containing strings such as \microsoft\, \google\chrome, \mozilla\firefox, and \opera\, and skips many extensions, including .dll, .exe, .msi, .lnk, .bat, and .ps1. If a file is locked, it attempts to terminate the locking process via the Windows Restart Manager API.
Reported encryption behavior uses Triple DES (3DES) for file data, with the per-file key and IV material protected by a hardcoded, embedded 1,024-bit RSA public key that is reportedly unique per victim. It encrypts at most the first 100 MB of each file, does not append a new extension, and instead marks encrypted files with a 0xFEEDBEEF footer. It drops a ransom note named readme.html in each directory containing encrypted files. The victim identifier in the ransom note is the MD5 hash of the modulus of the embedded RSA public key. The malware also checks whether the embedded RSA key is public or private to decide between encryption and decryption mode.
Separate from the encryptor, the operation also used a non-destructive promoter/market binary, distributed via malware downloaders disguised as software cracks and via adware. That component recursively dropped README/readme.txt files under user profile paths and changed the desktop wallpaper to advertise the Industrial Spy leak marketplace, then deleted itself. Zscaler observed this promoter being distributed alongside SmokeLoader, GuLoader, and Redline Stealer.
Reported victimology includes organizations whose stolen data was sold through the Industrial Spy leak portal, and use by RomCom / Storm-0978 in financially motivated attacks affecting sectors including telecommunications and finance. Related reporting also ties the broader actor ecosystem to targeting of government, defense, and NATO-related entities, though those campaigns are primarily described in connection with RomCom rather than with Industrial Spy itself.
High-confidence indicators and identifiers directly cited in the reporting include the ransom note name readme.html, the encrypted-file footer marker 0xFEEDBEEF, the Zscaler detection name Win32.Ransom.IndustrialSpy, and sample SHA-256 hashes including 8a5c7fff7a7a52dca5b48afc77810142b003b9dae1c0d6b522984319d44d135a and 5ed4ffbd9a1a1acd44f4859c39a49639babe515434ca34bec603598b50211bab.
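The footer marker, ransom note name and skipped-extension list described above are enough to build a simple host-side triage scan. The following is an added example, not code from the page or from any vendor tooling: it walks a directory, buckets files that end in the 0xFEEDBEEF marker, collects readme.html notes, and flags marked files whose extension the encryptor is reported to skip. The byte order of the footer is not stated on the page, so the scan accepts either ordering and reports which one matched; the sample tree it scans is constructed inline.

```python
"""Triage scan for files marked by Industrial Spy (added example; footer byte
order and case-insensitive name matching are assumptions, not page facts)."""
import os
import tempfile
from typing import Dict, List, Optional
FOOTER_BE = bytes.fromhex("FEEDBEEF")   # big-endian byte order (assumed)
FOOTER_LE = FOOTER_BE[::-1]             # little-endian DWORD (assumed)
RANSOM_NOTE = "readme.html"             # note name reported on the page
# Extensions the encryptor is reported to skip; a marked file with one of these
# contradicts the reported behaviour and is flagged for a closer look.
SKIPPED_EXTS = {".dll", ".exe", ".msi", ".lnk", ".bat", ".ps1"}


def footer_order(path: str) -> Optional[str]:
    """Return 'be' or 'le' if the file ends with the marker, else None."""
    if os.path.getsize(path) < 4:
        return None
    with open(path, "rb") as fh:
        fh.seek(-4, os.SEEK_END)
        tail = fh.read(4)
    return {FOOTER_BE: "be", FOOTER_LE: "le"}.get(tail)


def triage_tree(root: str) -> Dict[str, List[str]]:
    """Walk root and bucket paths into marked files, ransom notes, anomalies."""
    found: Dict[str, List[str]] = {"encrypted": [], "notes": [], "anomalies": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                found["notes"].append(full)
            elif footer_order(full):
                found["encrypted"].append(full)
                if os.path.splitext(name)[1].lower() in SKIPPED_EXTS:
                    found["anomalies"].append(full)
    return found


def build_sample_tree() -> str:
    """Write a constructed sample tree (not real victim data); return its root."""
    root = tempfile.mkdtemp(prefix="ispy_demo_")
    os.makedirs(os.path.join(root, "docs"))
    samples = {  # relative path -> constructed content
        "docs/q1.xlsx": b"\x00" * 64 + FOOTER_BE,           # marked document
        "docs/readme.html": b"<html>constructed note placeholder</html>",
        "docs/tool.exe": b"MZ" + b"\x00" * 30 + FOOTER_LE,  # marked despite .exe
        "notes.txt": b"plain text, untouched",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root
```

Running `triage_tree(build_sample_tree())` on the constructed tree returns two marked files, one note and one anomaly (the marked .exe); point `triage_tree` at a mounted image or share to use it on real data.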
Groups observed using it
2 distinct threat actors attributed by public researchers.
The hackers also use Industrial Spy ransomware during financially motivated attacks. This ransomware was first discovered in the wild in May 2022.
After March 2022, attacks using Cuba ransomware were entirely replaced by Industrial Spy, which appears to be a continuation of the former.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
A ransomware payload used in RomCom-linked double-extortion operations (encrypting data and threatening leaks).
Ransomware used by the group as part of its evolving ransomware toolkit.
Ransomware used by Nebulous Mantis after March 2022, described as a continuation/replacement of Cuba ransomware, deployed to encrypt victim data and demand ransom (coverage for prior data theft).
Ransomware used by the RomCom/Storm-0978 group in financially motivated attacks.