The strange link between Industrial Spy and the Cuba ransomware operation

The recently launched Industrial Spy data extortion marketplace has now started its ransomware operation.

In April, Malware HunterTeam and Bleeping Computer reported the launch of a new dark web marketplace called Industrial Spy that sells stolen data and offers free stolen data to its members. MalwareHunterTeam researchers spotted malware samples [1, 2] that drop the following wallpaper that promotes the site.

Upon executing the malware it creates README.txt files in every folder on the machine, the content of the files includes a description of the service and a link to the Tor site.

Below is the description for the marketplace:

“There you can buy or download for free private and compromising data of your competitors. We public schemes, drawings, technologies, political and military secrets, accounting reports and clients databases. All this things were gathered from the largest worldwide companies, conglomerates and concerns with every activity. We gather data using vunlerability in their IT infrastructure. in their IT infrastructure. Industrial spy team processes huge massives every day to devide you results. You can fid it in their portal:

Industrial Spy is a marketplace that offers businesses data on their competitors, including intellectual property and trade secrets.

The marketplace has different levels of data offerings, from $2 for individual files up to “premium” stolen data related which represents all data stolen from an organization and that could be proposed for million of dollars.

Some data dumps are available on Industrial Spy for free, they were likely downloaded from the leak sites of ransomware gangs or other hacking forums.

Now BleepingComputer reported that the Industrial Spy data marketplace launched its own ransomware operation.

Recently MalwareHunterTeam researchers discovered a new sample of the Industrial Spy malware, which appeared like a ransom note.

Additional investigation in the ransom note suggested the link with another ransomware operation.

The TOX ID and email address reported in the ransom note were the same as a ransom note created by another sample of malware uploaded to VirusTotal that links to Cuba Ransomware.

“While this does not 100% tie the two groups together, it’s very possible that the Industrial Spy threat actors simply used Cuba’s information while testing the creation of their ransomware.” states BleepingComputer.

However, it is peculiar and something that security researchers and analysts will need to keep an eye on.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]