A ransomware group is pushing extortion to new heights by hacking corporate websites and displaying ransom messages publicly.
Industrial Spy, a data extortion group that has only recently begun using ransomware in its attacks, is behind this new extortion method.
In its attacks, Industrial Spy breaches networks, steals data, and encrypts devices with ransomware. If the ransom is not paid, the threat actors threaten to sell the stolen data on their Tor marketplace.
As part of data extortion, websites are being defaced.
Industrial Spy started selling data acquired from a French company called SATT Sud-Est for $500,000 today.
As security researcher MalwareHunterTeam first spotted, the threat actors also hacked the company’s website to display a message warning that 200 GB of data had been stolen and would soon be put up for sale if the victim did not pay the ransom.
When ransomware gangs extort a victim, they normally give the victim a limited amount of time, usually a few weeks, to negotiate and pay the ransom before the stolen data is published.
During this negotiation phase, the threat actors promise to keep the attack quiet, supply a decryption key, and delete all stolen data if the ransom is paid.
Once this period expires, threat actors use a variety of techniques to escalate pressure, including DDoS attacks on corporate websites, emailing customers and business partners, and threatening executives.
All of these measures are carried out in private or with minimal public exposure on the gang's data leak site, which is typically visited only by cybersecurity researchers and the media.
However, this is the first time we’ve seen a ransomware gang deface a website to publish a ransom notice in such a visible manner.
While this strategy is unusual, it allows the ransomware gang to put even more pressure on a victim by bringing the attack into the open, where customers and business partners may see it.
However, it is unlikely that this new strategy will be widely adopted because web servers are often hosted by hosting companies rather than on corporate networks.
Having stolen data from an internal network, the threat actors would still need to find a vulnerability in the externally hosted website, or obtain credentials for it, before they could deface it.