A relatively new ransomware gang called Industrial Spy is taking a reckless approach to shaking down its victims, engaging in website defacement to post ransom notes that the general public can view.
This is a somewhat strange approach for a ransomware gang, as there is generally value in keeping the incident out of the public eye for some time. The move adds a new layer of extortion to the process, as the practice of exfiltrating sensitive files and threatening to dump them to the public has gradually become more common among threat actors over the past two years.
Website defacement an unusual element of ransomware attacks
Website defacement may or may not become a new trend among ransomware gangs; all available evidence indicates it won’t, but ransomware tactics morph constantly to keep up with evolving defenses and law enforcement pressure.
It would generally require some extra work to place ransom notes on a website, with the ransomware gang working to the detriment of its own purposes if it does so. Industrial Spy appears to be taking advantage of relatively unusual cases in which the organization self-hosts its public-facing site on its own network. Breaking into a company’s public website would usually involve combing the internal network for the login credentials to a third party site, something that creates substantial extra work and risk for the attacker.
It is not unprecedented for ransomware gangs to put more immediate and public pressure on victims, however; this has been something of a trend since late 2021, with criminals being quicker to send ransom notes to supply chain partners, clients and even sometimes to the media. Website defacement is an entirely new wrinkle. It precludes any possibility of handling the ransom payment in the background, with the tradeoff of immediately alerting the general public that something is wrong (and generating pressure from customers and clients, not to mention grabbing the immediate attention of regulators).
Whether or not the website defacement approach actually leads to increased ransom payments from victims is still very much up in the air. But if it does, expect ransom notes on the front pages of company sites as copycats try to get in on the next trend.
Will ransomware gangs start leaving ransom notes on websites?
Thus far the website defacement attacks seem to be limited to Industrial Spy, which just appeared on the scene in April and appears to be trying a lot of different approaches as it settles into a criminal groove. The group began exclusively engaging in data extortion through a custom dark web marketplace it launched, but then added ransomware to the mix about a month later. Putting ransom notes on websites first occurred only several weeks after the gang was first observed using ransomware. The group also makes use of a type of ransomware (Cuba) that has been around for years, rather than deploying its own custom variant.
Unless it is a particularly big breach at a big-name company, or something particularly colorful is discovered in the leaked data, the files that ransomware gangs dump to their dark web portals are generally ignored outside of cybersecurity specialist media. The average person with no connection to IT likely has no idea that most of these breaches and dumps have even happened. Website defacement may increase buzz among this group, but it is unclear if the added pressure that generates is worth the immediate attention from law enforcement it will draw.