{
	"id": "bee5e909-a34a-4469-949b-37a4abdbab2b",
	"created_at": "2026-04-06T00:06:34.794296Z",
	"updated_at": "2026-04-10T03:21:12.21599Z",
	"deleted_at": null,
	"sha1_hash": "e251343a19ed3b1052013a7edf5419d381ca48f6",
	"title": "Technical Analysis of Industrial Spy Ransomware | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1427408,
	"plain_text": "Technical Analysis of Industrial Spy Ransomware | Zscaler\r\nBy Atinderpal Singh, Brett Stone-Gross\r\nPublished: 2022-08-01 · Archived: 2026-04-05 15:06:32 UTC\r\nIndustrial Spy is a relatively new ransomware group that emerged in April 2022. In some instances, the threat group appears to only exfiltrate and ransom data, while in other cases they encrypt, exfiltrate and ransom data. Industrial Spy started as a data extortion marketplace where criminals could buy large companies' internal data; they promoted this marketplace using README.txt files that were downloaded by malware downloaders disguised as cracks and adware. After these initial promotional campaigns, the threat group introduced their own ransomware to create double extortion attacks that combine data theft with file encryption. The threat group also appears to have briefly tried Cuba ransomware before developing their own ransomware in May 2022.\r\nKey points\r\nIndustrial Spy is a relatively new group that emerged in April 2022; it started by ransoming stolen data and more recently has combined these attacks with ransomware.\r\nThe threat group exfiltrates and sells data on their dark web marketplace, but does not always encrypt a victim’s files.\r\nThe ransomware utilizes a combination of RSA and 3DES to encrypt files.\r\nIndustrial Spy lacks many common features present in modern ransomware families, such as anti-analysis and obfuscation.\r\nThe threat group is consistently adding roughly two to three victims per month on their data leak portal.\r\nIndustrial Spy Market Promoter\r\nThere are two primary executables associated with Industrial Spy. The first binary does not implement any destructive functionality, while the second performs file encryption. The former has been mainly distributed using cracks, adware and other malware loaders. Zscaler ThreatLabz has observed this binary being distributed in the wild alongside other loaders and stealers, including SmokeLoader, GuLoader and Redline Stealer. The sole purpose of this malware is to promote their dark web marketplace; it does not inflict any actual damage on the targeted system.\r\nTechnical Details\r\nThis malware is very basic and performs the following actions before deleting itself:\r\nDisplay a text-based note promoting the Industrial Spy data leak site (as shown in Figure 1).\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-industrial-spy-ransomware\r\nPage 1 of 10\r\nFigure 1: Industrial Spy data leak marketplace promotion note\r\nEnumerate paths under the registry key SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList and drop the file readme.txt recursively under all paths with the same note content.\r\nChange the wallpaper (shown in Figure 2) to advertise the Industrial Spy data leak marketplace.\r\nFigure 2: Desktop wallpaper set by the Industrial Spy marketplace promotion binary\r\nThe Industrial Spy threat group introduced their own ransomware in May 2022. The Industrial Spy ransomware family is relatively basic and parts of the code appear to be in development. Industrial Spy utilizes very few obfuscation methods other than building strings on the stack at runtime. The ransomware also lacks many of the features commonly seen in modern ransomware families (such as anti-debug, anti-sandbox, etc.), although this may change in the future.\r\nCurrently, not many Industrial Spy ransomware samples have been observed in the wild. However, the group is consistently adding roughly two new victims per month on their data leak portal.\r\nTechnical Details\r\nBoth encryption and decryption are handled by the same Industrial Spy ransomware binary. Simplified steps taken by the ransomware are as follows:\r\nParse command-line arguments\r\nDelete shadow copies\r\nStart an encryption thread to encrypt all drives or given paths\r\nSelf-delete\r\nDelete Shadow Copies\r\nSimilar to other ransomware families, Industrial Spy deletes Windows shadow copies to make file recovery more difficult, as shown in Figure 3.\r\nFigure 3: Industrial Spy pseudocode to delete Windows shadow copies\r\nMode of Operation\r\nOn execution, Industrial Spy checks whether an RSA public or RSA private key is embedded in the binary. Depending on the type of key, the ransomware will encrypt or decrypt files as shown below:\r\nif ( mw_ptr_key_encryption_public == 0x1F ) {\r\n    if ( mw_ptr_key_decryption_private != (char)0xF1 ) {\r\n        // decrypt files\r\n    }\r\n} else {\r\n    // encrypt files\r\n}\r\nInterestingly, it will always delete shadow copies irrespective of the mode.\r\nIf command-line arguments are provided, Industrial Spy will start a thread to recursively encrypt files for each path argument that is provided. If no arguments are given, Industrial Spy will enumerate all drives and start one thread per volume (if it is not read-only). Each thread will recursively enumerate and encrypt files. All files whose extension and path do not fall under the exclusion list will be encrypted. Paths containing the following strings are excluded:\r\n\\microsoft\\\r\n\\google\\chrome\r\n\\mozilla\\firefox\r\n\\opera\\\r\nThe following file extensions are also excluded:\r\n.\r\n.mst .inf1 .shs .dll .scr .cmd .ps1 .jse\r\n.bat .paf .ins .u3p .exe .sct .com .reg .vbscript\r\n.bin .pif .inx .vb .gadget .shb .cpl .rgs .msi\r\n.job .vbs .isu .vbe .lnk .ws .msc .wsf .wsh\r\nDuring encryption, if the targeted file is locked by another process, Industrial Spy will attempt to terminate the process that holds the corresponding file handle, using the Restart Manager API.\r\nFile Encryption\r\nIndustrial Spy encrypts each file’s content with the Triple DES (3DES) algorithm. Each 3DES key and initialization vector (IV) are then encrypted with a hardcoded RSA public key. The result is appended, together with a footer, to the encrypted file data. Industrial Spy will encrypt up to the first 100MB of data. Since 3DES is a block cipher, each block is padded accordingly with NULL (0x00) bytes to form a multiple of 24 bytes.\r\nAfter encryption, the original file content is overwritten with the data shown in Figure 4.\r\nFigure 4: Industrial Spy encrypted file structure\r\nThe encrypted file data structure is as follows:\r\nstruct encrypted_file {\r\n    byte  3des_encrypted_file_content[encrypted_size];\r\n    byte  rsa_encrypted_key_blob[128];\r\n    qword original_file_size;\r\n    dword end_of_encrypted_file_marker;  // 0xFEEDBEEF\r\n};\r\nThe encryption parameters data structure is the following:\r\nstruct rsa_encrypted_key_blob {\r\n    word  block_type;        // 0x200 (used to validate RSA decryption result)\r\n    byte  random_bytes[77];  // random byte padding\r\n    byte  null;              // 0x00\r\n    byte  3des_key[24];      // used for file data encryption\r\n    byte  iv[24];            // only the first 8 bytes are used\r\n};\r\nUnlike nearly all ransomware families, Industrial Spy does not change the file extension after encryption. Therefore, the filename itself cannot be used to determine which files have been encrypted. Instead, Industrial Spy appends a file footer that can be used to identify encrypted files by their last four bytes: 0xFEEDBEEF.\r\nRSA Key\r\nThe RSA code used by Industrial Spy is very similar to the ISFB trojan’s source code. This RSA library was also used by the ransomware known as WastedLocker. Each Industrial Spy ransomware sample contains a hardcoded 1,024-bit RSA key that is unique to each victim, in the following format:\r\nFigure 5: Embedded Industrial Spy RSA public key\r\nThe first dword (4 bytes), shown in blue, is the size of the RSA key in bits (0x400, i.e., 1,024 bits). The RSA key size is followed by the modulus, highlighted above in turquoise. The modulus contains a number of NULL bytes for padding, followed finally by the RSA public exponent (in orange) along with additional padding.\r\nKey Generation\r\nIndustrial Spy generates a per-file 3DES key and IV using the RSA library’s random function R_GenerateBytes(). This function takes a random structure as an argument to generate these values. The random structure itself is seeded by calling the x86/x64 CPU instruction rdtsc, which returns the processor’s timestamp counter. This counter records the number of CPU clock cycles since the last reset. The result of rdtsc is passed to the RSA random function R_RandomUpdate().\r\nThe R_GenerateBytes() function is called twice to generate two 24-byte pseudorandom buffers. The first buffer is used as the 3DES key for encrypting the file’s data, and the first 8 bytes of the second buffer are used as the IV.\r\nA Python-based proof-of-concept Industrial Spy ransomware decryptor can be found in the Zscaler ThreatLabz GitHub tools repository.\r\nRansom Note\r\nA file named readme.html containing the ransom note is dropped in each directory, as shown in Figure 6.\r\nFigure 6: Example Industrial Spy ransom note\r\nA copy of the Industrial Spy ransom note can be found in the ThreatLabz GitHub ransom note repository.\r\nVictim ID\r\nThe Victim ID, referred to as the personal id in the ransom note, is simply the MD5 hash of the modulus component of the embedded RSA public key.\r\nDark Web Market\r\nThe Industrial Spy leak portal is protected with a username and password, as shown below in Figure 7.\r\nFigure 7: Industrial Spy market login page\r\nAfter authentication, the Industrial Spy home page is displayed, as shown in Figure 8.\r\nFigure 8: Industrial Spy market home page\r\nThe first victim on the leak site was listed on 03/15/2022. The total victim count as of 25 July 2022 was 37, broken down into the following categories:\r\n24 Free\r\n13 General\r\n0 Premium\r\nIndustrial Spy mostly sells individual files (in the General category) rather than file bundles, at prices ranging from $1 to tens of thousands of dollars. The group likely reviews the files before deciding whether to put a high price tag on sensitive files, and dumps the rest of the files with a $1 to $2 price tag. ThreatLabz has observed operating system files of limited value, such as desktop.ini and thumbs.db, listed for $2, as shown in Figure 9.\r\nFigure 9: Operating system files (e.g., desktop.ini) listed by Industrial Spy for $2\r\nConclusion\r\nIndustrial Spy is a new entrant in the ransomware ecosystem. The malware is not currently very sophisticated, but the file encryption is functional, making it a dangerous threat. Furthermore, Industrial Spy is consistently adding new victims, proving that the threat group has the capabilities to breach new organizations. Many players come and go in the ransomware market and it is difficult to determine which groups will stay for the long term. However, this threat group is likely to stay at least in the near future, with more ransomware updates and features to follow. ThreatLabz continues to monitor all kinds of threats and provide coverage to our customers.\r\nCloud Sandbox Detection\r\nFigure 10: Zscaler Cloud Sandbox Report\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to the campaign at various levels with the following threat names:\r\nWin32.Ransom.IndustrialSpy\r\nIndicators of Compromise (IOCs)\r\nSHA256 | Description\r\n8a5c7fff7a7a52dca5b48afc77810142b003b9dae1c0d6b522984319d44d135a | Industrial Spy ransomware (debug build)\r\ndfd6fa5eea999907c49f6be122fd9a078412eeb84f1696418903f2b369bec4e0 | Industrial Spy ransomware\r\n5ed4ffbd9a1a1acd44f4859c39a49639babe515434ca34bec603598b50211bab | Industrial Spy market promoter trojan\r\n62051ec55c990d2ff21f36a90115986e4ac0eada18306f39687e209f49f2c6ec | Industrial Spy market promoter trojan\r\n911153af684ef3460bdf568d18a4356b84efdb638e3e581609eb5cd5223f0010 | Industrial Spy market promoter trojan\r\n85ea71c910ebb00ba8cae266bf18400a15b08bd341e37e12083ab9a79ff6c943 | Industrial Spy market promoter trojan\r\nc96b098cab47c0a33d0b6d8f14b24e7c9ba897b0c59a2ac1f3dc608ca7a2ed7e | Industrial Spy market promoter trojan\r\nSource: https://www.zscaler.com/blogs/security-research/technical-analysis-industrial-spy-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/technical-analysis-industrial-spy-ransomware"
	],
	"report_names": [
		"technical-analysis-industrial-spy-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775433994,
	"ts_updated_at": 1775791272,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e251343a19ed3b1052013a7edf5419d381ca48f6.pdf",
		"text": "https://archive.orkl.eu/e251343a19ed3b1052013a7edf5419d381ca48f6.txt",
		"img": "https://archive.orkl.eu/e251343a19ed3b1052013a7edf5419d381ca48f6.jpg"
	}
}