Ransomware attacks tend to follow a certain unofficial protocol: the attacker gives the victim a window in which the attack is kept from the public, allowing them the opportunity to quietly make a payment and resolve the matter as quickly (and with as little trouble) as possible. A new ransomware gang on the scene is skipping that pleasantry, using website defacement to deliver its ransom note to both the company and the public in the immediate wake of the attack. It is unclear whether this signals a broader trend, but ransomware gangs have been known to change and evolve their tactics over time. “Double extortion,” in which stolen data is held over the victim in addition to the encryption of its files, has become increasingly common over the last two years, and direct website defacement is essentially a mutation of the “triple extortion” approach (adding further pressure beyond the encryption and the leak threat) that began appearing toward the end of 2021.
New ransomware gang goes directly to public pressure with ransom notes
Industrial Spy is a relatively new threat actor that emerged in April with a dark web marketplace used to directly sell stolen data to the public. The group began as a data extortion outfit, claiming to offer companies the ability to purchase the confidential data of rivals (but most likely simply pressuring the company the data was originally stolen from to pay up to recover it). It has since expanded its operations to become a ransomware gang, however, beginning to attack an assortment of companies in mid-May with what appears to be a variant of the Cuba ransomware that has been in circulation for several years.
The group had initially been operating in the manner of a typical ransomware gang, encrypting device files and delivering ransom notes directly to victims in a non-public way. The website defacement is a new development that appears to have begun with the early June breach of French firm SATT Sud-Est. The defacement took place on the English version of the company’s main public-facing site, “sattse.com.” The page was altered with a message indicating that 200GB of data had been stolen, and that the ransomware gang was demanding a payment of half a million dollars to prevent the public release of the data and the associated “reputational risks.”
Ransomware gangs typically give victims at least a couple of weeks to pay up before going public in any way, and may then slowly increase the pressure using targeted communications with company executives or business partners. Even then, the stolen data is generally dumped without much fanfare on some sort of dark web leak site; unless there is something particularly newsworthy in it, the general public is often unaware of these developments, as they get little to no coverage in mainstream media.
Private ransom notes have typically been part of the psychological approach for the ransomware gang, giving the company the option of avoiding reputational damage (and possibly fines from regulators) by paying quickly to keep the matter quiet. There are almost no prior examples of a ransomware gang being this immediate and public with ransom notes, and website defacement of any sort is also an extremely unusual tactic.
Website defacement is a new approach, but no clear signs of it becoming a ransomware trend
It is unclear whether the website defacement by Industrial Spy is the mark of a less experienced group, new to the game and not yet versed in the nuances of a ransomware shakedown, or a more calculated gambit in response to changing market conditions.
The former would initially appear to be the safer bet, given that it is relatively rare for organizations to self-host their public sites in such a way that defacing them is simply a matter of breaking into the internal network. Companies generally engage third-party hosting providers to run public-facing websites, so the site usually sits outside the network the attacker has already compromised. An attacker might find hosting or content-management credentials for the website while trawling the company network, but all of this involves extra work (and extra risk of detection) that makes little sense within the framework of a typical ransomware attack.
Ransomware gangs are constantly evolving and changing their techniques, however, sometimes based on information that is not available to the public. Prior to the late 2010s, ransomware attacks were much more scattershot. Savvy threat actors eventually realized that distributing ransomware indiscriminately, as if it were spam email, netted a lot of tiny fish with no ability to pay, wasting their time and resources. Attacks then became more targeted, focused on firms known to have the ability to pay (whether via assets on hand or cyber insurance). This in turn led to more tailored approaches such as spearphishing, with potential points of entry scouted on public sites such as LinkedIn.