Ransomware attacks tend to have a certain unofficial protocol to them; the attacker gives the victim some window in which the attack is kept from the public, allowing them the opportunity to quietly make a payment to resolve the matter as quickly (and with as little trouble) as possible. A new ransomware gang on the scene is skipping that pleasantry, using website defacement to share ransom notes with both the company and the public in the immediate wake of the attack.
It is unclear if this signals a broader trend, but ransomware gangs have been known to change and evolve their tactics over time. “Double extortion” is a recent evolution that has become increasingly common over the last two years, and the use of direct website defacement is essentially a mutation of the “triple extortion” approach that began appearing toward the end of 2021.
New ransomware gang goes directly to public pressure with ransom notes
Industrial Spy is a relatively new threat actor that emerged in April with a dark web marketplace used to directly sell stolen data to the public. The group began as a data extortion outfit, claiming to offer companies the ability to purchase the confidential data of rivals (but most likely simply pressuring the company the data was originally stolen from to pay up to recover it). It has since expanded its operations to become a ransomware gang, however, beginning to attack an assortment of companies in mid-May with what appears to be a variant of the Cuba ransomware that has been in circulation for several years.
The group had initially been operating in the manner of a typical ransomware gang, encrypting device files and delivering ransom notes directly to victims in a non-public way. The website defacement is a new development that appears to have begun with the early June breach of French firm SATT Sud-Est. The website defacement took place on the English version of the company’s main public-facing site, “sattse.com.” The page was altered with a message indicating that 200GB of data had been stolen, and that the ransomware gang was demanding a half-million-dollar payment to prevent its public release and the associated “reputational risks.”
Ransomware gangs typically give victims at least a couple of weeks to pay up before going public in any way, and may then slowly increase the pressure using targeted communications with company executives or business partners. At most, the stolen data is generally dumped without much fanfare to some sort of dark web site; unless there is something particularly newsworthy in it, the general public is often not aware of these developments as they get little to no coverage in mainstream media.
Private ransom notes have typically been part of the psychological approach for the ransomware gang, giving the company the option of avoiding reputational damage (and possibly fines from regulators) by paying quickly to keep the matter quiet. There are almost no prior examples of a ransomware gang being this immediate and public with ransom notes, and website defacement of any sort is also an extremely unusual tactic.
Website defacement is a new approach, but no clear signs of it becoming a ransomware trend
It is unclear if the website defacement by Industrial Spy is the mark of a less experienced group, new to the game and not really understanding the nuances of a ransomware shakedown, or a more savvy gambit in response to changing market conditions.
The former would initially appear to be the safer bet, given that it is relatively rare for organizations to self-host their sites in such a way that this kind of website defacement could be done by breaking into the internal network. Companies generally engage third-party hosting service providers to handle public-facing websites. An attacker might find login credentials for a website while trawling the company network, but all of this involves extra work (and risk) that makes little sense within the framework of a typical ransomware attack.
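Because a defacement of this kind shows up as an unexpected change to a page the organization does not necessarily host itself, the practical defensive control is external integrity monitoring of the public site. The following is an added example (not code from the article or from any of the parties it describes) of such a check: it normalizes the fetched HTML to ignore volatile fragments such as build stamps, hashes the result against a stored baseline, and raises the severity when a changed page also contains wording typical of a ransom note. The page contents, site name and indicator list are constructed for illustration.

```python
import hashlib
import re

# Constructed baseline page for a hypothetical "Example Corp" site
# (not the real content of any site mentioned in the article).
BASELINE_HTML = """<html><head><title>Example Corp</title></head>
<body><h1>Welcome to Example Corp</h1>
<p>Copyright 2022</p><!-- build: 2022-06-01T10:00:00Z --></body></html>"""

# Constructed defaced page; the note text is invented for illustration.
DEFACED_HTML = """<html><head><title>Example Corp</title></head>
<body><h1>Your network has been breached</h1>
<p>200GB of data has been stolen. Contact us to avoid reputational risks.</p>
<!-- build: 2022-06-02T10:00:00Z --></body></html>"""

# Fragments that legitimately change between fetches and must not trigger alerts.
VOLATILE_PATTERNS = [
    re.compile(r"<!--.*?-->", re.S),                       # build/deploy stamps in comments
    re.compile(r'name="csrf-token" content="[^"]*"'),      # per-session anti-CSRF tokens
]

# Wording that, combined with a content change, suggests a ransom note rather
# than a routine redesign. Assumed list; tune per site.
RANSOM_INDICATORS = ("stolen", "breached", "ransom", "bitcoin", "reputational risk")


def normalize(html: str) -> str:
    """Strip volatile fragments and collapse whitespace so only real content changes count."""
    for pat in VOLATILE_PATTERNS:
        html = pat.sub("", html)
    return re.sub(r"\s+", " ", html).strip()


def content_hash(html: str) -> str:
    """SHA-256 of the normalized page; store this out of band as the baseline."""
    return hashlib.sha256(normalize(html).encode("utf-8")).hexdigest()


def check_page(baseline_hash: str, html: str) -> dict:
    """Compare a freshly fetched page against the baseline and grade the result."""
    current = content_hash(html)
    changed = current != baseline_hash
    # Look at visible text only, so indicator words in scripts or comments do not count.
    text = re.sub(r"<[^>]+>", " ", html).lower()
    hits = [kw for kw in RANSOM_INDICATORS if kw in text]
    if changed and hits:
        verdict = "ALERT_POSSIBLE_DEFACEMENT"   # page changed and reads like a ransom note
    elif changed:
        verdict = "CHANGED_REVIEW"              # page changed; could be a legitimate deploy
    else:
        verdict = "OK"
    return {"verdict": verdict, "hash": current, "indicators": hits}


if __name__ == "__main__":
    baseline = content_hash(BASELINE_HTML)
    print("baseline ", check_page(baseline, BASELINE_HTML)["verdict"])
    print("redeploy ", check_page(baseline, BASELINE_HTML.replace("06-01", "07-01"))["verdict"])
    print("defaced  ", check_page(baseline, DEFACED_HTML)["verdict"])
```

In a real deployment the fetch would run from outside the corporate network (so that a compromised internal host cannot tamper with the monitor), the baseline hash would be refreshed as part of the normal release process, and a `CHANGED_REVIEW` result would be routed to whoever owns the site rather than discarded.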
Ransomware gangs are constantly evolving and changing their techniques, however, sometimes based on information that is not available to the public. Prior to the late 2010s, ransomware attacks were much more scattershot. Savvy threat actors eventually realized that indiscriminately distributing ransomware as if it were spam email netted a lot of tiny fish with no ability to pay, wasting time and resources on their end. Attacks then became more targeted, focused on firms known to have the ability to pay (whether via assets on hand or cyber insurance). This in turn led to more tailored approaches such as spearphishing, with potential points of entry scouted on public sites such as LinkedIn.
Still, ransomware remained almost exclusively about encrypting files (and demanding payments to unlock them) until 2019. The DoppelPaymer ransomware was the first major shift toward ransomware gangs first exfiltrating sensitive files, then encrypting everything and delivering their ransom notes. This led to the development (and popularization) of the “double extortion” approach, in which ransomware gangs threaten to leak sensitive files to the public via dark web portals they maintain. In part this developed out of an increasing awareness by organizations that maintaining regular online and offline backups was essentially an antidote to the traditional ransomware attack.
“Triple extortion” is yet another development that surfaced in late 2021, and one that the website defacement approach ties into. This involves ransomware gangs encrypting and exfiltrating files, but also delivering ransom notes to companies in the target organization’s supply chain or to its clients. Some have also incorporated strategic leaks to the media. Industrial Spy’s website defacement approach essentially just opens up the throttle immediately and goes straight to full public notice aimed at customers of the business.
It remains to be seen if website defacement is an approach that can create a net positive for ransomware gangs. Posting ransom notes on company websites means that law enforcement is immediately aware of the situation; not only does this allow for a faster response, but it also precludes the possibility of a company paying off a sanctioned entity in secret or factoring public suppression of the incident into their decision to pay. The surest sign that it is actually working is if copycats appear over the course of 2022.