Fraud Management & Cybercrime , Ransomware

Pay2Key Ransomware Hits Israeli Targets

Check Point Researchers Uncovered New Malware Strain
Pay2Key Ransomware Hits Israeli Targets
Pay2Key ransom note (Source: Check Point Research)

Security analysts at Check Point Research are warning about a recently uncovered ransomware strain called Pay2Key that primarily has targeted Israeli firms since late October.

See Also: How to Hunt Threats Like Elite Defenders with Open NDR + MITRE ATT&CK®

The ransom demands so far have been seven to nine bitcoins, or about $140,000 at most, according to the Check Point report. That's lower than the average ransom payment of about $230,000 that security firm Coveware reported during its analysis of attacks in the third quarter (see: Data-Exfiltrating Ransomware Gangs Pedal False Promises).

The Check Point researchers also note that while the operators behind Pay2Key appear to maintain a presence within a targeted network for several months, the ransomware can encrypt files and conduct an attack within an hour.

"Analyzing Pay2Key ransomware operation, we were unable to correlate it to any other existing ransomware strain, and it appears to be developed from scratch," according to the Check Point analysis. Several versions of this crypto-locking malware have already been spotted in the wild, which means that it's likely still under development, the researchers say.

The report also notes that over the last two months, several Israeli businesses and organizations sustained attacks by other ransomware strains, such as Ryuk and ReVIL. But, it adds, “as days go by, more of the reported ransomware attacks turn out to be related to the new Pay2Key ransomware. The attacker followed the same procedure to gain a foothold, propagate and remotely control the infection within the compromised companies."

Tactics and Techniques

As in many other ransomware attacks, operators of Pay2Key are taking advantage of vulnerable Remote Desktop Protocol connections in Windows devices as part of the initial infection, the researchers say. Once the attackers compromise a network, they map it and take steps to help ensure persistence while avoiding detection by security tools, according to Check Point.

The ransomware is written in the C++ programming language and can use both RSA and AES algorithms to encrypt files during an attack. While the ransom notes associated with these attacks claim that data exfiltrated during an incident will be leaked if the demands are not met, there's no evidence yet that this type of extortion has been conducted, the researchers say.

The report also notes that the Pay2Key ransomware uses Windows' PsExec feature, a command-line tool that lets the user execute processes on remote systems.

Unknown Operators

Check Point reports that the operators behind Pay2Key have not been identified, but they appear to be English speakers.

The operators created a KeyBase account in June before launching any attacks as a way to securely communicate with potential victims after the first series of attacks started.

"The attack was observed targeting the Israeli private sector so far, but looking at the presented tactics, techniques and procedures, we see a potent actor who has no technical reason to limit his targets list to Israel," according to Check Point.

Other Ransomware Attacks

Other security firms have also warned of an uptick in ransomware attacks targeting Israeli firms.

For example, ClearSky recently warned of crypto-locking malware attacks that they attributed to an Iranian hacking group (see: Iranian Hacking Group Suspected of Deploying Ransomware).

About the Author

Chinmay Rautmare

Chinmay Rautmare

Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News, as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters he put in a stint in broadcast journalism with a business channel, where he helped produced multimedia content and daily market shows. Rautmare is a keen follower of geo-political news and defense technology in his free time.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.