Pay2Key Bitcoin Ransomware Hits Multiple Israeli Companies

New ransomware strain targets Israeli companies

Check Point, an American-Israeli cybersecurity company, reports that numerous Israeli organizations and several large corporations have been targeted in recent weeks by a ransomware operation identified as Pay2Key.

“While some incidents involved known ransomware families such as REvil and Ryuk, several large companies suffered complete intrusions carried out with a previously unrecognized variant named Pay2Key,” the company said.

Check Point analysts collaborated with Whitestream, a blockchain intelligence firm, to trace cryptocurrency wallet addresses left in ransomware notes. Their investigation led to Excoini, a cryptocurrency exchange headquartered in Iran.

Based on their technical analysis, Check Point researchers were unable to link Pay2Key to any existing ransomware family. The team concluded the malware appears to be a newly developed strain rather than a modification of known code.

According to the report, attackers uploaded stolen data from each victim to a dedicated folder on a leak site, accompanied by a bespoke extortion message. These messages often included sensitive details about the victim’s digital assets, such as domain names, server information, and the presence or state of backups.

“The investigation so far suggests the attacker may have gained initial access to victim networks prior to deploying the ransomware, and then demonstrated the capability to rapidly propagate the ransomware across the environment—often reaching many systems within an hour,” Check Point explained.

Researchers also observed that the threat actors used the Pay2Key EOSIO smart contract logo on Keybase when communicating with victims. Analysts cautioned this could either indicate a deliberate branding choice or simply the attackers selecting an image found via a web search.

Extortion demands in Pay2Key incidents typically ranged from seven to nine bitcoin (BTC), an amount that at the time of reporting equated to roughly USD 113,800 to USD 146,300. Investigators report that, to date, at least four victim organizations have paid the ransom, as shown by the traced transactions.

The attack chain described by investigators usually begins shortly after midnight, when the attackers establish a connection to a machine within the target network—most commonly through Remote Desktop Protocol (RDP). That compromised host becomes a pivot or proxy point by running a program identified as ConnectPC.exe. After that stage, outgoing communication from ransomware processes in the environment to the actors’ command-and-control (C2) server is routed through this proxy, helping the attackers maintain control while moving laterally and encrypting systems.
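The chain above (an off-hours RDP logon, a proxy binary started on that host, then other machines funnelling traffic through it) maps directly onto a detection rule. The following is an added example, not code from the Check Point report: it runs over constructed sample telemetry (hypothetical host names, users, IPs and timestamps) shaped like Windows logon, process-creation and network-connection events, and flags hosts where an RDP logon (logon type 10) in an assumed 00:00 to 04:00 window is followed within an hour by a process named ConnectPC.exe, raising severity when several other hosts then connect to that pivot.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical hosts, users, IPs, times), not
# data from the report. "logon" mirrors event 4624 with logon_type 10 (RDP),
# "process" mirrors 4688/Sysmon 1, "netconn" mirrors Sysmon 3.
SAMPLE_EVENTS = [
    {"ts": "2020-11-02T00:12:05", "type": "logon", "host": "FS01",
     "logon_type": 10, "src_ip": "203.0.113.9", "user": "svc_backup"},
    {"ts": "2020-11-02T00:20:41", "type": "process", "host": "FS01",
     "image": r"C:\Users\Public\ConnectPC.exe"},
    {"ts": "2020-11-02T00:35:10", "type": "netconn", "host": "WS17", "dst_host": "FS01", "dst_port": 443},
    {"ts": "2020-11-02T00:36:02", "type": "netconn", "host": "WS18", "dst_host": "FS01", "dst_port": 443},
    {"ts": "2020-11-02T00:36:40", "type": "netconn", "host": "WS19", "dst_host": "FS01", "dst_port": 443},
    {"ts": "2020-11-02T00:41:15", "type": "netconn", "host": "DC01", "dst_host": "FS01", "dst_port": 443},
    # Benign daytime RDP session followed by an ordinary process: must not alert.
    {"ts": "2020-11-02T09:00:00", "type": "logon", "host": "WS02",
     "logon_type": 10, "src_ip": "10.0.5.50", "user": "alice"},
    {"ts": "2020-11-02T09:05:00", "type": "process", "host": "WS02",
     "image": r"C:\Windows\System32\notepad.exe"},
]

RDP_LOGON_TYPE = 10
PROXY_IMAGE = "connectpc.exe"  # proxy program name given in the article


def parse_ts(s):
    return datetime.fromisoformat(s)


def is_off_hours(ts, start_hour=0, end_hour=4):
    """Assumed tuning window; the article only says 'shortly after midnight'."""
    return start_hour <= ts.hour < end_hour


def image_basename(path):
    """Basename of a Windows path, lower-cased, independent of the host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_rdp_pivots(events, window_minutes=60, min_fanin=3):
    """One finding per off-hours RDP logon that is followed, on the same host and
    within window_minutes, by the proxy binary. Severity becomes 'high' when at
    least min_fanin other hosts connect to that host after the proxy starts, the
    fan-in pattern of C2 traffic being relayed through the pivot."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    findings = []
    for ev in events:
        if ev["type"] != "logon" or ev.get("logon_type") != RDP_LOGON_TYPE:
            continue
        t0 = parse_ts(ev["ts"])
        if not is_off_hours(t0):
            continue
        t1 = t0 + timedelta(minutes=window_minutes)
        host = ev["host"]
        proxy = next((p for p in events
                      if p["type"] == "process" and p["host"] == host
                      and image_basename(p["image"]) == PROXY_IMAGE
                      and t0 <= parse_ts(p["ts"]) <= t1), None)
        if proxy is None:
            continue
        t_proxy = parse_ts(proxy["ts"])
        fanin = sorted({n["host"] for n in events
                        if n["type"] == "netconn" and n.get("dst_host") == host
                        and n["host"] != host
                        and t_proxy <= parse_ts(n["ts"]) <= t_proxy + timedelta(minutes=window_minutes)})
        findings.append({
            "host": host, "user": ev["user"], "src_ip": ev["src_ip"],
            "rdp_logon": ev["ts"], "proxy_image": proxy["image"],
            "fanin_hosts": fanin,
            "severity": "high" if len(fanin) >= min_fanin else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_rdp_pivots(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['host']}: off-hours RDP by {f['user']} "
              f"from {f['src_ip']} at {f['rdp_logon']}, then {f['proxy_image']}; "
              f"fan-in from {', '.join(f['fanin_hosts']) or 'none'}")
```

The benign daytime session is skipped by the off-hours filter alone; in production the process-name match should not be the only anchor, since a renamed binary would evade it, which is why the fan-in count (many internal hosts suddenly talking to one peer that just accepted an external RDP logon) carries the severity.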

Check Point’s findings underline the importance of strong access controls, robust monitoring of RDP and other remote access services, timely patching, and reliable backup strategies to mitigate the risk posed by emerging ransomware families like Pay2Key.