Pay2Key Ransomware Hits Dozens of Israeli Companies, Disrupts Operations

Ransomware Appears to Be a New Malware Strain

Check Point, an American-Israeli cybersecurity firm, has identified that a large number of Israeli companies—including several major corporations—reported being hit by a ransomware strain called Pay2Key in recent weeks.

“While some of these incidents were attributed to known ransomware groups such as REvil and Ryuk, several high-profile organizations were targeted by a large-scale attack using a previously unknown ransomware variant called Pay2Key,” the report states.

Check Point researchers worked with blockchain intelligence firm Whitestream to trace wallet addresses left in ransom notes, linking them to Excoini, a cryptocurrency exchange based in Iran.

Check Point's team could not correlate Pay2Key with any known ransomware family at the time of the investigation, and concluded that the malicious platform had most likely been built from scratch rather than derived from leaked or rented code.

“The leaked data from each victim organization was posted in a dedicated folder on a public website and accompanied by a personalized message from the attackers. These messages included sensitive information about the victims’ digital assets, such as domain details, server information, and backup configurations,” Check Point explained.

“The investigation so far indicates the attacker may have had a presence on the victims’ networks for some time before the attack, but managed to deploy the ransomware rapidly across the entire network in under an hour.”

Researchers also found that the Keybase account the attackers used to communicate with victims carried the logo of an existing EOSIO smart-contract project also named Pay2Key. They noted, however, that this need not indicate any link to that project: the attackers may simply have picked the first image a web search for the name returned.

The Pay2Key operators typically demanded ransoms between 7 and 9 Bitcoins (BTC). At the time of the report, that equated to roughly $113,800 to $146,300.

By tracing deposits into the ransom wallets, the researchers established that four organizations had paid the attackers as of the time of the report.

Each Pay2Key intrusion appears to have begun shortly after midnight, when the attackers accessed a single machine on the targeted network, most likely via RDP. On that machine they ran a program named ConnectPC.exe and used it as a pivot, or proxy, inside the network: every outbound connection between the ransomware processes on other hosts and the attackers' command-and-control server was routed through this one proxy host, so that only one machine on the network ever talked to the attackers' infrastructure directly.
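The pivot topology described above leaves a recognisable shape in network flow data: one internal host accepts connections from many internal peers and is the only one of them that talks to an external address, while the peers themselves stay silent outbound. The following Python is an added illustration written for this page, not code from the Check Point report or the article; the flow records, IP addresses, the 10.0.0.0/8 internal range and the port numbers are all constructed assumptions, and the heuristic is a starting point for hunting, not an indicator specific to Pay2Key.

```python
"""Hunt for an internal proxy/pivot host in flow records (illustrative)."""
from collections import defaultdict
import ipaddress

# Assumed internal range; adjust to the environment being examined.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample flows as (src_ip, dst_ip, dst_port). They mimic the
# pattern in the text: external RDP into one host, that host calling out,
# many internal hosts connecting only to it. None of this is real data.
FLOWS = [
    ("203.0.113.7", "10.0.0.5", 3389),   # external RDP into the future pivot
    ("10.0.0.5", "203.0.113.7", 443),    # pivot talks out to the C2 address
    ("10.0.0.11", "10.0.0.5", 8080),     # workstations reach the pivot ...
    ("10.0.0.12", "10.0.0.5", 8080),
    ("10.0.0.13", "10.0.0.5", 8080),
    ("10.0.0.14", "10.0.0.5", 8080),
    ("10.0.0.11", "10.0.0.2", 445),      # ordinary SMB to a file server (noise)
    ("10.0.0.12", "10.0.0.2", 445),
    ("10.0.0.2", "10.0.0.11", 445),
    ("10.0.0.30", "198.51.100.9", 443),  # one host browsing outbound normally
]


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def find_pivots(flows, min_internal_clients: int = 3) -> dict:
    """Return internal hosts that (a) receive connections from at least
    min_internal_clients distinct internal hosts and (b) themselves connect
    to external addresses. Also records which of those clients never talk
    outbound at all, the hallmark of 'everything goes through the proxy'."""
    inbound_internal = defaultdict(set)   # dst -> set of internal sources
    outbound_external = defaultdict(set)  # src -> set of external destinations
    for src, dst, _port in flows:
        if is_internal(src) and is_internal(dst):
            inbound_internal[dst].add(src)
        elif is_internal(src) and not is_internal(dst):
            outbound_external[src].add(dst)

    pivots = {}
    for host, clients in inbound_internal.items():
        if len(clients) >= min_internal_clients and outbound_external.get(host):
            silent = {c for c in clients if not outbound_external.get(c)}
            pivots[host] = {
                "clients": clients,
                "silent_clients": silent,
                "external": outbound_external[host],
            }
    return pivots


def find_external_rdp(flows) -> list:
    """Inbound RDP (tcp/3389) from outside the internal range, the likely
    initial-access step described in the text."""
    return [(src, dst) for src, dst, port in flows
            if port == 3389 and not is_internal(src) and is_internal(dst)]


if __name__ == "__main__":
    for host, info in find_pivots(FLOWS).items():
        print(f"candidate pivot {host}: {len(info['clients'])} internal clients, "
              f"{len(info['silent_clients'])} of them never talk outbound, "
              f"external peers {sorted(info['external'])}")
    for src, dst in find_external_rdp(FLOWS):
        print(f"external RDP {src} -> {dst}")
```

Legitimate forward proxies, jump hosts and update servers match the same shape, so run this against a baseline of known infrastructure and treat a previously unseen host that suddenly fits the pattern, especially one that also received an external RDP connection shortly beforehand, as the item worth pulling process and logon telemetry for.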

Translated by Carolane de Palmas