Pay2Key Ransomware Hits Israeli Targets
Check Point Researchers Uncovered New Malware Strain
Security analysts at Check Point Research are warning about a recently uncovered ransomware strain called Pay2Key that primarily has targeted Israeli firms since late October.
The ransom demands so far have been seven to nine bitcoins, or about $140,000 at most, according to the Check Point report. That's lower than the average ransom payment of about $230,000 that security firm Coveware reported during its analysis of attacks in the third quarter (see: Data-Exfiltrating Ransomware Gangs Pedal False Promises).
The Check Point researchers also note that while the operators behind Pay2Key appear to maintain a presence within a targeted network for several months, the ransomware can encrypt files and conduct an attack within an hour.
"Analyzing Pay2Key ransomware operation, we were unable to correlate it to any other existing ransomware strain, and it appears to be developed from scratch," according to the Check Point analysis. Several versions of this crypto-locking malware have already been spotted in the wild, which means that it's likely still under development, the researchers say.
The report also notes that over the last two months, several Israeli businesses and organizations sustained attacks by other ransomware strains, such as Ryuk and REvil. But, it adds, "as days go by, more of the reported ransomware attacks turn out to be related to the new Pay2Key ransomware. The attacker followed the same procedure to gain a foothold, propagate and remotely control the infection within the compromised companies."
Tactics and Techniques
As in many other ransomware attacks, operators of Pay2Key are taking advantage of vulnerable Remote Desktop Protocol connections in Windows devices as part of the initial infection, the researchers say. Once the attackers compromise a network, they map it and take steps to help ensure persistence while avoiding detection by security tools, according to Check Point.
The ransomware is written in the C++ programming language and can use both RSA and AES algorithms to encrypt files during an attack. While the ransom notes associated with these attacks claim that data exfiltrated during an incident will be leaked if the demands are not met, there's no evidence yet that this type of extortion has been conducted, the researchers say.
The report also notes that the Pay2Key ransomware uses PsExec, a Windows command-line tool that lets the user execute processes on remote systems.
Check Point reports that the operators behind Pay2Key have not been identified, but they appear to be English speakers.
The operators created a Keybase account in June, before launching any attacks, as a way to communicate securely with potential victims once the first series of attacks started.
"The attack was observed targeting the Israeli private sector so far, but looking at the presented tactics, techniques and procedures, we see a potent actor who has no technical reason to limit his targets list to Israel," according to Check Point.
Other Ransomware Attacks
Other security firms have also warned of an uptick in ransomware attacks targeting Israeli firms.
For example, ClearSky recently warned of crypto-locking malware attacks that it attributed to an Iranian hacking group (see: Iranian Hacking Group Suspected of Deploying Ransomware).