The Pay2Key ransomware, recently attributed to an Iranian APT, is steadily emerging as a dangerous threat in the ransomware landscape. The ransomware, which made its first appearance in October, actively uses the double extortion technique against the organizations it targets.
Pay2Key came to light when a large number of organizations reported being hit by ransomware. While some of these attacks were carried out by known strains such as REvil and Ryuk, several were linked to the new Pay2Key ransomware. The attackers used RDP connections to gain an initial foothold and then to propagate across the entire network. After completing the infection phase, they dropped a customized ransom note with a relatively low demand of 7-9 bitcoins.
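As an added example that is not part of the original article, the following Python script looks for the two RDP patterns described above in a handful of constructed Windows Security event records. A Windows Event ID 4624 with logon type 10 is a RemoteInteractive (RDP) logon; the script flags a successful RDP logon from outside the assumed corporate address ranges (the initial foothold) and a single source address and account fanning out over RDP to several hosts within a short window (propagation). The hostnames, user names, addresses, timestamps and the internal network ranges are all invented for illustration.

```python
# Added example (not from the original article): detecting the RDP initial-access
# and RDP lateral-movement patterns described in the text, over constructed
# Windows Security events. Event ID 4624 + LogonType 10 = RemoteInteractive (RDP).
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10

# Assumed corporate address ranges; a real deployment would list its own.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample records shaped like the fields a SIEM extracts from 4624/4625.
# 203.0.113.45 is a documentation address standing in for an Internet source.
SAMPLE_EVENTS = [
    {"time": "2020-10-12T00:40:05", "event_id": 4625, "logon_type": 10, "host": "SRV01", "user": "itadmin", "src_ip": "203.0.113.45"},
    {"time": "2020-10-12T00:40:31", "event_id": 4624, "logon_type": 10, "host": "SRV01", "user": "itadmin", "src_ip": "203.0.113.45"},
    {"time": "2020-10-12T01:02:10", "event_id": 4624, "logon_type": 10, "host": "FS01", "user": "itadmin", "src_ip": "10.10.5.23"},
    {"time": "2020-10-12T01:09:33", "event_id": 4624, "logon_type": 10, "host": "DC01", "user": "itadmin", "src_ip": "10.10.5.23"},
    {"time": "2020-10-12T01:15:48", "event_id": 4624, "logon_type": 10, "host": "HR-PC07", "user": "itadmin", "src_ip": "10.10.5.23"},
    {"time": "2020-10-12T01:20:00", "event_id": 4624, "logon_type": 3, "host": "FS01", "user": "jdoe", "src_ip": "10.10.7.88"},
    {"time": "2020-10-12T09:30:00", "event_id": 4624, "logon_type": 10, "host": "SRV01", "user": "jdoe", "src_ip": "10.10.7.88"},
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def successful_rdp_logons(events):
    """Yield only successful interactive RDP logons (4624, logon type 10)."""
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE:
            yield e


def external_rdp_logons(events):
    """Initial-foothold check: successful RDP logons whose source is not internal.
    Returns a list of (host, user, src_ip)."""
    return [(e["host"], e["user"], e["src_ip"])
            for e in successful_rdp_logons(events) if not is_internal(e["src_ip"])]


def rdp_fanout(events, window=timedelta(hours=1), threshold=3):
    """Propagation check: one (src_ip, user) pair RDP-ing into >= threshold
    distinct hosts within any span of length `window`.
    Returns {(src_ip, user): sorted list of hosts}."""
    by_actor = defaultdict(list)
    for e in successful_rdp_logons(events):
        by_actor[(e["src_ip"], e["user"])].append(
            (datetime.fromisoformat(e["time"]), e["host"]))

    alerts = {}
    for actor, logons in by_actor.items():
        logons.sort()  # chronological; the window slides over this list
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts[actor] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for host, user, src in external_rdp_logons(SAMPLE_EVENTS):
        print(f"external RDP logon: {user} -> {host} from {src}")
    for (src, user), hosts in rdp_fanout(SAMPLE_EVENTS).items():
        print(f"RDP fan-out: {user} from {src} reached {', '.join(hosts)}")
```

In practice the input would be 4624 events parsed from the domain's security logs, and the threshold and window would be tuned to the environment's normal administrative activity; the failed 4625 attempt in the sample is deliberately ignored here, but a burst of them preceding the first success is worth a separate brute-force rule.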
Timeline of Terror –
- The first large-scale attack was discovered in October, when several Israeli companies were breached and had their systems encrypted by Pay2Key ransomware.
- A follow-up investigation later attributed the attacks to the Iranian-backed hacking group Fox Kitten, which has been active since at least 2017.
- In another attack in December, data was stolen from Intel-owned Habana Labs and later leaked online. The data included Windows domain account information, DNS zone information for the domain, and a file listing from its Gerrit code review system.
Use of double extortion tactic –
- During the initial analysis, no dedicated leak site was found.
- That changed soon after, when the attackers launched a website containing leaked data from three Israeli organizations, including sensitive information about domains, servers, and backups.
- The organizations ranged from a law firm to a gaming company.
- The attackers were also found to be using Telegram, dark web forums, and Twitter to publicize the stolen information.
Even though Pay2Key is relatively new, its operators are quick to adapt and to incorporate new techniques into their attacks. The ransomware is part of a growing trend of Iranian-based ransomware operations targeting Israeli organizations.
To read more, please check eScan Blog