Security researchers recently detected a surge in attacks against Israeli companies. Some of the intrusions were carried out with the well-known ransomware strains REvil and Ryuk. A previously unknown ransomware, Pay2Key, was also spotted.
Previously Unknown Pay2Key Ransomware
According to TrendMicro’s investigation, Pay2Key’s operators most likely gained access to the victims’ networks some time before the attacks. Once the ransomware was launched, however, they needed only about an hour to spread it across the entire network. “After completing the infection phase, the victims received a customized ransom note, with a relatively low demand of 7-9 bitcoins (~$110K-$140K),” TrendMicro says.
It is too early to gauge the scope of this new strain, but the investigation has already revealed details that can help defenders mitigate the ongoing attacks. Among the report’s key findings: Pay2Key most likely gains initial access over RDP, and it uses psexec.exe to execute the ransomware on other machines within the enterprise. Both techniques leave artifacts worth hunting for, namely RDP session logons and the service that PsExec installs on each target it runs against.
“Special attention was given to the design of the network communication, in order to reduce the noise a large number of encrypted machines may generate while contacting the Command and Control servers,” TrendMicro explains. The encryption is also described as “solid”: a combination of AES and RSA, presumably the usual hybrid arrangement in which a symmetric key encrypts the files and the attackers’ RSA public key protects that symmetric key, so that files cannot be recovered without the attackers’ private key.
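The two findings above (initial access over RDP, lateral movement with psexec.exe) translate directly into a hunt. The following is an added example, not code from TrendMicro’s report or from Pay2Key itself: it looks for Windows Security event 4624 with logon type 10 (an RDP session logon) and System event 7045 (“A service was installed in the system”) for the PSEXESVC service that PsExec drops on each target, then flags an RDP logon that is followed within an hour by PsExec installs on several distinct hosts. The event records, their flattened field names, and the threshold of three hosts are assumptions made for the example; the sample events are constructed, not real telemetry.

```python
"""Hunt for the RDP-then-PsExec fan-out pattern in flattened Windows event records.

Added example, not part of the original report. Field names (time, host, event_id,
logon_type, user, src_ip, service_name, image_path) are assumptions about how a
log shipper would export the events; adjust them to your own pipeline.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # the report's "about an hour" to spread across the network
MIN_TARGETS = 3               # hypothetical threshold: PsExec landing on this many hosts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # RDP logon to a file server from an external address (TEST-NET-3 range).
    {"time": "2020-11-01T06:58:10", "host": "FS01", "event_id": 4624,
     "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.45"},
    # PsExec service dropped on four hosts within the next twenty minutes.
    {"time": "2020-11-01T07:05:22", "host": "WS-101", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2020-11-01T07:06:01", "host": "WS-102", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2020-11-01T07:09:47", "host": "DB01", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2020-11-01T07:15:30", "host": "WS-103", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # Noise that must not fire: a legitimate service install, a console logon,
    # and an RDP logon the previous day with no PsExec activity after it.
    {"time": "2020-11-01T07:20:00", "host": "WS-200", "event_id": 7045,
     "service_name": "Sysmon64", "image_path": r"C:\Windows\Sysmon64.exe"},
    {"time": "2020-10-31T13:00:00", "host": "WS-050", "event_id": 4624,
     "logon_type": 2, "user": "jdoe", "src_ip": "-"},
    {"time": "2020-10-31T14:00:00", "host": "JUMP01", "event_id": 4624,
     "logon_type": 10, "user": "admin", "src_ip": "10.0.0.5"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_rdp_logons(events):
    """Security 4624 with LogonType 10 (RemoteInteractive) is an RDP session logon."""
    return [e for e in events if e["event_id"] == 4624 and e.get("logon_type") == 10]


def find_psexec_installs(events):
    """System 7045 for the service PsExec installs on each target.

    Matched on both the service name and the binary name: PsExec's -r switch lets
    the operator rename the service, and a rebuilt or cloned tool may do more, so
    treat a miss here as "not this exact artifact", not as "no lateral movement".
    """
    hits = []
    for e in events:
        if e["event_id"] != 7045:
            continue
        name = e.get("service_name", "").upper()
        image = e.get("image_path", "").replace("/", "\\").rsplit("\\", 1)[-1].upper()
        if name == "PSEXESVC" or image == "PSEXESVC.EXE":
            hits.append(e)
    return hits


def correlate(events, window=WINDOW, min_targets=MIN_TARGETS):
    """Pair each RDP logon with the PsExec installs that follow it within `window`
    and flag the logon when those installs land on at least `min_targets` hosts."""
    installs = find_psexec_installs(events)
    alerts = []
    for logon in find_rdp_logons(events):
        start = _ts(logon)
        in_window = [i for i in installs if start <= _ts(i) <= start + window]
        targets = sorted({i["host"] for i in in_window})
        if len(targets) >= min_targets:
            alerts.append({
                "rdp_host": logon["host"],
                "user": logon["user"],
                "src_ip": logon["src_ip"],
                "targets": targets,
                "first_install": min(_ts(i) for i in in_window).isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[ALERT] RDP logon on {a['rdp_host']} by {a['user']} from {a['src_ip']} "
              f"followed by PsExec on {len(a['targets'])} hosts: {', '.join(a['targets'])}")
```

Run against the constructed events, the hunt produces one alert: the logon to FS01 from 203.0.113.45, followed by PSEXESVC installs on DB01, WS-101, WS-102 and WS-103. The previous day’s RDP logon to JUMP01 and the Sysmon64 service install do not fire. The correlation is deliberately loose (it does not require the PsExec installs to originate from the RDP host, because the source of a 7045 event is not recorded in it); if your pipeline also carries the type-3 network logons that precede each service install, join on their source address to tighten it.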
The researchers believe this strain may have been developed specifically to target Israeli companies. Here is the timeline of the attacks so far:
2020-06-28 – The attacker created a KeyBase account by the name of “pay2key”
2020-10-26 – First ransomware sample compilation date
2020-10-27 – Second ransomware sample compilation date
2020-10-27 – First Pay2Key sample uploaded to VirusTotal (VT), compiled the same day; this may indicate its first appearance in the wild
2020-10-28 – Second ransomware sample uploaded to VT, indicating a possible attacked organization
2020-11-01 – Third sample compilation date
2020-11-01 – The first reported attack (a Sunday, which is a working day in Israel)
2020-11-02 – The second reported attack
An Entirely New Ransomware
The analysis performed so far shows no overlap between Pay2Key and existing ransomware strains; as TrendMicro puts it, the threat has been developed from scratch.
Further evidence is that only one of the VirusTotal engines detected the uploaded samples as malicious. That is remarkable because the ransomware uses no packer or other protection to conceal its internal functionality, so the low detection rate reflects genuinely new code rather than obfuscation of known code. Compilation artifacts show that Pay2Key is internally named Cobalt, a name that should not be confused with Cobalt Strike.
The researchers are still unsure of the creators’ origin. However, based on some inconsistent English wording, they suspect that the cybercriminals are not native English speakers.
The ransom demand comes as a note dropped on the system, customized for each target and named [ORGANIZATION]_MESSAGE.TXT; the fixed suffix makes the note a cheap indicator to hunt for on file shares. The demanded amount has so far varied between 7 and 9 Bitcoins, but it may change in future attacks.