Pay2Key Ransomware’s Mayhem Continues

Introduction

• Pay2Key ransomware came to the limelight when an exceptional number of Israeli companies reported ransomware attacks.
• While few of the attacks were carried out by known ransomware strands like REvil and Ryuk, several were linked to the new Pay2Key ransomware.
• The attackers used RDP connections to gain an initial foothold and to propagate across the entire network. 
• After completing the infection phase, the attackers dropped a customized ransom note, with a relatively low demand of 7-9 bitcoins.

The attack timeline (so far)

• The first widespread attack was seen in late October, where several companies from Israel were breached and had their systems encrypted by Pay2Key ransomware.
• A follow-up investigation revealed that it was an act of Iranian-back hacking group Fox Kitten which has been active since at least 2017.
• Later, in the first half of December, another attack was launched against Intel-owned Habana Labs, where attackers leaked data allegedly stolen from the firm. The data included Windows domain account information, DNS zone information for the domain, and a file listing from its Gerrit development code review system.

Messing around through double extortion

• At the time of initial analysis, no website appeared to be in place.
• However, that soon changed, and the attackers started a website that includes the leaked data of three Israeli organizations, including sensitive data pertaining to domains, servers, and backups.
• The organization ranged from a law firm to a gaming company.
• Apart from the website, the operators were found using Telegram, Darkweb forum, and Twitter to leak stolen information.

Conclusion