The recently discovered Pay2Key ransomware is slowly emerging as a dangerous threat in the ransomware landscape. The ransomware, which made its first appearance in October, is actively targeting organizations leveraging the double extortion technique. 


  • Pay2Key ransomware came to the limelight when an exceptional number of Israeli companies reported ransomware attacks.
  • While few of the attacks were carried out by known ransomware strands like REvil and Ryuk, several were linked to the new Pay2Key ransomware.
  • The attackers used RDP connections to gain an initial foothold and to propagate across the entire network. 
  • After completing the infection phase, the attackers dropped a customized ransom note, with a relatively low demand of 7-9 bitcoins.

The attack timeline (so far)

  • The first widespread attack was seen in late October, where several companies from Israel were breached and had their systems encrypted by Pay2Key ransomware.
  • A follow-up investigation revealed that it was an act of Iranian-back hacking group Fox Kitten which has been active since at least 2017.
  • Later, in the first half of December, another attack was launched against Intel-owned Habana Labs, where attackers leaked data allegedly stolen from the firm. The data included Windows domain account information, DNS zone information for the domain, and a file listing from its Gerrit development code review system.

Messing around through double extortion

  • At the time of initial analysis, no website appeared to be in place.
  • However, that soon changed, and the attackers started a website that includes the leaked data of three Israeli organizations, including sensitive data pertaining to domains, servers, and backups.
  • The organization ranged from a law firm to a gaming company.
  • Apart from the website, the operators were found using Telegram, Darkweb forum, and Twitter to leak stolen information.


Though new, Pay2Key’s operators are quick at adapting and incorporating new techniques in their attacks. The ransomware is only the latest wave in a series of Iranian based targeted ransomware attacks deployed against Israeli organizations and this appears to be a growing trend.

Cyware Publisher