Bitcoin ransomware Pay2Key victimises multiple Israeli companies

The ransomware appears to be a new strain of malicious software

Ransomware alert on a computer screen
Several Israeli companies have fallen victim to the Pay2Key ransomware

Check Point, an American-Israeli cybersecurity firm, found that a large number of Israeli companies and even large corporations reported that they were a victim of ransomware attacks by a ransomware named Pay2Key in the last few weeks.

“While some of the attacks were carried out by known ransomware strands like REvil and Ryuk, several large corporations experienced a full-blown attack with a previously unknown ransomware variant named Pay2Key”, the report explained.

Researchers from Check Point partnered with a blockchain intelligence firm named Whitestream to dive into wallet addresses that were left in ransomware notes to lead them to Excoini, a cryptocurrency exchange that is based in Iran.

The Check Point researchers, based on their analysis of Pay2Key, found that they were unable to correlate it to any other existing strain of ransomware at the time. The team concluded that this malicious platform had to have been made from scratch.

“The leaked data of each victim company was uploaded to a dedicated folder on the website, accompanied by a tailored message from the attackers. In the message they share sensitive information regarding the digital assets of the victim, including details regarding their domain, servers and backups”, Check Point explained.

“The investigation so far indicates that the attacker may have gained access to the organisations’ networks sometime before the attack, but presented an ability to make a rapid move of spreading the ransomware within an hour to the entire network.”

The researchers also found that the hackers used the same logo of the Pay2Key EOSIO smart contract system on Keybase to conduct their conversations with their victims. However, they also suggested that this could have been a result of the attackers randomly choosing a logo image from Google images.

The people behind the Pay2Key ransomware usually demanded ransoms that range from anywhere between seven to nine bitcoin (BTC) from their victims. At the time of writing, this amounts to roughly USD113,800 to USD146,300.

So far, four companies have made the decision to pay the hackers after their deposits were traced.

The Pay2Key scheme appears to begin a little after midnight when the attackers would connect to a machine on the targeted network— most likely through the RDP. The machine is defined as a pivot or proxy point within the network, with the use of a program named ConnectPC.exe. From this point forward, all outgoing communication between all ransomware processes based in the network and the attackers C&C server will go through this proxy.