Multiple organizations in Israel have reported several cyberattacks in which attackers targeted them using a new strain of ransomware named “Pay2Key”. According to CheckPoint research, threat actors illicitly obtained the foothold and remotely controlled the infection within the compromised networks. The Pay2Key ransomware is written in C++ and compiled using MSVC++ 2015. It also makes use of third-party libraries like Boost.
“The investigation so far indicates the attacker may have gained access to the organizations’ networks some time before the attack but presented an ability to make a rapid move of spreading the ransomware within an hour to the entire network. After completing the infection phase, the victims received a customized ransom note, with a relatively low demand of 7-9 bitcoins (~$110K-$140K),” the researchers said.
Key findings:
- Previously unknown ransomware dubbed Pay2Key, carries targeted attacks against Israeli companies
- Initial infection is presumably made through RDP connection
- Lateral movement is made using psexec.exe to execute the ransomware on the different machines within the organization
- Special attention was given to the design of the network communication in order to reduce the noise a large number of encrypted machines may generate while contacting the Command and Control servers
- The encryption scheme is solid – using the AES and RSA algorithms
“While the attack is still under investigation, the recent Pay2Key ransomware attacks indicate a new threat actor is joining the trend of targeted ransomware attacks – presenting well designed operation to maximize damage and minimize exposure. The attack was observed targeting the Israeli private sector so far, but looking at the presented tactics, techniques, and procedures we see a potent actor who has no technical reason to limit his targets list to Israel. The incidents are still under investigation, and we will update this blogpost with new findings if any new findings come to light,” the researchers added.
