New Pay2Key ransomware encrypts corporate networks in just an hour

New ransomware Pay2Key

A number of companies and large corporations in Israel have been targeted by cyberattacks using a new ransomware called Pay2Key.

The first attacks were recorded by specialists from Check Point at the end of October this year, and now their number has increased.

"Over the past week, an exceptional number of Israeli companies reported ransomware attacks. While some of the attacks were carried out by known ransomware strains like REvil and Ryuk, several large corporations experienced a full-blown attack with a previously unknown ransomware variant named Pay2Key," said Check Point experts.

According to the experts, the criminals usually carry out their attacks after midnight, when companies have fewer IT staff on duty. The Pay2Key malware allegedly enters an organization's network through a weakly secured RDP (Remote Desktop Protocol) connection. The attackers gain access to the corporate network "some time before the attack," and the malware can then encrypt the victim's network within an hour.

Having penetrated the local network, the hackers set up a proxy server on one of the devices so that every copy of the malware communicates with the C&C server through that single machine. The payload (Cobalt.Client.exe) is launched remotely using the legitimate PsExec utility.
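As an added illustration (not from the article or from Check Point's research), the following script shows how a defender could look for the two traits just described in simplified host telemetry: the payload being started by the PsExec service process, and one workstation acting as a relay that many peers suddenly connect to. The event layout, host names, addresses, port and thresholds are constructed assumptions.

```python
"""Added example: flag two Pay2Key traits from the article in host telemetry.
(1) Cobalt.Client.exe launched via PsExec appears as a child of PSEXESVC.exe;
(2) a workstation turned into a C&C proxy gets connections from many peers.
Event layout, names, addresses and thresholds are constructed assumptions."""
from collections import defaultdict
import ipaddress

WATCHLIST = {"cobalt.client.exe"}          # payload name reported for Pay2Key
PSEXEC_SERVICE = "psexesvc.exe"           # service process PsExec installs
KNOWN_SERVERS = {"10.0.0.5", "10.0.0.6"}  # assumed legitimate internal servers
PIVOT_THRESHOLD = 3                       # distinct sources before flagging

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def find_payload_launches(events):
    """Return (host, image, spawned_by_psexec) for every watchlisted image."""
    hits = []
    for e in events:
        if e["type"] == "process" and basename(e["image"]) in WATCHLIST:
            via_psexec = basename(e["parent"]) == PSEXEC_SERVICE
            hits.append((e["host"], basename(e["image"]), via_psexec))
    return hits

def find_pivot_hosts(events, threshold=PIVOT_THRESHOLD):
    """Internal non-server (ip, port) endpoints reached by >= threshold sources."""
    sources = defaultdict(set)
    for e in events:
        if e["type"] != "network":
            continue
        dst = e["dst_ip"]
        if dst in KNOWN_SERVERS or not ipaddress.ip_address(dst).is_private:
            continue
        sources[(dst, e["dst_port"])].add(e["src_ip"])
    return sorted(k for k, s in sources.items() if len(s) >= threshold)

# Constructed telemetry: PsExec starts the payload on WS02 and WS03, WS04 runs
# it another way, and three workstations reach 10.0.1.11:8080, the assumed proxy.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS02", "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\Temp\Cobalt.Client.exe"},
    {"type": "process", "host": "WS03", "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\Temp\cobalt.client.exe"},
    {"type": "process", "host": "WS04", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\Temp\Cobalt.Client.exe"},
    {"type": "network", "src_ip": "10.0.1.12", "dst_ip": "10.0.1.11", "dst_port": 8080},
    {"type": "network", "src_ip": "10.0.1.13", "dst_ip": "10.0.1.11", "dst_port": 8080},
    {"type": "network", "src_ip": "10.0.1.14", "dst_ip": "10.0.1.11", "dst_port": 8080},
    {"type": "network", "src_ip": "10.0.1.14", "dst_ip": "10.0.0.5", "dst_port": 445},
]
```

The relay check is a fan-in heuristic only: tune KNOWN_SERVERS and the threshold to your own environment, or legitimate file shares and print servers will trip it.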

Numerous compilation artifacts indicate that the ransomware has another name – Cobalt (not to be confused with Cobalt Strike).

Although the identity of the attackers remains unknown, the poor English in various strings within the code suggests that the attacker is not a native English speaker.

"Analyzing the Pay2Key ransomware operation, we were unable to correlate it to any other existing ransomware strain, and it appears to be developed from scratch. Only a single engine on VirusTotal detected the uploaded ransomware samples as malicious, even though the ransomware does not use a packer or protection of any kind to hide its internal functionality," say the researchers.

The new ransomware is written in C++ and has no known analogues on darknet markets. It encrypts files with an AES key and uses RSA keys to secure its communication with the C&C server. Over that same channel, Pay2Key receives a configuration file containing the list of file extensions to encrypt, a template for the ransom message, and so on.

Once encryption is complete, ransom notes are left on the compromised systems. The Pay2Key group usually demands a ransom of 7 to 9 bitcoins (roughly $110k to $140k). The criminals' encryption scheme looks solid (it combines the AES and RSA algorithms), and unfortunately experts have not yet been able to develop a free decryptor for victims.

Let me remind you that the Ragnar Locker ransomware recently attacked the Italian beverage manufacturer Gruppo Campari, and that is just one of the most "delicious" news items of recent years.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He is available 24/7 to assist you with any question regarding internet security.
