A number of companies and large corporations in Israel have been targeted by cyberattacks using a new ransomware called Pay2Key.The first attacks were recorded by specialists from Check Point at the end of October this year, and now their number has increased.
According to experts, criminals usually carry out attacks after midnight, when companies have fewer IT workers. The Pay2Key malware allegedly infiltrates the network of organizations through a weakly secured RDP (Remote Desktop Protocol) connection. Attackers gain access to corporate networks “some time before the attack,” and malware can encrypt the victim’s network in an hour.
Having penetrated the local network, hackers install a proxy server on one of the devices to ensure that all copies of the malware are connected to the C&C server. The payload (Cobalt.Client.exe) is launched remotely using the legitimate PsExec utility.
Numerous compilation artifacts indicate that the ransomware has another name – Cobalt (not to be confused with Cobalt Strike).
Although the identity of the attackers remains unknown, the language in the various lines of code written in poor English suggests that the attacker is not a native English speaker.
The new ransomware is written in C++ and has no analogues in the darknet market. It encrypts files with the AES key, and uses RSA keys to communicate with the C&C server. In the same way, Pay2Key receives a configuration file with a list of extensions for encryption, a template for a ransom message, etc.
Once encryption is complete, ransom notes remain in compromised systems. The Pay2Key grouping usually requires a ransom of 7 to 9 bitcoins (roughly $110 to $140k). The criminals’ encryption scheme looks solid (using AES and RSA algorithms) and unfortunately experts have not been able to develop a free version of the decryptor for victims yet.
Let me remind you that recently Ragnar Locker ransomware attacked Italian beverage manufacturer Gruppo Campari, and this is just one of the most “delicious” news in recent years.