Cybersecurity researchers have discovered a new threat on the Internet: a ransomware called Pay2Key that uses a new attack methodology to extort and defraud its victims in less than 1 hour.
The danger that this new ransomware currently poses lies in the speed with which it executes an attack. Pay2Key is designed to hijack and encrypt a victim's data in less than 1 hour and then demand a ransom in cryptocurrency. As Check Point Research, the company's cyber threat intelligence division, explains, this previously unknown ransomware has been targeting Israeli companies since early November, gaining access to the networks of several Israeli organizations and companies in order to hijack their data.
Check Point highlights in its research that the attacker behind this ransomware may have gained access to the victims' networks at some point before executing the attack, but that Pay2Key still has an important and disturbing quality: the ability to "make a quick move to spread the ransomware to the entire network within an hour". Check Point researchers also point out that, after the attack was executed and the infection of the entire network completed, the victims received a message from the attackers stating that they had to pay a ransom to regain access to and control of their encrypted data. In the researchers' opinion, the amount requested as ransom is relatively low: between about 7 and 9 bitcoins (BTC), equivalent to approximately $112,000 USD and $144,000 USD respectively, based on the cryptocurrency's price at press time.
Who is affected by this ransomware?
This attack targets Windows operating systems and, according to the researchers, the initial infection of the network is likely carried out through an RDP (Remote Desktop Protocol) connection, which allows communication between a server and a terminal for the execution of an application. The researchers also note that this is one of the most robust ransomware strains on the market, since Pay2Key uses the AES and RSA algorithms for encryption.
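Since the researchers point to RDP as the likely entry point, a defender's first check is the RDP logon record. The following is an added example, not code from the original article or from Check Point: it scans constructed Windows Security log lines in an assumed simplified one-line layout (event ID 4625 for failed logons, 4624 for successful logons, logon type 10 for RDP) and flags RDP logons that succeed after a burst of failures from the same source, as well as RDP logons from outside an assumed internal address range.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed internal ranges (a real deployment lists its own networks).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Assumed simplified one-line layout, not a real Windows event export.
LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$")
# Constructed sample: 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP), LogonType 3 = network logon.
SAMPLE_LOG = """\
2020-11-01T02:10:01 EventID=4625 LogonType=10 Account=admin Source=203.0.113.7
2020-11-01T02:10:03 EventID=4625 LogonType=10 Account=admin Source=203.0.113.7
2020-11-01T02:10:05 EventID=4625 LogonType=10 Account=admin Source=203.0.113.7
2020-11-01T02:10:09 EventID=4624 LogonType=10 Account=admin Source=203.0.113.7
2020-11-01T02:15:00 EventID=4624 LogonType=10 Account=alice Source=10.0.0.5
2020-11-01T02:20:02 EventID=4624 LogonType=3 Account=bob Source=10.0.0.9
"""

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"]),
            "logon_type": int(m["lt"]), "account": m["acct"], "src": m["src"]}

def detect_rdp_intrusions(log_text, fail_threshold=3, window=timedelta(minutes=10)):
    """Flag RDP logons that succeed after >= fail_threshold failures from the
    same source within `window`, and RDP logons from non-internal sources."""
    failures = defaultdict(list)  # source address -> failed RDP logon times
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) sessions are of interest
        src, ts = ev["src"], ev["ts"]
        if ev["eid"] == 4625:
            failures[src].append(ts)
        elif ev["eid"] == 4624:
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append(("rdp_bruteforce_then_success", src, ev["account"], ts))
            if not any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS):
                alerts.append(("rdp_logon_from_external", src, ev["account"], ts))
    return alerts
```

On the sample, the admin logon from 203.0.113.7 raises both alerts, the internal alice logon raises none, and bob's network (type 3) logon is ignored.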
Source: Check Point Research
Origin of Pay2Key
Check Point researchers have apparently been unable to link this ransomware to any other known malware family, so they assume it was developed from scratch. The research team also noted that the identity of the attacker is still unknown, although several traces found in the code suggest that the author is not a "native English speaker". Check Point highlights that there are many typos in the code and in the log file, including several inconsistencies suggesting that the author is probably not from an English-speaking country.
“When analyzing the operation of the Pay2Key ransomware, we were unable to correlate it with any other existing ransomware strain and it appears to have been developed from scratch.”
The first time this ransomware was detected was on October 26, when its “first compiled sample” was recorded. On the other hand, the first recorded attack with this ransomware occurred about a week after its appearance, on November 1, when an Israeli company reported the incident.
This ransomware is written in C++, the language that dominates the Bitcoin Core code base; in addition, Pay2Key is compiled with MSVC++ 2015, which, the researchers report, makes it easier to target specific attacks.
A ransomware that is difficult to detect
Check Point reveals that, for the moment, only the antivirus analysis service VirusTotal, created by the Spanish company Hispasec Sistemas, was able to detect the ransomware, despite the fact that it does not use a "packer" or any other kind of protection to hide its malicious internal functionality. In this sense, it seems difficult for other antivirus programs on the market to detect this threat, and users of Windows operating systems should use common sense to protect themselves against it. Check Point also reveals that, during the time it has been analyzing the ransomware, it has noticed several improvements to the code, which shows that the creators of this malicious software are actively working on it and adding new functions to improve their attacks.
“In the latest version of the ransomware, we noticed that the attackers added a self-destruct mechanism, as well as a new command-line argument – noreboot. The new “cleanup” mechanism is responsible for deleting files created by the attacker and rebooting the machine.”
As a curious fact, Check Point points out that the Keybase account created under the name "Pay2Key" shows the same logo as the Pay2Key EOSIO smart contract, apparently because when searching for "Pay2Key" in Google Images, the smart contract's logo is one of the first visible results.
The risks of Pay2Key double extortion
In addition to kidnapping and encrypting victims' data and information and requesting payment of a ransom, attackers are implementing a new technique, increasingly common in the field of cyberattacks, to exert greater pressure on their victims and force them to pay the requested ransom in the shortest possible time.
“Double extortion is a tactic that applies additional pressure on victims to pay the ransom by threatening to leak stolen corporate data from victims’ online networks.”
Thus, Pay2Key follows this trend of threatening to publish the hijacked information if the victims refuse to pay the ransom or, as the attackers' message puts it, to release "important information… in case we can't make a good deal!" Check Point researchers say the attackers appear willing to follow through on those threats, as they have created a new onion website intended to share leaked data from Pay2Key victims who fail to pay the ransom.
Source: Check Point Research
To date, data from 3 Israeli companies that fell victim to this attack has been published on the site, and although the attack is mainly aimed at organizations and companies in that country, a report by Swascan records a new victim in Europe.
Tracking the ransoms
Apparently, around 4 companies attacked with this ransomware have paid the ransom, which has allowed the research team to follow the destination of the payments made in BTC. As is well known, Bitcoin is a decentralized, open-source network, so the payments and transactions made on it are not confidential: on the blockchain they can be tracked from their origin to their final destination.
Thus, Check Point indicates that, by analyzing the BTC transactions from the moment the victims deposit funds at the address sent by the attacker and following the entire journey of this money through several intermediate wallet addresses, they were able to determine that the "final wallet" address is associated with the cryptocurrency financial services company Excoino, which is based in Iran. According to the report, this company requires the user to have a valid Iranian phone number and an identification code; in addition, to be eligible to trade on the exchange, Excoino also requires a copy of the user's ID, so the owners of the final wallets are Iranian citizens, who are probably behind the attack on the Israeli companies.
Security recommendations
First of all, the researchers suggest keeping up-to-date backups of your most important data so that you can still access your information if you fall victim to this ransomware. Likewise, it is recommended that you keep your Windows antivirus and other applications up to date, and that these updates be downloaded from the vendors' official websites and not from links or attachments in emails or from sites advertised by third parties.
Developers also consider it important to stay informed of new cyber attacks and threats that emerge in the market so that users, companies and organizations can have “situational awareness” about existing risks that compromise their information. And if any anomaly is detected, it is suggested to immediately report it to the cybersecurity service provider or the IT security department of the corresponding company or organization.