Researchers traced newly discovered sophisticated Pay2Key ransomware to Iran
A never-before-seen ransomware strain, dubbed Pay2Key, is actively targeting Israeli and European organizations. Researchers at Check Point traced bitcoin wallets found in the ransom notes to an Iranian cryptocurrency exchange.
In early November, an unusually large number of Israeli companies reported ransomware attacks. While some of these were carried out by well-known ransomware strains such as REvil and Ryuk, several large corporations were hit by a previously unknown ransomware, now dubbed Pay2Key.
Most victims of these attacks were based in Israel. However, new evidence points to a European victim as well, and researchers expect the ransomware gang to scale its attacks globally.
Researchers at Check Point emphasized that the Pay2Key ransomware strain is sophisticated and far faster than others: it encrypts its victims' data in less than 1 hour. Currently, the Pay2Key threat actors are demanding payments of 7 to 9 bitcoins (~$110K-$140K).
“Pay2Key is sophisticated and far more rapid compared to other ransomware strains. The recent Pay2Key ransomware attacks indicate a new threat actor has joined the trend of targeted ransomware attacks. All the current evidence suggests that the threat actors behind this new ransomware strain are based in Iran,” Lotem Finkelsteen, Manager of Threat Intelligence at Check Point, said.
Four victims of Pay2Key decided to pay the ransom, giving Check Point researchers an opportunity to follow the money. In collaboration with the blockchain intelligence firm Whitestream, Check Point researchers traced sequences of Bitcoin transactions to an Iranian cryptocurrency exchange named Excoino.
“So far, the Pay2Key threat actors have lived up to their threats. We strongly urge organizations to be cautious, as we expect their targeting to expand into other regions in the world,” Lotem Finkelsteen said.
The Pay2Key operators use a double-extortion tactic. In the double-extortion model, cybercriminals encrypt data and demand a ransom to restore access, and additionally threaten to publish any exfiltrated data online if their terms are not met. The Pay2Key threat actors have set up a dedicated website on which they leak their victims' data.