Security researchers from Check Point have warned of a new ransomware strain dubbed Pay2Key that has been detected in a wave of targeted attacks against Israeli corporations.
The analysis of the Pay2Key ransomware operation revealed that the malware's code is not related to any other known ransomware family and appears to have been developed from scratch. Some compilation artifacts indicate that Pay2Key is internally called 'Cobalt' (not related to the Cobalt Strike software) by its developers. The researchers were not able to identify the threat actor behind the Pay2Key ransomware; however, inconsistent English wording in the various strings found in the code suggests that the malware author is not a native English speaker.
The Pay2Key ransomware is written in C++ and compiled with MSVC++ 2015. It relies heavily on object-oriented programming and uses well-designed classes for its operation. It also makes use of third-party libraries such as Boost.
According to the researchers, the Pay2Key operation is likely using publicly exposed Remote Desktop Protocol (RDP) services to gain access to victims' networks and deploy the initial malicious payloads. Access to target networks appears to have been obtained “some time before the attack,” but once the ransomware operators begin the attack, it usually takes them an hour to spread to the entire network and encrypt files.
Upon gaining initial access, the attackers create multiple files on the infected machine and execute ConnectPC.exe.
“Then, they copied or downloaded the PsExec utility and used it to remotely execute the ransomware on other machines in the organization. In order to work properly, the ransomware requires a config file to be located in the same working directory. Thus, Config.ini is required to be dropped on the victim’s computer along with Cobalt.Client.exe. In the cases we’ve seen, the Pay2Key ransomware was executed from paths of this template: C:\Windows\Temp\[organization-name]\tmp\Cobalt.Client.exe,” the researchers explain.
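The path template and the PsExec-based lateral movement described above are concrete, checkable artifacts for defenders. The following added example (not from the article or from Check Point) shows how a hunt over process-creation telemetry could flag them: it matches the image path against the `C:\Windows\Temp\<org>\tmp\Cobalt.Client.exe` template and flags processes spawned by PsExec's service-side component (PSEXESVC.exe) or launching PsExec.exe itself. The log lines and their simplified key=value layout are constructed for the example and are not a real product's event format.

```python
import re

# Constructed sample process-creation events (not from the article). The
# key=value layout is a simplification for this example, not a real EDR format.
SAMPLE_EVENTS = [
    'ts=2020-11-06T09:12:01 host=WS01 image="C:\\Windows\\System32\\svchost.exe" parent="C:\\Windows\\System32\\services.exe"',
    'ts=2020-11-06T09:13:44 host=WS01 image="C:\\Windows\\Temp\\acme-corp\\tmp\\Cobalt.Client.exe" parent="C:\\Windows\\PSEXESVC.exe"',
    'ts=2020-11-06T09:13:45 host=FS02 image="C:\\Windows\\Temp\\acme-corp\\tmp\\Cobalt.Client.exe" parent="C:\\Windows\\PSEXESVC.exe"',
    'ts=2020-11-06T09:14:10 host=WS03 image="C:\\Users\\jdoe\\Downloads\\PsExec.exe" parent="C:\\Windows\\explorer.exe"',
    # Same file name but outside the Temp template: must NOT trigger the path rule.
    'ts=2020-11-06T09:20:00 host=WS01 image="C:\\Program Files\\Acme\\Cobalt.Client.exe" parent="C:\\Windows\\explorer.exe"',
]

# Path template quoted by the researchers: C:\Windows\Temp\[organization-name]\tmp\Cobalt.Client.exe
PAY2KEY_PATH = re.compile(
    r"^C:\\Windows\\Temp\\[^\\]+\\tmp\\Cobalt\.Client\.exe$", re.IGNORECASE
)

# PSEXESVC.exe is the service PsExec installs on the remote host; a process whose
# parent is that service was started through PsExec.
PSEXEC_SERVICE = "psexesvc.exe"
PSEXEC_CLIENT = "psexec.exe"

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names the event triggers (empty if benign)."""
    reasons = []
    image = event.get("image", "")
    parent = event.get("parent", "")
    if PAY2KEY_PATH.match(image):
        reasons.append("pay2key-path-template")
    if basename(parent) == PSEXEC_SERVICE:
        reasons.append("psexec-remote-exec")
    if basename(image) == PSEXEC_CLIENT:
        reasons.append("psexec-launch")
    return reasons


def flag_events(lines):
    """Run every rule over the log lines; return one finding per flagged event."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            findings.append(
                {"host": event.get("host"), "image": event.get("image"), "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in flag_events(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['image']} -> {', '.join(f['reasons'])}")
```

The PsExec rules on their own are noisy in environments where administrators use PsExec legitimately; the value is in the combination, since the article describes PsExec being used to push a binary to a Temp path within roughly an hour across many hosts. Correlating the `psexec-remote-exec` hits by time window and host count would surface that pattern without alerting on every individual use.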
Once the encryption process is complete, ransom notes are left on the hacked systems, with the ransom amount ranging between 7 and 9 Bitcoins (approx. $110,000 - $140,000).
“While the attack is still under investigation, the recent Pay2Key ransomware attacks indicate a new threat actor is joining the trend of targeted ransomware attacks – presenting a well-designed operation to maximize damage and minimize exposure. The attack was observed targeting the Israeli private sector so far, but looking at the presented tactics, techniques, and procedures we see a potent actor who has no technical reason to limit his targets list to Israel. The incidents are still under investigation, and we will update this blog post with new findings if any new findings come to light,” Check Point warned.