Newly-discovered active ransomware strain attacking Israeli and European organizations is traced to Iran
November 2020 by Check Point
Security researchers at Check Point have traced the newly discovered ransomware strain, dubbed Pay2Key, to threat actors in Iran. Last week, Check Point researchers issued an alert of the never-before-seen ransomware strain that encrypts victims’ data across their networks in less than an hour. At the time, Check Point’s investigation found that the threat actors behind Pay2Key targeted mostly Israeli companies. New evidence now suggests that the threat actors also targeted companies in Europe, specifically Italy.
Four victims of Pay2Key decided to pay the ransom, providing Check Point researchers an opportunity to ‘follow the money.’ In collaboration with Whitestream, a blockchain intelligence firm, Check Point researchers traced sequences of Bitcoin transactions to an Iranian cryptocurrency exchange named Excoino. The flow begins with the wallets listed in the ransom notes, proceeds to an intermediate wallet, and ends at a final wallet associated with Excoino.
Excoino is an Iranian entity that provides secure cryptocurrency transaction services only for Iranian citizens. Registration requires a user to have a valid Iranian phone number and ID/Melli code (کد ملی). The exchange also requires a copy of the ID itself before a user is eligible to join. Based on this trail, Check Point researchers have concluded that the threat actors behind Pay2Key are more than likely Iranian citizens.
Use of Double Extortion
The threat actors behind Pay2Key leverage a tactic called Double Extortion, a recent evolution in the ransomware attack arsenal. In the double extortion model, ransomware attackers not only encrypt data and demand a ransom to restore access, but also threaten to publish any exfiltrated data online if their terms are not met. Pay2Key’s threat actors have created a dedicated website to leak their victims’ data. So far, the non-paying victims of Pay2Key’s double extortion assault are 3 Israeli companies. Check Point researchers expect the number of victims to grow quickly outside of Israel.
The initial entry point for all intrusions is currently believed to be weakly secured RDP (Remote Desktop Protocol) services. Once inside a victim’s network, the attackers set up a proxy for all outgoing communications between the ransomware-infected computers and Pay2Key’s command-and-control (C2) servers. By routing all of that traffic through a single device, the threat actors reduce the chance of detection before they encrypt every reachable system on the network. Once the encryption ends, ransom notes are left on the compromised systems, with the Pay2Key gang usually asking for payments of 7 to 9 bitcoins (around $110K to $140K US).
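The single-relay pattern described above leaves a network-level trace: one internal host receives connections from many internal peers and is the only one of them that talks to the outside. The following detection sketch is an added example, not code from Check Point's report; the flow records, the 10.0.0.0/8 addressing and the 8080 relay port are constructed sample data.

```python
# Added example: flag an internal host that relays outbound traffic for many
# other internal machines (the single-device C2 proxy pattern described above).
# Input records are constructed netflow-style tuples: (src_ip, dst_ip, dst_port).
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges checked explicitly; ipaddress.is_private also matches
# documentation ranges such as 203.0.113.0/24, which we want to treat as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

# Constructed sample flows: 10.0.0.11-14 talk only to 10.0.0.5 on port 8080,
# and 10.0.0.5 is the only host reaching an external address. 10.0.0.3 is an
# ordinary file server with internal SMB clients and no external traffic.
SAMPLE_FLOWS = [
    ("10.0.0.11", "10.0.0.5", 8080),
    ("10.0.0.12", "10.0.0.5", 8080),
    ("10.0.0.13", "10.0.0.5", 8080),
    ("10.0.0.14", "10.0.0.5", 8080),
    ("10.0.0.5", "203.0.113.10", 443),
    ("10.0.0.20", "10.0.0.3", 445),
    ("10.0.0.21", "10.0.0.3", 445),
]

def find_pivot_hosts(flows, min_fan_in=3):
    """Return internal hosts that (a) receive connections from at least
    min_fan_in distinct internal peers and (b) themselves initiate connections
    to external addresses, together with the evidence for each."""
    internal_peers = defaultdict(set)   # dst host -> internal sources seen
    external_dsts = defaultdict(set)    # src host -> (external dst, port) seen
    for src, dst, dport in flows:
        if is_internal(src) and is_internal(dst):
            internal_peers[dst].add(src)
        elif is_internal(src):
            external_dsts[src].add((dst, dport))
    return {
        host: {"relayed_for": sorted(peers), "external": sorted(external_dsts[host])}
        for host, peers in internal_peers.items()
        if len(peers) >= min_fan_in and external_dsts[host]
    }

if __name__ == "__main__":
    for host, evidence in find_pivot_hosts(SAMPLE_FLOWS).items():
        print(f"possible relay {host}: {evidence}")
```

Tune min_fan_in per environment and exclude known proxies, update servers and file servers; the check is a triage heuristic to run over firewall or flow logs, not a verdict.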
Check Point’s Manager of Threat Intelligence, Lotem Finkelsteen, said: “We’re in the midst of global surges in ransomware, attacking everything from hospitals to large corporations. Pay2Key is sophisticated and far more rapid compared to other ransomware strains. The recent Pay2Key ransomware attacks indicate a new threat actor has joined the trend of targeted ransomware attacks. All the current evidence suggests that the threat actors behind this new ransomware strain are based in Iran. These threat actors have built an operation designed to maximize damage and minimize detection. They implement rapid propagation mechanisms, leaving significant parts of the victims’ network encrypted, along with a ransom note, threatening to leak stolen corporate data unless the ransom is paid. So far, the Pay2Key threat actors have lived up to their threats. We strongly urge organizations to be cautious, as we expect this group to expand their targeting into other regions globally.”