Meet Pay2Key, the complex malware attack

Check Point investigators have identified a ransomware operation, called Pay2Key, that originates in Iran, encrypts victim data in less than an hour and uses double extortion.
Pay2Key is the name of a ransomware that encrypts files with the AES and RSA encryption algorithms. It is written in the C++ programming language. The research shows that the cyber criminals behind it are targeting large companies around the world.
The alert about the danger of Pay2Key focuses precisely on its speed of action, since in less than an hour the information can be completely encrypted and in the hands of the attackers. Check Point also warns that there is a possibility that the campaign will scale globally. Four of the victims decided to cooperate and pay the ransom, allowing investigators to trace the destination of the payment, in cooperation with Whitestream, a blockchain intelligence company.

The flow of transactions starts with the bitcoin wallets found in the ransom notes, passes through intermediate wallets and then arrives at a final wallet associated with Excoino, an Iranian cryptocurrency exchange. This Iranian entity provides secure cryptocurrency transaction services intended only for Iranian citizens, requiring a valid Iranian phone number and national identification code.

The hackers went so far as to create a website for publishing the data of victims who chose not to give in to the double extortion attack. Among the victims who did not pay, three Israeli companies are listed.

Malware installation can be avoided by following these recommendations:

  • Programs and files must be downloaded from trusted official pages and through direct download links.
  • Installed programs must be updated and activated (if necessary) with tools and/or functions provided by their official developers.
  • Unofficial third-party update and activation tools should never be used - they tend to be designed to install malware.
  • It is not legal to activate licensed programs with various cracking tools or to use installers for pirated software.
  • Attachments and website links in irrelevant emails sent by suspicious people or unknown addresses should not be opened - recipients who open them commonly end up installing malware. It is worth mentioning that these emails are designed to look legitimate and important.

The ransoms demanded are seven to nine bitcoins, roughly equivalent to $110 to $140.
