New Pay2Key Ransomware Targeting Companies


A new ransomware, Pay2Key, compromises networks through weakly configured Remote Desktop Protocol (RDP) services and demands payments of 7 to 9 bitcoins for the decryption of the encrypted files.


Several companies from Israel have reported being the victim of a new targeted ransomware attack, called Pay2Key. A weakly configured Remote Desktop Protocol (RDP) service is believed to be the attackers' initial entry point, before they spread through the network and encrypt all the files on it.

What is Ransomware?

Ransomware, one of the most prevalent types of malware, is malicious software that uses encryption to deny a victim access to its own data and demands a ransom, usually in a cryptocurrency, in return for decrypting that data.

Ransomware can be prevented just like any other type of malware. However, once it infects a system, an offline backup is usually the only way (short of paying the ransom) to recover the system, because ransomware uses well-known and hard-to-break encryption schemes to render the data inaccessible to the victim. In rare cases, reverse engineering the malware may uncover implementation faults that allow the encrypted data to be recovered.

Quote by William Lynn

Whereas a missile comes with a return address, a computer virus generally does not.

William Lynn

Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.

Description of the Pay2Key Ransomware Attack

It has been observed that Pay2Key ransomware attacks usually take place after midnight, when employees are not at work. After the attack, a note demanding 7 to 9 bitcoins to unlock the encrypted files is left on the victim systems. In addition to encrypting the files, the attackers are also known to have stolen sensitive data from the victims.

Pay2Key Ransomware Note

How Does the Pay2Key Ransomware Attack Work?

Regarding the attack technique, exposed RDP services are exploited first to infiltrate the targeted networks. Once inside, the attackers route all external communication through a single machine, used as a pivot, in order to avoid detection. For lateral movement, the attackers use psexec.exe to deliver and execute Cobalt.Client.exe (the Pay2Key ransomware itself) on other machines on the network.
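The two behaviours described above, PsExec-driven lateral movement and fan-out from a single pivot machine, combined with the after-midnight timing noted earlier, are things a defender can look for in Windows event logs. The following is an added example written for this article, not code from the page or from Check Point's report. It correlates network logons (Security event 4624, logon type 3) with installs of the default PsExec service (System event 7045, service name PSEXESVC) on the same host, then counts how many hosts each source address reached. The hostnames, user names, IP addresses and timestamps are constructed sample data, and the key=value line format is a simplification of real event records.

```python
"""Flag PsExec-style lateral movement and single-source fan-out in event logs.

Added example for this article. Event IDs 4624 (logon) and 7045 (service
installed) and the service name PSEXESVC are real Windows artifacts; every
host, user and address below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events in a simplified key=value form (not raw EVTX).
SAMPLE_EVENTS = [
    "2020-11-06T01:12:03Z host=FS01 event=4624 logon_type=3 src_ip=10.0.0.25 user=svc_admin",
    "2020-11-06T01:12:05Z host=FS01 event=7045 service=PSEXESVC image=C:\\Windows\\PSEXESVC.exe",
    "2020-11-06T01:13:10Z host=DC01 event=4624 logon_type=3 src_ip=10.0.0.25 user=svc_admin",
    "2020-11-06T01:13:12Z host=DC01 event=7045 service=PSEXESVC image=C:\\Windows\\PSEXESVC.exe",
    "2020-11-06T09:30:00Z host=WS07 event=4624 logon_type=3 src_ip=10.0.0.40 user=alice",
    "2020-11-06T09:45:00Z host=WS07 event=7045 service=Spooler image=C:\\Windows\\System32\\spoolsv.exe",
]

PSEXEC_SERVICE = "PSEXESVC"  # default service name PsExec installs on the target


def parse_event(line):
    """Split 'timestamp key=value ...' into a dict with a UTC datetime under 'ts'."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def is_off_hours(ts, start_hour=0, end_hour=6):
    """True for events between midnight and 06:00, the window the article describes."""
    return start_hour <= ts.hour < end_hour


def detect_psexec_lateral_movement(lines, window_s=60, min_hosts=2):
    """Correlate PSEXESVC installs with the preceding network logon on that host.

    Returns the individual service installs (with the source address that
    logged on just before, if any) and the source addresses that reached at
    least `min_hosts` distinct machines, i.e. candidate pivot hosts.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    network_logons = []          # 4624 / type 3 logons seen so far
    hosts_by_source = defaultdict(set)
    installs = []
    for ev in events:
        if ev["event"] == "4624" and ev.get("logon_type") == "3":
            network_logons.append(ev)
        elif ev["event"] == "7045" and ev.get("service", "").upper() == PSEXEC_SERVICE:
            # Most recent network logon onto this host inside the time window.
            src = None
            for lg in reversed(network_logons):
                delta = (ev["ts"] - lg["ts"]).total_seconds()
                if lg["host"] == ev["host"] and 0 <= delta <= window_s:
                    src = lg
                    break
            installs.append({
                "host": ev["host"],
                "ts": ev["ts"].isoformat(),
                "src_ip": src["src_ip"] if src else None,
                "user": src["user"] if src else None,
                "off_hours": is_off_hours(ev["ts"]),
            })
            if src:
                hosts_by_source[src["src_ip"]].add(ev["host"])
    pivots = {ip: sorted(h) for ip, h in hosts_by_source.items() if len(h) >= min_hosts}
    return {"service_installs": installs, "pivot_candidates": pivots}


if __name__ == "__main__":
    result = detect_psexec_lateral_movement(SAMPLE_EVENTS)
    for inst in result["service_installs"]:
        print("PSEXESVC install:", inst)
    print("pivot candidates:", result["pivot_candidates"])
```

On the sample data the two after-midnight PSEXESVC installs on FS01 and DC01 both trace back to 10.0.0.25, which is reported as a pivot candidate, while the daytime Spooler install on WS07 is ignored. Real deployments would read the same fields from the Security and System logs (or a SIEM) and tune `window_s` and `min_hosts` to the environment; renamed PsExec services will not match the default name, so the 7045 image path is worth checking as well.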

According to the researchers, the ransomware was written from scratch and bears no similarity to other known ransomware. For encryption, the ransomware uses the AES, RSA and RC4 algorithms, and there is currently no known decrypter for files encrypted by Pay2Key.

A trace of the cryptocurrency wallet reveals that the attackers opened accounts on Excoino, an Iranian cryptocurrency exchange that opens accounts only for Iranian nationals.

So far the ransomware has impacted multiple companies in Israel and a few in Europe, but it could soon pose a serious threat all over the world. For more details about the ransomware, refer to the report published by Check Point.

To learn more about malware, you could also read our article What is Malware and Its Types?