A ransomware called Pay2Key is targeting Israeli and Brazilian organizations and encrypting their networks within one hour. According to cybersecurity researchers at Check Point, Pay2Key ransomware likely uses publicly exposed Remote Desktop Protocol or RDP to gain access to victims’ networks and deploy the malware. While Pay2Key operators have previously infiltrated victims and are active in the targeted networks before the ransomware begins encrypting systems, they also can make a rapid move of spreading the ransomware within an hour to the entire network.
Once it has infiltrated the network, hackers set up a pivot device that’s used as a proxy for all outgoing communications between the malware-infected computers and Pay2Key’s command-and-control servers. This allows them to evade or reduce the risk of detection before encrypting the network using a single device to communicate with their infrastructure.
Pay2Key Demands Ransoms Up to $140K
Pay2Key hackers use Microsoft’s PsExec portable tool to remotely drop a ransomware file named Cobalt.Client.exe on the targeted organizations’ network. Once the ransomware has succeeded in encrypting a device, the ransomware operators drop a ransom note on the affected PC, customized for each hacked entity. The Pay2Key gang is currently asking for relatively small ransoms, with Check Point reporting ransom demands of between 7 and 9 bitcoins per victim. Other reports have ransom demands as low as 4 bitcoins.
Pay2Key is not based on any detected code, and according to compilation artifacts, it looks like the malware is internally referred to as ‘Cobalt’ by developers who are not native English speakers. Pay2Key uses a hybrid of symmetric and asymmetric encryption, which employs AES and RSA algorithms with the C2 server delivering an RSA public key at runtime, which indicates that Pay2Key will fail to encrypt machines without an active Internet connection or if the malware’s C2 server is offline.
Pay2Key ransomware seems to be joining a new trend of targeted ransomware attacks that present a carefully designed operation to seek to maximize damage while minimizing exposure.