Recently, in the past few weeks, many companies and organizations have encountered many ransomware attacks. A very new ransomware named Pay2Key has encrypted the networks of several organizations from Israel and Brazil. This ransomware is encrypting networks within an hour, and all the targeted attacks are still under investigation.
The first attack was seen in late October, but it has now grown in numbers, but it continues to attack Israel. According to cybersecurity researchers, the number of hackers are increasing at an alarming rate and are following the same method to achieve a foothold, propagate, and remotely control the infection within the negotiated companies.
However, the Swascan Cyber Security Research Team is the first cybersecurity team that came to the scene to assist all the clients in reviewing and remediating this new threat’s contingencies.
- Earlier, this undiscovered ransomware has been named Pay2Key that conducts attacks that have been targeted against Israeli companies.
- All the initial infection are likely made via RDP connection.
- Lateral flow is performed using psexec.exe to administer the ransomware on the various machines within the organization.
- The network communications always get special attention to reduce the noise a large number of encrypted machines may create while contacting the Command and Control servers.
- The encryption scheme is compact by using the AES and RSA algorithms.
According to the Checkpoint report, they were unable to correlate the operations of the Pay2Key ransomware to any other existing ransomware strain. And the experts concluded that this ransomware had been appeared to be produced from scratch.
However, the Pay2Key threat actors are using Microsoft’s authorized PsExec portable tool to remotely perform the ransomware payloads called Cobalt.Client.exe on the targeted organizations’ network devices.
Moreover, the security experts also affirmed that the Keybase account are also using the same Pay2Key name to chat with their victims, and these accounts also have the same logo of the Pay2Key EOSIO smart contract system.
The Pay2Key ransomware is composed of C++ and assembled using MSVC++ 2015. This ransomware totally relies on the Object-Oriented Programming and utilizes all well-designed classes for its operation. Moreover, this ransomware also makes use of 3rd-party libraries just as the popular libraries of Boost.
Apart from this, the experts stated that the Pay2Key reads the Server as well as the Port keys from the configuration file. In case a configuration file was not detected in the current working directory, and if it is not provided in the command line disputes, then the ransomware will address “no config file found” to a file at .Cobalt-Client-log.txt.
- Cobalt.Client.exe – Pay2Key ransomware
- Config.ini – It’s a configuration file that specifies “Server” and “Port.”
- ConnectPC.exe – Pivot/Proxy server
- PublicKey: Accept the Server’s public key.
- Identification: Transfer to the Server the IP address, the MAC address, and the hostname.
- Config: Get a configuration from the Server. It is a very important aspect of ransomware as it includes all important information like the list of file extensions to encrypt, the name of the victim’s organization, the ransom note, the extension of the encrypted file, and many more.
- ExceptionMessage: N/A
- SessionKey: Get a unique session key from the Server.
- JobFinished: Announce that the encryption job is completed.
- Abort: Stop the execution.
- GetClientList: N/A
- ClientList: N/A
- GetClientInformation: Send, upon request, the status of various tasks like the encryption task.
- ClientInformation: Transfer the status of different tasks like the encryption task.
- Acknowledge: N/A
- GetIdentification: Transfer to the Server, upon request, the IP address, the MAC address, and the hostname.
- None: N/A
Evolution & Encryption
The experts checked multiple samples in a small period of time and noticed several changes in them. This implies that Pay2Key is under active development and all the developers update it with added features.
In the encryption, a hybrid of symmetric and asymmetric cryptography is used by applying the AES and RSA algorithms. And the C2 Server supplies an RSA public key at runtime during communication; that’s why it implies that this ransomware doesn’t encrypt file offline.
The experts are still investigating the whole matter, and they said that there are some indications regarding new threats. The security experts also noted that some new threat actors are joining the trend of targeted ransomware attacks and are presenting well-designed operations to maximize damage and minimize the appearance.