A new ransomware threat has emerged to disrupt the business sector. Identified as Pay2Key, the malware had already targeted numerous firms before it was discovered.
Pay2Key Ransomware Active In The Wild
The ransomware is already active in the wild and has hit numerous firms in recent attack waves.
The threat actors behind it seem to have stayed under the radar for a while. Eventually, however, the wave of attacks drew the attention of the cybersecurity community, which identified the new malware.
Pay2Key initially went undetected by most antimalware tools, even though it does not exhibit any stealth or security-evasion functionality. At the time of writing, VirusTotal shows that at least 34 engines now detect this ransomware.
Further analysis reveals that Pay2Key identifies itself internally as Cobalt (not to be confused with Cobalt Strike); the executable file is named ‘Cobalt.Client.exe’.
The ransomware enters the target network via RDP and then spreads rapidly across it using ‘psexec.exe’. The infection proceeds very quickly: the entire network can be encrypted within an hour.
Pay2Key uses the standard AES and RSA algorithms for encryption. However, encryption depends on an active internet connection to the C&C server, which supplies the RSA key.
Analysis also hints that the threat actors use Ngrok as a backdoor to maintain persistent access to the target network.
Alongside encryption, the malware probably steals the victim’s data as well, a practice that is becoming increasingly common among ransomware gangs. The attackers proudly mention this in the ransom note.
In some respects, though, the Pay2Key authors seem to prefer a classic yet somewhat different approach to encryption: the use of RC4, the use of CryptDeriveKey on a hashed value to derive an AES key instead of the traditional CryptGenKey, and the limitation that no offline encryption is possible.
Why the authors chose these deviations, and how they affect the ransomware’s capability, is presently unclear.
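The intrusion chain described above (RDP entry, spread via psexec.exe, the Cobalt.Client.exe payload contacting its C&C server for the RSA key, and Ngrok as a backdoor) maps directly onto host telemetry a defender already collects. The following Python sketch is an added example, not code from the article or from the researchers it cites: it runs a handful of detection rules over constructed log lines. The simplified "timestamp host event key=value" log format, the hostnames, user names, IP addresses and the internal address prefixes are all assumptions made for the example; real Windows telemetry (Security event 4624 logon type 10, System event 7045 service installs, Sysmon events 1 and 3) carries the same facts in other fields. Because the article notes that encryption cannot proceed offline, the payload's outbound C&C connection is flagged as its own rule: that is the point where egress filtering would stall the encryption.

```python
"""Toy detector for the Pay2Key intrusion chain: external RDP logon, PsExec
spread, the Cobalt.Client.exe payload reaching out to C&C, and ngrok.

Added example, not code from the article. The log format is a constructed,
simplified "timestamp host event key=value ..." line.
"""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry. Hostnames, users and IPs are placeholders;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = r"""
2020-11-06T08:01:10 DC01 rdp_logon src=203.0.113.25 user=svc_backup
2020-11-06T08:03:42 DC01 process_start image=C:\Tools\psexec.exe cmdline="psexec.exe \\WS01 -c Cobalt.Client.exe"
2020-11-06T08:03:43 WS01 service_install name=PSEXESVC path=C:\Windows\PSEXESVC.exe
2020-11-06T08:03:44 WS01 process_start image=C:\Windows\Temp\Cobalt.Client.exe cmdline="Cobalt.Client.exe"
2020-11-06T08:03:50 WS01 net_connect dst=198.51.100.7:443 image=C:\Windows\Temp\Cobalt.Client.exe
2020-11-06T08:04:01 DC01 process_start image=C:\Users\Public\ngrok.exe cmdline="ngrok.exe tcp 3389"
2020-11-06T08:05:00 WS02 process_start image=C:\Windows\notepad.exe cmdline="notepad.exe"
"""

# Assumption: these prefixes are the organisation's internal address space.
INTERNAL_PREFIXES = ("10.", "192.168.")

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) (?P<detail>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(log_text):
    """Yield one dict per well-formed line; blank or malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("detail"))}
        yield {
            "ts": datetime.fromisoformat(m.group("ts")),
            "host": m.group("host"),
            "event": m.group("event"),
            "fields": fields,
        }


def basename(path):
    """Last component of a Windows-style path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(log_text, window=timedelta(minutes=10)):
    """Return a list of (host, rule, timestamp) findings for the Pay2Key pattern."""
    findings = []
    external_rdp = {}  # host -> time of the last RDP logon from outside
    for rec in parse(log_text):
        host, ev, f, ts = rec["host"], rec["event"], rec["fields"], rec["ts"]
        image = basename(f.get("image", ""))

        if ev == "rdp_logon" and not f.get("src", "").startswith(INTERNAL_PREFIXES):
            external_rdp[host] = ts
            findings.append((host, "rdp_logon_from_external", ts))

        elif ev == "process_start" and image == "psexec.exe":
            # PsExec shortly after an external RDP logon on the same host is the
            # initial-access -> lateral-movement sequence the article describes.
            recent = host in external_rdp and ts - external_rdp[host] <= window
            rule = "psexec_after_external_rdp" if recent else "psexec_launch"
            findings.append((host, rule, ts))

        elif ev == "service_install" and f.get("name", "").upper() == "PSEXESVC":
            findings.append((host, "psexec_service_installed", ts))

        elif ev == "process_start" and image == "cobalt.client.exe":
            findings.append((host, "pay2key_payload_started", ts))

        elif ev == "net_connect" and image == "cobalt.client.exe":
            # Encryption needs the RSA key from the C&C server; blocking this
            # outbound connection stops the payload before it can encrypt.
            findings.append((host, "pay2key_cnc_connection", ts))

        elif ev == "process_start" and image == "ngrok.exe":
            findings.append((host, "ngrok_tunnel_started", ts))
    return findings


def rules_fired(log_text):
    """Set of rule names that fired; convenient for summaries and tests."""
    return {rule for _, rule, _ in detect(log_text)}


if __name__ == "__main__":
    for host, rule, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {host:5} {rule}")
```

Running the script prints six findings for the constructed sample, one per rule; the PsExec rule is deliberately split into a low-confidence "psexec_launch" (administrators use the tool legitimately) and a high-confidence "psexec_after_external_rdp" that only fires when the same host saw an RDP logon from outside the internal prefixes within the configured window.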
Pay2Key Demands Low Ransom
Another difference between Pay2Key and other ransomware is that its ransom demands are not very high compared to others.
Perhaps the attackers set low demands to encourage victims to pay, as victims tend to avoid paying large ransom amounts even when the attackers threaten to leak stolen data. (The K-Electric cyberattack is one such example.)
The Check Point Research team detected the malware following attacks aimed mainly at Israeli firms. However, security researchers from Swascan, an Italian cybersecurity firm, had initially detected it following active attacks targeting European companies.
Thus, it seems the threat actors used this window to quickly execute large campaigns before security tools could start detecting the ransomware.
Detailed analysis of the ransomware is available here and here.