New ransomware Pay2Key is able to encrypt corporate networks in just an hour

Criminals usually launch attacks after midnight, when companies have fewer IT workers.


A number of companies and large corporations in Israel have been targeted by cyber attacks using a new ransomware called Pay2Key. The first attacks were recorded by specialists from Check Point at the end of October this year, and now their number has increased.

According to experts, criminals usually carry out attacks after midnight, when companies have fewer IT workers. The Pay2Key malware allegedly infiltrates organizations' networks through a weakly secured RDP (Remote Desktop Protocol) connection. Attackers gain access to corporate networks “some time before the attack,” and the malware can encrypt the victim's network in an hour.

Having penetrated the local network, the hackers install a proxy server on one of the devices to ensure that all copies of the malware can connect to the C&C server. The payload (Cobalt.Client.exe) is launched remotely using the legitimate PsExec utility.
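
An added example (not code from the article or from Check Point) of how defenders can spot the PsExec-driven rollout described above in process-creation logs: it flags any binary that PsExec starts on several hosts within an hour, and the named payload on any host. The record layout, the payload directory, the 00:00-05:59 off-hours window and the function name psexec_fanout are assumptions; only the file name Cobalt.Client.exe and the one-hour figure come from the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import basename  # Windows path rules on any OS

PAYLOAD = "cobalt.client.exe"   # payload file name given in the article
WINDOW = timedelta(hours=1)     # the article's one-hour encryption time
OFF_HOURS = range(0, 6)         # assumption: "after midnight" = 00:00-05:59

def ev(time, host, parent, image):
    return {"time": time, "host": host, "parent": parent, "image": image}

# Constructed sample records (not real telemetry); field names are assumed.
EVENTS = [
    ev("2024-01-10 00:12:03", "FS01", r"C:\Windows\PSEXESVC.exe", r"C:\Windows\Temp\Cobalt.Client.exe"),
    ev("2024-01-10 00:15:00", "WS20", r"C:\Windows\explorer.exe", r"C:\Windows\notepad.exe"),
    ev("2024-01-10 00:19:40", "WS14", r"C:\Windows\PSEXESVC.exe", r"C:\Windows\Temp\Cobalt.Client.exe"),
    ev("2024-01-10 00:41:10", "DB02", r"C:\Windows\PSEXESVC.exe", r"C:\Windows\Temp\Cobalt.Client.exe"),
    ev("2024-01-10 14:05:00", "WS14", r"C:\Windows\PSEXESVC.exe", r"C:\Windows\System32\cmd.exe"),
]

def psexec_fanout(events, min_hosts=2):
    """Alert on binaries PsExec started on several hosts within WINDOW."""
    launches = defaultdict(list)
    for e in events:
        # PsExec runs the remote command as a child of its PSEXESVC.exe service.
        if basename(e["parent"]).lower() != "psexesvc.exe":
            continue
        ts = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
        launches[basename(e["image"]).lower()].append((ts, e["host"]))
    alerts = []
    for image, hits in launches.items():
        hits.sort()
        first = hits[0][0]
        # Hosts reached within WINDOW of the first launch of this binary.
        hosts = sorted({h for ts, h in hits if ts - first <= WINDOW})
        known = image == PAYLOAD
        if known or len(hosts) >= min_hosts:
            alerts.append({"image": image, "hosts": hosts,
                           "known_payload": known,
                           "off_hours": first.hour in OFF_HOURS})
    return alerts

if __name__ == "__main__":
    for alert in psexec_fanout(EVENTS):
        print(alert)
```

The single daytime PsExec launch of cmd.exe in the sample stays below the default threshold, which keeps routine administrative use from raising an alert.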

Numerous compilation artifacts indicate that the ransomware has another name: Cobalt. Although the identity of the attackers remains unknown, the broken English in various lines of the code suggests that the attackers are not native English speakers.

The new ransomware is written in C++ and has no analogues in the underground market. It encrypts files with an AES key and uses RSA keys to communicate with the C&C server. Pay2Key receives its configuration file in the same way, including a list of extensions to encrypt, a template for the ransom message, etc.

Once encryption is complete, ransom notes are left on the compromised systems. The Pay2Key group usually demands a ransom of 7 to 9 bitcoins (roughly $110 to $140k). The criminals' encryption scheme looks solid (it uses the AES and RSA algorithms), and unfortunately experts have not yet been able to develop a free decryptor for victims.
