
Pay2Key Ransomware

Posted: November 9, 2020

The Pay2Key Ransomware is a file-locking Trojan that blocks the data on companies' networks while generating unique ransom notes for them. Its attacks use RDP for initial infection and network access, which admins can partially prevent by keeping all relevant software updated and avoiding weak passwords. Businesses without appropriate backups may have no other recovery options, although Windows security solutions may remove the Pay2Key Ransomware in time.

An Hour is All It Takes for a Hundred Thousand Dollar Attack

The appearance of a file-locker Trojan whose code is unrelated to any past family always affects the threat landscape. It does so even more when the Trojan, like the Pay2Key Ransomware, has well-defined targets and operational procedures. While its method of blocking data is standard, this Trojan sets itself apart from similar threats with unorthodox programming and target demographics.

The fundamentals of the Pay2Key Ransomware's payload are driven by an associated configuration file, which defines the Trojan's encryption targets by file format, the extension it appends to them after blocking them, and its ransom note. Without that file, however, it retains most of its attack capabilities and merely reverts to default settings (such as the 'enc' extension). As usual, its encryption routine combines AES with RSA and cannot be undone by third-party decryption tools.

The Pay2Key Ransomware's programmer shows an interest in what malware experts rate as unusual programming choices. Examples of their creativity include keeping a server connection open during encryption, funneling all C&C contact through a proxy on the victim's network, and using less popular or customized containers and functions. After compromising the target by hijacking the Remote Desktop feature, the attacker spreads the Pay2Key Ransomware to the rest of the network in roughly one hour, usually during a period of low user activity (such as the middle of the night). The Pay2Key Ransomware delivers its ransom note after sabotaging the files, with average ransoms starting at ninety thousand dollars.
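The behaviour described above (an RDP foothold, then network-wide encryption within about an hour, usually at night) is the kind of pattern a defender can correlate in endpoint telemetry. The following is an added example, not code from the original article or from any analysis of the actual malware: it runs a simple heuristic over constructed, pipe-delimited log lines and flags an off-hours RDP logon that is followed within one hour by a burst of renames to the 'enc' extension on more than one host. The log format, the 22:00 to 06:00 off-hours window, and the rename and host thresholds are all assumptions chosen for illustration.

```python
"""Correlate an off-hours RDP logon with a follow-on burst of '.enc' renames.

Added example for illustration only. The log format, thresholds and sample
lines below are constructed, not taken from any real environment or from the
Pay2Key Ransomware itself.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, one event per line:
#   "timestamp|event|host|user|detail"
SAMPLE_LOG = """\
2020-11-08 14:02:10|RDP_LOGON|WS07|alice|src=10.0.5.21
2020-11-08 14:10:33|FILE_RENAME|WS07|alice|draft.docx -> draft_v2.docx
2020-11-09 02:13:07|RDP_LOGON|JUMP01|svc_backup|src=203.0.113.45
2020-11-09 02:41:15|FILE_RENAME|FS01|svc_backup|Q3_report.xlsx -> Q3_report.xlsx.enc
2020-11-09 02:41:16|FILE_RENAME|FS01|svc_backup|payroll.csv -> payroll.csv.enc
2020-11-09 02:41:18|FILE_RENAME|FS01|svc_backup|contracts.pdf -> contracts.pdf.enc
2020-11-09 02:55:02|FILE_RENAME|FS02|svc_backup|db_dump.sql -> db_dump.sql.enc
2020-11-09 02:55:03|FILE_RENAME|FS02|svc_backup|notes.txt -> notes.txt.enc
2020-11-09 03:02:44|FILE_RENAME|WS12|svc_backup|photo.jpg -> photo.jpg.enc
"""

OFF_HOURS_START, OFF_HOURS_END = 22, 6   # assumption: 22:00-06:00 is low activity
SPREAD_WINDOW = timedelta(hours=1)       # article: spread across the network in ~1 hour
MIN_RENAMES = 5                          # constructed threshold for a "burst"
MIN_HOSTS = 2                            # encryption that touches more than one host
DEFAULT_EXT = ".enc"                     # the default extension named in the article


def parse_log(text):
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, host, user, detail = line.split("|", 4)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event": event, "host": host, "user": user, "detail": detail,
        })
    return events


def is_off_hours(t):
    """True when the timestamp falls in the assumed low-activity window."""
    return t.hour >= OFF_HOURS_START or t.hour < OFF_HOURS_END


def enc_renames_after(events, user, start, ext=DEFAULT_EXT):
    """Count renames to `ext` by `user` within SPREAD_WINDOW after `start`, per host."""
    per_host = defaultdict(int)
    for ev in events:
        if ev["event"] != "FILE_RENAME" or ev["user"] != user:
            continue
        if not (start <= ev["time"] <= start + SPREAD_WINDOW):
            continue
        new_name = ev["detail"].split("->")[-1].strip()
        if new_name.lower().endswith(ext):
            per_host[ev["host"]] += 1
    return dict(per_host)


def find_alerts(events):
    """Flag off-hours RDP logons followed by a multi-host '.enc' rename burst."""
    alerts = []
    for ev in events:
        if ev["event"] != "RDP_LOGON" or not is_off_hours(ev["time"]):
            continue
        per_host = enc_renames_after(events, ev["user"], ev["time"])
        total = sum(per_host.values())
        if total >= MIN_RENAMES and len(per_host) >= MIN_HOSTS:
            alerts.append({
                "user": ev["user"], "logon_host": ev["host"],
                "logon_time": ev["time"], "src": ev["detail"],
                "renames": total, "hosts": sorted(per_host),
            })
    return alerts


if __name__ == "__main__":
    for a in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {a['user']} RDP logon on {a['logon_host']} at "
              f"{a['logon_time']} ({a['src']}); {a['renames']} '.enc' renames "
              f"on {', '.join(a['hosts'])}")
```

On the sample data the daytime logon by "alice" produces no alert, while the 02:13 logon by "svc_backup" is followed by six renames to '.enc' across three hosts inside the one-hour window and is flagged. In a real deployment the rename extension would be one of several indicators rather than the only one, since the article notes the extension is configurable.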

Knocking Middle Eastern Trojans Off Their Comfortable Footing

Some of the Pay2Key Ransomware's naming conventions may cause confusion among victims. It isn't related to the Pay 2 Key UTXO token contract, despite the threat actor's hijacking of its image for their Keybase account. Samples also imply that the Pay2Key Ransomware previously called itself Cobalt, but malware experts see no ties between it and either the Cobalt backdoor Trojan or Cobalt Strike.

Israel-based companies are at high risk from this threat, which has yet to appear outside that nation. Technically, however, its features apply just as well to Windows users around the world and to other insecure business networks. Admins should check RDP for security, apply security updates promptly, and avoid potentially unsafe e-mail downloads, such as macro-using documents.

Readers might also note that the Pay2Key Ransomware claims to have stolen company information for leaking to the public, a tactic seen in some file-locker Trojans' campaigns, but that claim has yet to be verified here. For protection, malware analysts emphasize the need for comprehensive backups and security services, which should remove the Pay2Key Ransomware on sight.

The Pay2Key Ransomware is an engagingly unique threat from a programming standpoint. That its methods of generating revenue aren't much different from those of the more vanilla Ransomware-as-a-Service operations out there demonstrates that extortionist file-locking campaigning is a near-perfected art, even if the picture it paints is far from pretty.
