In the cyber kill chain, each stage is critical, and security awareness and precautions should be in place at every stage to mitigate the risk. A considerable number of cybercriminals are now targeting Israeli companies with ransomware. Researchers confirmed that most of the attacks were linked to a new ransomware variant called Pay2Key. Investigations revealed that the attackers were able to establish a foothold, escalate privileges and move laterally across the victim’s entire network undetected.
How did the attack happen?
Based on the artifacts collected by security researchers, they concluded that the attackers had obtained access to the company’s network before the attack itself began. Right after midnight, they swiftly propagated the ransomware across the entire system within an hour.
The tactics, techniques, and procedures (TTPs) used by the newly detected Pay2Key malware appear to be a different strain from the other existing ransomware families. Analysis of the propagation period has shown that the initial infection was performed over an RDP (Remote Desktop Protocol) connection, through which the attackers manually accessed one of the machines on the compromised network. Outgoing communication between the infected device and the attacker’s command and control server is handled by a program named “ConnectPC.exe”. To move laterally through the organization’s network, the attackers used the Windows command-line tool psexec.exe to infect several computers and execute the ransomware file “Cobalt.Client.exe”, which uses a robust encryption scheme based on the Advanced Encryption Standard (AES) and RSA algorithms.
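The chain described above (an interactive RDP logon shortly after midnight, ConnectPC.exe talking outbound, and the payload launched through PsExec) is something a detection engineer can encode as a small rule set. The code below is an added example, not from the article or from any researcher’s tooling; it runs over constructed log lines in a simplified key=value layout modelled on Windows logon and Sysmon process/network events, and assumes that PsExec’s remote service shows up as PSEXESVC.exe in the parent-process field.

```python
from datetime import datetime

# Binary names reported for the campaign; PSEXESVC.exe is the service PsExec
# installs on the remote host (assumed here as the parent of remotely run processes).
KNOWN_BINARIES = {"connectpc.exe", "cobalt.client.exe"}
PSEXEC_SERVICE = "psexesvc.exe"

# Constructed sample events (not real telemetry); values contain no spaces.
SAMPLE_LOGS = r"""
ts=2020-11-03T00:07:12 event=4624 logon_type=10 user=CORP\admin src=203.0.113.7
ts=2020-11-03T00:09:40 event=1 image=C:\Users\admin\ConnectPC.exe parent=C:\Windows\explorer.exe
ts=2020-11-03T00:09:41 event=3 image=C:\Users\admin\ConnectPC.exe dst=198.51.100.9:443
ts=2020-11-03T00:15:03 event=1 image=C:\Windows\PSEXESVC.exe parent=C:\Windows\System32\services.exe
ts=2020-11-03T00:15:05 event=1 image=C:\Windows\Temp\Cobalt.Client.exe parent=C:\Windows\PSEXESVC.exe
ts=2020-11-03T09:30:00 event=1 image=C:\Apps\app.exe parent=C:\Windows\explorer.exe
"""

def parse_line(line):
    """Turn 'key=value key=value ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(log_text):
    """Return (timestamp, finding) tuples for events matching the described TTPs."""
    findings = []
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        ts = datetime.fromisoformat(ev["ts"])
        image = basename(ev.get("image", ""))
        parent = basename(ev.get("parent", ""))
        # Interactive RDP logon (type 10) outside 06:00-22:00 matches the after-midnight entry.
        if ev["event"] == "4624" and ev.get("logon_type") == "10" and not 6 <= ts.hour < 22:
            findings.append((ev["ts"], f"off-hours RDP logon by {ev.get('user')} from {ev.get('src')}"))
        # Outbound connection from the relay binary used to reach the C2 server.
        if ev["event"] == "3" and image == "connectpc.exe":
            findings.append((ev["ts"], f"ConnectPC.exe outbound connection to {ev.get('dst')}"))
        # Anything spawned by the PsExec service is remote execution; name the known payload explicitly.
        if ev["event"] == "1" and parent == PSEXEC_SERVICE:
            kind = "ransomware payload" if image in KNOWN_BINARIES else "remote execution"
            findings.append((ev["ts"], f"{kind} via PsExec: {image}"))
    return findings

if __name__ == "__main__":
    for ts, finding in detect(SAMPLE_LOGS):
        print(ts, finding)
```

Real deployments would key the PsExec rule on the service name actually observed in their telemetry and tune the off-hours window to the organization’s working pattern.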
After a successful attack and encryption of the compromised system, Pay2Key drops a customized ransom note addressed to the targeted company, demanding a payment of 7 to 9 bitcoins in exchange for the file decryptor needed to recover the encrypted files.
Forensic artifacts and insights from Israeli incident response teams have helped security researchers identify how and where the ransomware began. The attackers created a Keybase account in June 2020 under the name “Pay2key”. Several samples were also uploaded to VirusTotal at the end of October 2020, indicating an attack on an organization.
Currently, Pay2Key ransomware aims to target Israeli companies.
A comprehensive analysis of the attack is still under way; however, the English found in the code strings gives the impression that the attacker is not a native English speaker. As of now, the attackers are continuously developing and updating the ransomware with more features.