The Pay2Key Ransomware
Check Point Software Technologies has discovered a new ransomware variant, dubbed Pay2Key, that is being spread by hackers belonging to Iran. The malware has reportedly hit multiple companies across Israel and in some other parts of the world, including the United States.
Security analysts say that the gang spreading Pay2Key demands 6-9 bitcoins to decrypt the data, and that it demanded double that amount from a law firm that handles legal deals for many famous Hollywood celebrities.
More information is available in the Check Point Research blog post.
Pay2Key Technical Details
This crypto-ransomware encrypts users' data with AES and RSA, uses the RC4 algorithm for some of its functions, and then demands a ransom of 6-9 BTC to return the files.
Pay2Key detection names from some vendors
- BitDefender – Trojan.GenericKD.35120498, Trojan.GenericKD.35120626, Trojan.GenericKD.35120535
- Malwarebytes – Ransom.Cryptor
- Microsoft – Program:Win32/Wacapew.C!ml, Trojan:Win32/Ymacco.AA5B, Trojan:Win32/Wacatac.C!ml
- TrendMicro – Ransom.Win32.PAY2KEY.A
- DrWeb – Trojan.Encoder.33027, Trojan.Encoder.33028, Trojan.Encoder.33029
The .pay2key extension is appended to the names of encrypted files.
Note: New extensions, email addresses, and ransom note texts can be found at the end of the article, in the updates. The activity of this crypto-ransomware was observed in late October and early November 2020.
The ransom note is named according to the template: “ORGANIZATION”_MESSAGE.TXT
From the ransom note:

The Pay2Key message
PAY2KEY
HELLO *** USERS!
Congratulations!
Your entire network and all your information such as computers/ employees information/ users folders/ servers/ file-servers/
applications/ databases/etc… in your network has been successfully encrypted!
Some of your important information dumped and ready to leak, in case we can’t make a good deal!
Don’t modify encrypted files or you can damage them and decryption will be impossible!
Don’t try unofficial decryptors to recover your files or you can damage them and decryption will be impossible!
There is only ONE possible way to get back your files! Pay and contact to receive your special decryptor!
You should pay 7 BTC to receive an official decryptor and easily recover your files. ***special decryptor is now ready and
waiting for your payment, let’s do it!
You can send 4 random files from any computers and receive decrypted data, just as proof that works!
Your UserlD IS: ***
Your Network ID ***
| NOTICE |
Offer available until XX/XX/2020. If you do not pay on time, the price will be doubled!
Wallet: ***
E-mail:
pay2key@tuta.io
pay2key@pm.me
Keybase:
Pay2Key
The art in this note is the customization for each organization.
Technical details
The attackers behind Pay2Key infiltrate target networks quickly and spread the ransomware throughout the network within an hour. In addition, they set up a device that acts as a proxy for all outgoing messages from the computers infected with Pay2Key.
This helps them reduce the risk of detection before encrypting all available systems on the network.
Pay2Key can be spread through an unprotected RDP configuration.
There is no data on other distribution methods yet. Still, after reconfiguration, it may well begin to spread through email spam and malicious attachments, deceptive downloads, botnets, exploits, malicious advertising, web injects, fake updates, and repackaged or infected installers.
Note: Pay2Key is under active development, and the developers are updating it with additional features.

This screenshot shows a feature responsible for deleting the ransomware and its files and restarting the systems. The restart is performed with the command Shutdown /r /f /t 0 (a forced restart with zero delay).
More details about Pay2Key Encryption
Pay2Key uses a hybrid of symmetric and asymmetric cryptography, based on the AES and RSA algorithms. The C2 server generates and transmits the RSA public key at runtime. This means that Pay2Key does not encrypt offline: if there is no Internet connection or the C2 server is not available, no encryption takes place.
Researchers have noticed that some cryptographic functions, but not file encryption, use the RC4 algorithm. For these, the Pay2Key authors used a third-party implementation via the Windows API.
The Network ID from the note (in GUID format) is stored as ASCII at the beginning of the file, followed by some metadata as “Pay2Key RansomwareWORD length”, including the original name of the file.

File types that are encrypted: MS Office and OpenOffice documents, PDFs, text files, databases, photos, music, videos, image files, archives, etc.
Files related to this ransomware:
- “ORGANIZATION”_MESSAGE.TXT – file name of the ransom note
- Cobalt.Client.exe
- Config.ini – configuration file that lists “Server” and “Port”
- Cobalt-Client-log.txt – log file used by the ransomware while running
- ConnectPC.exe – network connectivity file used to relay messages from victims within the organization to an external control server
- Cobalt.Client.pdb – original project file
- <random>.exe – random name of the malicious file
Pay2Key file locations:
- “Desktop”
- “User_folders”
- %TEMP%
- C:\Windows\Temp\[organization-name]tmp\Cobalt.Client.exe
- F:2-Sources-21-FinalCobal.pdb
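The file markers described above (the .pay2key extension, the ASCII Network ID at the start of an encrypted file, the note-name template and the tool file names) can be combined into a read-only triage sweep of a file share or disk image. This is an added example, not code from the original article or from Check Point; the GUID regex, the decision to skip the generic Config.ini name, and the sample tree built by build_sample() are assumptions constructed here.

```python
import re
import tempfile
from pathlib import Path

# Indicators come from the article; the matching rules are assumptions of this example.
# Config.ini is left out on purpose: the name is too generic to flag on its own.
TOOL_NAMES = {"cobalt.client.exe", "connectpc.exe", "cobalt-client-log.txt", "cobalt.client.pdb"}
NOTE_RE = re.compile(r".+_MESSAGE\.TXT$", re.IGNORECASE)
# ASCII GUID at offset 0, optionally wrapped in braces (exact layout is an assumption).
GUID_RE = re.compile(rb"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?")

def network_id(path):
    """Return the ASCII GUID at the start of a file (lower-cased), or None."""
    with open(path, "rb") as fh:
        m = GUID_RE.match(fh.read(64))
    return m.group(1).decode("ascii").lower() if m else None

def triage(root):
    """Walk root read-only and return (kind, path, network_id) findings."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        name = p.name.lower()
        if name.endswith(".pay2key"):
            nid = network_id(p)
            # Extension without a GUID header: renamed or damaged file, reported separately.
            findings.append(("encrypted" if nid else "extension-only", p, nid))
        elif NOTE_RE.match(p.name):
            findings.append(("ransom-note", p, None))
        elif name in TOOL_NAMES:
            findings.append(("tool", p, None))
    return findings

def build_sample(root):
    """Create a constructed sample tree (not real malware output) for the demo."""
    root = Path(root)
    (root / "share").mkdir()
    guid = b"0f8fad5b-d9cb-469f-a165-70867728950e"  # constructed Network ID
    (root / "share" / "report.docx.pay2key").write_bytes(guid + b"\x00meta" + b"\xaa" * 32)
    (root / "share" / "notes.txt.pay2key").write_bytes(b"plain text, no header")
    (root / "ACME_MESSAGE.TXT").write_text("constructed note")
    (root / "ConnectPC.exe").write_bytes(b"MZ")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for kind, path, nid in triage(d):
            print(f"{kind:15} {path.name:28} {nid or ''}")
```

Grouping the "encrypted" findings by Network ID shows whether all affected files carry the same ID as the one printed in the ransom note.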
Sandboxes Sample