Pay2Key

Malware Profile (updated 3 months ago)
Pay2Key is ransomware: malware that infiltrates computer systems, often without the user's knowledge, encrypts data and holds it hostage for ransom. Infections often cause significant disruption to operations and can also lead to the theft of sensitive information.

Pay2Key is written in C++ and compiled with MSVC++ 2015. On execution it reads the Server and Port keys from its configuration file, generates an RSA key pair, and sends the public key to the server over raw TCP. At the end of the encryption process it also terminates the MS SQL service to release files that the service holds locked.

In early 2021, Iranian threat groups reportedly used Pay2Key alongside N3tw0rm ransomware to disrupt services at Israeli companies. These attacks were part of a trend of politically and ideologically motivated cyberattacks against Israeli entities, initiated by the Pay2Key and BlackShadow gangs around a year earlier. The Iranian COBALT FOXGLOVE threat group was identified as one of the perpetrators, using Pay2Key and N3tw0rm ransomware as destructive wipers. In December 2020, a similar "Pay2Key" campaign was launched against the Israeli shipping and logistics sector, indicating the growing threat posed by this malware.

By September 2021, another hacker group, MosesStaff, had begun targeting Israeli organizations, following the Pay2Key and BlackShadow groups. This wave of attacks indicated that a new threat actor was joining the trend of targeted ransomware attacks, presenting well-designed operations to maximize damage and minimize exposure. Investigations into these attacks remain ongoing, but they underscore the escalating threat posed by Pay2Key and similar ransomware.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Encryption
Wiper
Ransom
Associated Malware
ID | Type | Votes | Profile Description
NotPetya | Unspecified | 1 | NotPetya is a notorious malware that was unleashed in 2017, primarily targeting Ukraine but eventually impacting systems worldwide. This malicious software, which initially appeared to be ransomware, was later revealed to be data destructive malware, causing widespread disruption rather than seeking
WannaCry | Unspecified | 1 | WannaCry is a type of malware, specifically ransomware, that caused significant global disruption in 2017. It exploited Windows SMBv1 Remote Code Execution Vulnerabilities (CVE-2017-0144, CVE-2017-0145, CVE-2017-0143), which allowed it to spread rapidly and infect over 200,000 machines across more t
REvil | Unspecified | 1 | REvil is a notorious form of malware, specifically ransomware, that infiltrates systems to disrupt operations and steal data. The ransomware operates on a Ransomware as a Service (RaaS) model, which gained traction in 2020. In this model, REvil, like other first-stage malware such as Dridex and Goot
Ryuk | Unspecified | 1 | Ryuk is a sophisticated malware, specifically a ransomware variant, that has been extensively used by cybercriminal group ITG23. The group has been employing crypting techniques for several years to obfuscate their malware, with Ryuk often seen in tandem with other malicious software such as Trickbo
Wcry | Unspecified | 1 | WCry, also known as WannaCry or WanaCryptor, is a self-propagating ransomware that was one of the most disruptive cyber attacks in history. This malware was a product of a North Korean cyber operation aimed at financial gain. The ransomware spreads through internal networks and over the public inter
Associated Threat Actors
ID | Type | Votes | Profile Description
IRON VIKING | Unspecified | 1 | Iron Viking, a threat actor group also known as Sandworm, Telebots, Voodoo Bear, and other names, has been active since 2000. This group operates under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). Iron Viking is notorious for its destructive cyber-espi
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Pay2Key malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
DARKReading | 4 months ago | Israeli Universities Hit by Supply Chain Cyberattack Campaign
MITRE | a year ago | Uncovering MosesStaff techniques: Ideology over Money - Check Point Research
MITRE | a year ago | Pay2Key Ransomware Alert - Check Point Research
Secureworks | a year ago | BRONZE STARLIGHT Ransomware Operations Use HUI Loader
Secureworks | a year ago | Ransomware Evolution