Pay2Key

Pay2Key is a type of malware, specifically ransomware, that was used by likely Iranian threat groups to disrupt services at Israeli companies in early 2021. This malware can infiltrate systems through suspicious downloads, emails, or websites and has the potential to steal personal information, disrupt operations, or hold data hostage for ransom. However, the FBI has assessed that the primary objective of Pay2Key was not to obtain ransom payments but rather as an information operation aimed at undermining the security of Israel-based cyber infrastructure. The software is cataloged under MITRE ATT&CK® as S0556. The use of Pay2Key began around December 2020, with a notable attack on the Israeli shipping and logistics sector. It was part of a wave of politically and ideologically motivated attacks against Israeli organizations, which also involved other threat groups such as BlackShadow and MosesStaff. Similar to other malicious campaigns like North Korea's WCry (also known as WannaCry) for financial gain, Russia's IRON VIKING using NotPetya for its destructive capabilities, Pay2Key, along with N3tw0rm, was used by the Iranian COBALT FOXGLOVE threat group as a destructive wiper against entities in Israel. In terms of technical details, Pay2Key operates by generating a pair of RSA keys and sending the public key to the server over raw TCP. At the end of the encryption process, it also terminates the MS SQL service using the command "net stop mssqlserver > nul" in order to release files locked by the service. These recent Pay2Key ransomware attacks indicate a new trend of targeted ransomware attacks, designed to maximize damage and minimize exposure. As of now, investigations into these attacks are ongoing.