According to the report obtained by Fox News, the new, never-seen-before strain dubbed “Pay2Key” targeted more than a dozen Israeli companies a few weeks ago. The hackers gained entry through the Remote Desktop Protocol (RDP) connections of employees who worked from home.
According to the investigation carried out at Check Point, four Israeli victims of the attacks have decided to pay the ransom, which enabled its experts to track the payment transfers between crypto wallets. The researchers followed the Bitcoin route and found out that they all ended up in an Iranian exchange named Excoino. The Excoino website requires an Iranian ID and other details only Iranian citizens could have.
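The tracing described above, following each victim's payment from wallet to wallet until it lands at an address that can be attributed to an exchange, is essentially a graph search over transaction outputs. The following is an added illustration, not Check Point's tooling or data: the ledger, the address labels and the exchange attribution are all constructed placeholders, and a real investigation would pull the transaction graph from a blockchain node or indexer and would have to deal with coinjoins, change outputs and address clustering heuristics that this toy ledger omits.

```python
from collections import defaultdict, deque

# Constructed sample ledger (not real transactions or addresses). Each row is
# (txid, spending_address, receiving_address, amount_btc). Readable labels
# stand in for the opaque address strings an analyst would actually see.
SAMPLE_LEDGER = [
    ("tx01", "victim_a_payment", "hop_1", 7.0),
    ("tx02", "victim_b_payment", "hop_1", 9.0),
    ("tx03", "victim_c_payment", "hop_2", 8.0),
    ("tx04", "victim_d_payment", "collector", 4.0),
    ("tx05", "hop_1", "collector", 15.5),
    ("tx06", "hop_2", "collector", 7.9),
    ("tx07", "collector", "exchange_deposit_x", 27.0),
    ("tx08", "unrelated_user", "other_deposit", 1.0),
]

# Deposit addresses attributed to a named exchange. In the constructed data
# the attribution is simply asserted; in practice it comes from prior
# investigations, test deposits or public labelling services.
EXCHANGE_DEPOSITS = {"exchange_deposit_x": "exchange-X"}

VICTIM_PAYMENTS = ["victim_a_payment", "victim_b_payment",
                   "victim_c_payment", "victim_d_payment"]


def build_graph(ledger):
    """Adjacency list: spending address -> [(receiving address, txid, amount)]."""
    graph = defaultdict(list)
    for txid, src, dst, amount in ledger:
        graph[src].append((dst, txid, amount))
    return graph


def trace_to_exchange(graph, start, exchange_deposits, max_hops=10):
    """Breadth-first walk forward from a payment address.

    Returns (exchange_name, path_of_addresses) for the first attributed
    deposit address reached within max_hops, or None if the funds never
    reach a known exchange in the available ledger.
    """
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        addr, path = queue.popleft()
        if addr in exchange_deposits:
            return exchange_deposits[addr], path
        if len(path) - 1 >= max_hops:
            continue  # hop budget exhausted on this branch
        for nxt, _txid, _amount in graph.get(addr, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None


def destinations_for(ledger, payment_addrs, exchange_deposits):
    """Map each victim payment address to the exchange its funds reached."""
    graph = build_graph(ledger)
    result = {}
    for addr in payment_addrs:
        hit = trace_to_exchange(graph, addr, exchange_deposits)
        result[addr] = hit[0] if hit else None
    return result


if __name__ == "__main__":
    graph = build_graph(SAMPLE_LEDGER)
    for addr in VICTIM_PAYMENTS:
        print(addr, "->", trace_to_exchange(graph, addr, EXCHANGE_DEPOSITS))
    print(destinations_for(SAMPLE_LEDGER, VICTIM_PAYMENTS, EXCHANGE_DEPOSITS))
```

The point the search makes visible is the one the investigators relied on: individual payments can take different intermediate routes, but when every route terminates at deposit addresses of the same exchange, that shared sink is what ties the victims to a single cash-out point.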
According to Check Point’s manager of threat intelligence, Lotem Finkelstein, there’s a global surge in ransomware.
“Pay2Key is sophisticated and far more rapid compared to other ransomware strains,” he said. “The recent Pay2Key ransomware attacks indicate a new threat actor has joined the trend of targeted ransomware attacks.”
Finkelstein added that the actors implemented a rapid propagation mechanism, leaving significant parts of the victims’ network encrypted, along with a ransom note, threatening to leak stolen corporate data unless the ransom is paid. “So far, the Pay2Key threat actors have lived up to their threats. We strongly urge organizations to be cautious, as we expect their targeting to expand into other regions in the world,” he said.
The hackers also used a double extortion method: they demanded payment not only to decrypt the data locked by the ransomware, but also an additional sum, threatening to leak the data they had stolen if it was not paid.
Earlier this week, Iranian cleric Rahim Mahdavipour said in a sermon that the Islamic Republic carried out at least two cyberattacks against Israel this year, the latest one successfully targeting Israel’s power plants. The sermon was delivered on Nov. 6 in Bojnurd, Iran, and was aired on Iranian Khorasan Shomali TV. It was translated into English by the Middle East Media Research Institute (MEMRI) and released Wednesday.
On Oct. 30, the Israel Electric Corporation confirmed that there was a power outage in many areas across the country but stressed it was not caused by a cyberattack. The Israeli cyber authority refused to comment.
These recent reports follow several other suspected tit-for-tat cyberattacks between the two countries over the past year.
[Diagram showing the flow of Bitcoin transactions between the victims and the target exchange. (Check Point Ltd.)]
On Oct. 16 the Iranian government admitted that two government institutions were attacked, among them the electronic infrastructure of the country’s ports.
On May 9, the Bandar Abbas port terminal in the south of Iran was crippled and shipping traffic was suspended for days. According to a Washington Post report, Israel was behind the attack.
Iran targeted Israeli water infrastructure back in June 2020, and according to a Fox News report, the Iranians used American servers to launch their attacks.