Hackers Attack Israeli Firms With New Ransomware Pay2Key

Check Point researchers reported a wave of attacks, largely targeting Israeli firms, by a previously unseen ransomware named Pay2Key.

The attackers encrypted a significant portion of data in corporate networks and demanded a ransom in Bitcoin.

To force the victim to pay, they threatened to leak stolen ‘important information’ online after the deadline.

“Some of your important information has been downloaded and is ready to leak if we do not reach a good deal,” the attackers warned.

[Image: ransom note. Source: Check Point.]

The hackers carried out their threat against three Israeli companies that apparently had not paid the ransom: they set up an onion site on the Tor network and posted evidence that they possessed the stolen data.

[Image: the attackers' leak site. Source: Check Point.]

Researchers noted that the attackers varied their tactics to secure a payout. In the case of a law firm, for instance, they immediately published part of the confidential information.

In the case of a game-developer company, the attackers initially published only a diagram of the server's file structure, giving the victim a second chance to pay. A day later, however, they added material from the "Finance" folder to increase the pressure to pay.

In both cases, the hackers claimed to have stolen hundreds of gigabytes of data.

At least four victims chose to pay, which allowed the researchers to trace the movement of the cryptocurrency on-chain, starting from the Bitcoin addresses specified in the ransom demands.

Together with analysts from the blockchain analytics company Whitestream, they found that the funds ultimately landed in a wallet on the Iranian exchange Excoino.
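How this kind of follow-the-money analysis works in principle, as an added illustration (this is not Check Point's or Whitestream's tooling, and the transaction graph, address names and the "Exchange X" label below are constructed for the example): starting from the ransom addresses, walk the spend graph forward until an address with a known attribution is reached, and apply the common-input-ownership heuristic, which treats addresses spent together as inputs of one transaction as controlled by the same party. That second heuristic is what lets payments from several victims be tied to one wallet.

```python
from collections import deque

# Constructed, illustrative transaction graph (not real Pay2Key data).
# Each tx: txid, input addresses, and outputs mapping address -> amount in BTC.
TXS = [
    {"txid": "t1", "inputs": ["victimA"], "outputs": {"ransom1": 7.0}},
    {"txid": "t2", "inputs": ["victimB"], "outputs": {"ransom2": 9.0}},
    {"txid": "t3", "inputs": ["ransom1", "ransom2"],
     "outputs": {"hop1": 15.9, "change1": 0.05}},
    {"txid": "t4", "inputs": ["hop1"], "outputs": {"exch_dep_1": 15.85}},
    {"txid": "t5", "inputs": ["change1"], "outputs": {"misc": 0.04}},
]

# Assumed attribution data an analyst might already hold (constructed label).
LABELS = {"exch_dep_1": "Exchange X deposit address"}


def build_spend_index(txs):
    """Map each address to the transactions that spend from it."""
    idx = {}
    for tx in txs:
        for addr in tx["inputs"]:
            idx.setdefault(addr, []).append(tx)
    return idx


def trace_forward(txs, seed_addrs, labels):
    """Breadth-first walk downstream from the seed (ransom) addresses.

    Returns (hits, dead_ends): hits maps each labeled address reached to the
    txid path leading there from a seed; dead_ends holds unlabeled addresses
    whose outputs are never spent in the data set (funds still parked)."""
    spend_idx = build_spend_index(txs)
    queue = deque((addr, []) for addr in seed_addrs)
    seen = set(seed_addrs)
    hits, dead_ends = {}, set()
    while queue:
        addr, path = queue.popleft()
        if addr in labels:
            hits[addr] = path      # stop at a known entity: funds attributed
            continue
        if addr not in spend_idx:
            dead_ends.add(addr)    # unspent output, trace ends here
            continue
        for tx in spend_idx[addr]:
            for out_addr in tx["outputs"]:
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, path + [tx["txid"]]))
    return hits, dead_ends


def common_input_clusters(txs):
    """Union-find over the common-input-ownership heuristic: addresses that
    appear together as inputs of one transaction are assumed to share a
    controller. Returns a list of address sets (singletons included)."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a

    for tx in txs:
        roots = [find(a) for a in tx["inputs"]]
        for r in roots[1:]:
            if find(r) != find(roots[0]):
                parent[find(r)] = find(roots[0])

    clusters = {}
    for a in list(parent):
        clusters.setdefault(find(a), set()).add(a)
    return list(clusters.values())


if __name__ == "__main__":
    hits, dead = trace_forward(TXS, ["ransom1", "ransom2"], LABELS)
    for addr, path in hits.items():
        print(f"{addr} ({LABELS[addr]}) reached via {' -> '.join(path)}")
    print("unspent/unattributed endpoints:", sorted(dead))
    print("co-spend clusters:", common_input_clusters(TXS))
```

On real chain data the same walk runs over an indexed copy of the blockchain, and the labels come from the analytics vendor's attribution of exchange deposit addresses. The common-input heuristic is only a heuristic: CoinJoin-style transactions deliberately mix inputs from unrelated parties and will produce false merges, so an analyst filters those before clustering.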

[Image: flow of the ransom payments. Source: Check Point.]

To trade on the platform, users must provide a valid Iranian phone number, a national identification code, and a copy of their identity document. The exchange's terms of service state that a user's first transaction, as well as any suspicious transactions, must be reported to Iran's Cyber Police (FATA).

Researchers believe this strongly indicates that the attack on Israeli companies was carried out by Iranian nationals.

OFAC, the U.S. Treasury's Office of Foreign Assets Control, has warned that ransom payments made to sanctioned persons or jurisdictions can expose the payer to sanctions penalties, and urges victims not to pay.
