A group of researchers has located a new type of ransomware attack called Pay2Key executed against several Israeli and European companies. The perpetrators have requested the ransom to be paid with bitcoins, which the researchers have followed the funds to an Iranian cryptocurrency exchange.
The updated research from the cybersecurity company CheckPoint reveals several that firms based in Israel have complained about being attacked in the past few weeks. They all reported that this ransomware had spread rapidly across their networks while leaving most parts encrypted along with a ransom note threatening to leak stolen corporate data unless the victim pays a demand.
Although the so-called Pay2Key attack was initially targeting Israeli companies only, new reports emerged claiming that at least a few European countries have fallen victims as well.
The research highlighted that some of the companies decided not to pay the ransom. The perpetrators stood true to their word and published their information online.
To do so, they created a new Onion website and inserted designated folders for each of the victims. So far, there have been three folders with firms’ details – all Israeli companies.
As mentioned above, the unknown attackers requested the demand to be paid in bitcoins. Each ransom note sent to the victims contained a Bitcoin address to which the victims need to send the funds. According to CheckPoint, at least four victims decided to pay.
As the transparent nature of the BTC blockchain stores all transactions, the researchers were able to follow the payments. They saw all transactions ending up on one address. From that point forward, the funds were redirected to a high activity wallet, which is typically associated with cryptocurrency exchanges.
Additionally, the researchers compared and verified that this final wallet belonged to an Iranian digital asset platform dubbed Excoino.
In case Excoino users want to withdraw funds, they need to provide a valid Iranian phone number, an ID/Melli code, and a copy of the ID. The exchange’s terms and conditions also read that the first transaction (or any suspicious transactions) will be reported to the Iranian Cyber Police (FATA) for further investigation.
Consequently, the researchers concluded that the owners of the final wallet could be Iranian citizens, “who most probably are behind the Pay2Key attack on Israeli companies last week.”