Pay2Key
Gil Mansharov, Ben Herzog
Check Point
Abstract:
Since the 1979 Iranian revolution, Iran-Israel relations have worsened dramatically, impacting every diplomatic aspect, with threats of war casting a shadow over the region ever since the last open hostilities in 1991. Cyberspace, being no exception, has become a new arena of clashes, especially since the 2010 discovery of Stuxnet, a supposedly Israeli-American worm launched against several Iranian targets, including the nuclear plant in Natanz.
By late 2020, a new massive ransomware campaign called Pay2Key was launched against multiple Israeli companies, with a double-extortion modus operandi that resulted in the encryption of the victims' networks and the leaking of their data.
Our Threat Intelligence team tracked the threat group behind these attacks and found evidence of their Iranian origins, suggesting that the whole operation is part of Iranian hacktivism activity, with the regime turning a blind eye to their actions.
Our presentation will depict the details of the Pay2Key Iranian operation by reviewing both the ransomware's technical analysis and the developments leading to the Iranian attribution, including blockchain analysis of the attacker's cryptocurrency wallets.