- European and Israeli companies were targetted in a new type of ransomware attack called Pay2Key.
- At least four companies have already paid the requested ransom in bitcoin.
A group of researchers has located a new type of ransomware
attack called Pay2Key executed against several Israeli and European companies.
The perpetrators have requested the ransom to be paid with bitcoins, which the
researchers have followed the funds to an Iranian cryptocurrency exchange.
A New Ransomware
Attack On Israeli And European Firms
The updated research from the cybersecurity company
CheckPoint reveals that several firms based in Israel have complained about
being attacked in the past few weeks. They all reported that this ransomware
had spread rapidly across their networks while leaving most parts encrypted
along with a ransom note threatening to leak stolen corporate data unless the
victim pays a demand.
Although the so-called Pay2Key attack was initially
targeting Israeli companies only, new reports emerged claiming that at least a
few European countries have fallen victims as well.
The research highlighted that some of the companies decided
not to pay the ransom. The perpetrators stood true to their word and published
their information online.
To do so, they created a new Onion website and inserted
designated folders for each of the victims. So far, there have been three
folders with firms’ details – all Israeli companies.
The Bitcoin Trace
Imply Iranian Involvement
As mentioned above, the unknown attackers requested the
demand to be paid in bitcoins. Each ransom note sent to the victims contained a
Bitcoin address to which the victims need to send the funds. According to
CheckPoint, at least four victims decided to pay.
As the transparent nature of the BTC blockchain stores all
transactions, the researchers were able to follow the payments. They saw all
transactions ending up on one address. From that point forward, the funds were
redirected to a high activity wallet, which is typically associated with
cryptocurrency exchanges.
Additionally, the researchers compared and verified that
this final wallet belonged to an Iranian digital asset platform dubbed Excoino.
In case Excoino users want to withdraw funds, they need to
provide a valid Iranian phone number, an ID/Melli code, and a copy of the ID.
The exchange’s terms and conditions also read that the first transaction (or
any suspicious transactions) will be reported to the Iranian Cyber Police
(FATA) for further investigation.
Consequently, the researchers concluded that the owners of
the final wallet could be Iranian citizens, “who most probably are behind the
Pay2Key attack on Israeli companies last week.”
No comments:
Post a Comment