Pay2Key
Pay2Key is a ransomware written in C++ that has been used by Fox Kitten since at least July 2020 including campaigns against Israeli companies. Pay2Key has been incorporated with a leak site to display stolen sensitive information to further pressure victims into payment.[1][2]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1486 | Data Encrypted for Impact |
Pay2Key can encrypt data on victim's machines using RSA and AES algorithms in order to extort a ransom payment for decryption.[1][2] |
|
| Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography | |
| Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion | |
| Enterprise | T1095 | Non-Application Layer Protocol |
Pay2Key has sent its public key to the C2 server over TCP.[2] |
|
| Enterprise | T1090 | .001 | Proxy: Internal Proxy |
Pay2Key has designated machines in the compromised network to serve as reverse proxy pivot points to channel communications with C2.[1][2] |
| Enterprise | T1489 | Service Stop |
Pay2Key can stop the MS SQL service at the end of the encryption process to release files locked by the service.[2] |
|
| Enterprise | T1082 | System Information Discovery |
Pay2Key has the ability to gather the hostname of the victim machine.[2] |
|
| Enterprise | T1016 | System Network Configuration Discovery |
Pay2Key can identify the IP and MAC addresses of the compromised host.[2] |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0117 | Fox Kitten |