Hunting Pay2Key

Guide on how to successfully hunt down a Pay2Key infected Windows machine.

Like lesson 1, search for encrypted files in any of the Users directories by using common encrypted extensions for Pay2Key. ".Pay2Key" or ".enc" are the most common extensions to look for when it comes to Pay2Key ransomware.

SELECT * FROM file WHERE path LIKE "C:\Users\%%" AND filename LIKE "%.enc"

Check champuser's profile directory for ransom notes: "MESSAGE.TXT" is part of the filename of any ransom note dropped on a Pay2Key infected Windows machine.

SELECT * FROM file WHERE path LIKE "C:\Users\champuser\%%" AND filename LIKE "%MESSAGE.TXT"

Next, look in the Windows Temp directory, the IME directory, and the user profile directories for any file whose name contains the word "cobalt". Pay2Key launches from an executable that contains the word "cobalt" in its name and can leave logs with that word in their names as well. The query below covers champuser's profile; run it again with the other two paths to cover them.

SELECT * FROM file WHERE path LIKE "C:\Users\champuser\%%" AND filename LIKE "cobalt%%"

Take the modification time of these files and pull the event logs from that window to look for suspicious activity (in this case April 19, 2022, around 12:46 AM GMT).

SELECT * FROM windows_eventlog WHERE channel="Security" AND datetime LIKE "2022-04-19T00:46%%";
SELECT * FROM windows_eventlog WHERE channel="Application" AND datetime LIKE "2022-04-19T00:46%%";
SELECT * FROM windows_eventlog WHERE channel="System" AND datetime LIKE "2022-04-19T00:46%%";

These logs show that "champuser" was logged on and that Windows Defender was turned off during that time period. Windows Firewall may have been turned off as well; check its status with the following query.

SELECT * FROM windows_security_products WHERE name="Windows Firewall"

Lastly, search the Prefetch files, since some executables that were run on the compromised system may have been deleted after execution. Use the following query to search for Pay2Key related entries in the Windows Prefetch directory.

SELECT * FROM file WHERE path LIKE "C:\Windows\Prefetch\cobalt%%" OR path LIKE "C:\Windows\Prefetch\psexe%%"
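The whole hunt above, from the file indicators through the pivot on modification time into the event logs, can be replayed offline against exported osquery results. The script below is an added example, not part of the original guide or the osquery project: it applies the guide's indicators (".enc"/".Pay2Key" extensions, MESSAGE.TXT ransom notes, "cobalt*" binaries and logs, cobalt*/psexe* Prefetch entries) to rows shaped like the `file` and `windows_eventlog` tables, then builds the "YYYY-MM-DDTHH:MM" prefix that the guide's `datetime LIKE` queries use from the mtime of the matched binaries. It assumes the same indicators hold for every user profile (not only champuser) and for the Windows Temp and IME directories the guide names; all rows in it are constructed sample data.

```python
"""Offline replay of the Pay2Key hunt (added example, not the guide's own code).
Rows are constructed to look like osquery's `file` and `windows_eventlog` output."""
from datetime import datetime, timezone
from typing import Dict, List

# Indicators from the guide; matching is case-insensitive because NTFS paths are.
ENCRYPTED_EXTENSIONS = (".enc", ".pay2key")
RANSOM_NOTE_SUFFIX = "message.txt"
BINARY_PREFIX = "cobalt"
PREFETCH_PREFIXES = ("cobalt", "psexe")
USERS_DIR = "c:\\users\\"
PREFETCH_DIR = "c:\\windows\\prefetch\\"
# Assumption: the guide's Temp/IME/users search applies to all profiles, not just champuser.
BINARY_DIRS = (USERS_DIR, "c:\\windows\\temp\\", "c:\\windows\\ime\\")

Row = Dict[str, object]

# Constructed `file`-table rows (mtime is epoch seconds; 1650329170 = 2022-04-19T00:46:10Z).
FILE_ROWS: List[Row] = [
    {"path": "C:\\Users\\champuser\\Documents\\budget.xlsx.enc", "mtime": 1650329230},
    {"path": "C:\\Users\\champuser\\Desktop\\MESSAGE.TXT", "mtime": 1650329235},
    {"path": "C:\\Users\\champuser\\Downloads\\Cobalt.Client.exe", "mtime": 1650329170},
    {"path": "C:\\Windows\\Temp\\cobalt.log", "mtime": 1650329180},
    {"path": "C:\\Windows\\Prefetch\\COBALT.CLIENT.EXE-1A2B3C4D.pf", "mtime": 1650329171},
    {"path": "C:\\Windows\\Prefetch\\PSEXESVC.EXE-5E6F7A8B.pf", "mtime": 1650329160},
    {"path": "C:\\Windows\\Prefetch\\NOTEPAD.EXE-9C0D1E2F.pf", "mtime": 1650300000},
    {"path": "C:\\Users\\champuser\\Documents\\notes.txt", "mtime": 1650200000},
    {"path": "C:\\Program Files\\Vendor\\cobalt-theme.dll", "mtime": 1650329170},  # outside searched dirs
]

# Constructed `windows_eventlog`-table rows. 4624 (logon) and 7045 (service installed)
# are the well-known IDs; the Defender row's ID and all data strings are placeholders.
EVENT_ROWS: List[Row] = [
    {"channel": "Security", "datetime": "2022-04-19T00:46:05Z", "eventid": 4624, "data": "logon: champuser"},
    {"channel": "Application", "datetime": "2022-04-19T00:46:12Z", "eventid": 0, "data": "Defender protection disabled (constructed)"},
    {"channel": "System", "datetime": "2022-04-19T00:46:40Z", "eventid": 7045, "data": "service installed: PSEXESVC (constructed)"},
    {"channel": "Security", "datetime": "2022-04-18T22:10:00Z", "eventid": 4624, "data": "logon: champuser"},
]


def _name(path: str) -> str:
    """Lower-cased filename component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _under(path: str, dirs) -> bool:
    """True when the path sits below one of the given directory prefixes."""
    low = path.lower()
    return any(low.startswith(d) for d in dirs)


def hunt_files(rows: List[Row]) -> Dict[str, List[str]]:
    """Apply the guide's four file indicators; returns matching paths per category."""
    hits: Dict[str, List[str]] = {"encrypted": [], "ransom_notes": [], "binaries": [], "prefetch": []}
    for row in rows:
        path = str(row["path"])
        name = _name(path)
        if _under(path, (USERS_DIR,)) and name.endswith(ENCRYPTED_EXTENSIONS):
            hits["encrypted"].append(path)
        if _under(path, (USERS_DIR,)) and name.endswith(RANSOM_NOTE_SUFFIX):
            hits["ransom_notes"].append(path)
        if _under(path, BINARY_DIRS) and name.startswith(BINARY_PREFIX):
            hits["binaries"].append(path)
        if _under(path, (PREFETCH_DIR,)) and name.startswith(PREFETCH_PREFIXES):
            hits["prefetch"].append(path)
    return hits


def pivot_minutes(rows: List[Row], binary_paths: List[str]) -> List[str]:
    """UTC minute prefixes ("YYYY-MM-DDTHH:MM") at which the matched binaries were
    modified; the same prefix the guide puts into `datetime LIKE "...T00:46%%"`."""
    wanted = set(binary_paths)
    minutes = set()
    for row in rows:
        if str(row["path"]) in wanted:
            ts = datetime.fromtimestamp(int(row["mtime"]), tz=timezone.utc)  # type: ignore[arg-type]
            minutes.add(ts.strftime("%Y-%m-%dT%H:%M"))
    return sorted(minutes)


def events_in_minutes(events: List[Row], minutes: List[str]) -> List[Row]:
    """Security/Application/System rows written during any of the pivot minutes."""
    channels = {"Security", "Application", "System"}
    return [e for e in events
            if e["channel"] in channels and any(str(e["datetime"]).startswith(m) for m in minutes)]


def run_hunt(files: List[Row], events: List[Row]) -> Dict[str, object]:
    """File indicators -> pivot minutes -> related event log rows, as the guide does by hand."""
    hits = hunt_files(files)
    minutes = pivot_minutes(files, hits["binaries"])
    return {"files": hits, "pivot_minutes": minutes, "events": events_in_minutes(events, minutes)}


if __name__ == "__main__":
    result = run_hunt(FILE_ROWS, EVENT_ROWS)
    for category, paths in result["files"].items():  # type: ignore[union-attr]
        print(f"{category}: {paths}")
    print("pivot minutes:", result["pivot_minutes"])
    for e in result["events"]:  # type: ignore[union-attr]
        print(f"  {e['datetime']} {e['channel']} {e['eventid']} {e['data']}")
```

With real data, export the `file` and `windows_eventlog` queries from the guide as JSON (`osqueryi --json`) and load them into FILE_ROWS and EVENT_ROWS; the pivot step then tells you which minute to pull from each channel instead of guessing the window.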
