Pay2Key Ransomware
Information about Pay2Key Ransomware
In June 2020, a threat actor going by the name Pay2Key was found to have created a Keybase account. The earliest known compilation date of a Pay2Key ransomware executable is October 26th, 2020. In November 2020, Pay2Key launched this ransomware against primarily Israeli companies.
Analysis
After gaining initial access to a system, the attacker downloads files into "C:\Windows\Temp\[organization-name]tmp\".
The Pay2Key ransomware: Cobalt.Cobalt.exe or Cobalt.Client.exe
The ransomware's configuration file: Config.ini
Pivot or Proxy Server (Only on Initially Breached PC): ConnectPC.exe
These files have also been found in the following locations:
"C:\Windows\IME\en-GB\client\Cobalt.Client.exe"
"C:\Windows\IME\en-GB\mngr\ConnectPC.exe"
"C:\Windows\IME\en-GB\mngr\binPS\PsExec.exe"
After these files are downloaded, the attacker executes "ConnectPC.exe", then copies the PsExec utility so it can be used to run the ransomware remotely on other machines in the breached network. The ransomware requires its "config.ini" configuration file to work properly, so the two are always found together. The configuration file is very simple: it holds only two values for the ransomware, server and port. The format of the "config.ini" file will look like the one below.
The ransomware is written in C++ and encrypts files using the AES and RSA cryptographic algorithms. On execution, Pay2Key reads the server and port keys from the "config.ini" file. Files encrypted by Pay2Key are most commonly found with the ".pay2key" or ".enc" extension. Encryption does not take place "offline": the ransomware sends the files to the server it is connected to via an RSA connection to be AES encrypted. This means that if there is no Internet connection, or the server is down, no files are encrypted.
Unlike many other ransomware families, this executable unpacks its strings in clear text when run. Debug data is left in the executable, allowing researchers to observe how the ransomware works. Older versions also produce errors while attempting to run; these errors are written to ".\Cobalt-Client-log.txt", which is not deleted from disk. In many instances, the ransomware crashes when decrypting files after the ransom is paid.
At the end of the encryption process, Pay2Key terminates the MS SQL service using "net stop mssqlserver > nul" so that files locked by the service can be released. The ransomware may also change the wallpaper of the victim's system.
Ransom Demand Messages
In some instances, Pay2Key creates ransom notes named similarly to "[Company_Name]-MESSAGE.TXT" in every folder that contains encrypted files. Below is what that message might look like. By default, the ransom note filename is set to "SALAM_MESSAGE.TXT", so be on the lookout for that as well.
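A defender-side check that matches the staging paths, binary names, encrypted-file extensions, ransom-note names and the MS SQL service-stop command described above against host telemetry, written here as an added example rather than code from the original page. The event schema and the sample events are constructed, and the staging-directory and ransom-note patterns are assumptions generalised from the paths named above.

```python
import re
# Indicators taken from the Pay2Key description above. The event format is a
# constructed, simplified stand-in for process/file telemetry (e.g. Sysmon).
PROCESS_NAMES = {"cobalt.cobalt.exe", "cobalt.client.exe", "connectpc.exe"}
STAGING_DIRS = [
    re.compile(r"^c:\\windows\\temp\\[^\\]*tmp\\", re.I),            # [org-name]tmp
    re.compile(r"^c:\\windows\\ime\\en-gb\\(client|mngr)\\", re.I),
]
ENCRYPTED_EXT = (".pay2key", ".enc")   # ".enc" is generic; corroborate before alerting
RANSOM_NOTE = re.compile(r"(^|\\)([^\\]+-MESSAGE|SALAM_MESSAGE)\.TXT$", re.I)
MSSQL_STOP = re.compile(r"\bnet(\.exe)?\s+stop\s+mssqlserver\b", re.I)

def classify(event):
    """Return indicator labels for one event dict: type ('process'|'file'), path, optional cmdline."""
    hits = []
    path = event.get("path", "")
    name = path.rsplit("\\", 1)[-1].lower()
    if event["type"] == "process":
        if name in PROCESS_NAMES:
            hits.append("pay2key_binary")
        if name.endswith(".exe") and any(d.match(path) for d in STAGING_DIRS):
            hits.append("staging_dir_exec")   # also catches the dropped PsExec.exe
        if MSSQL_STOP.search(event.get("cmdline", "")):
            hits.append("mssql_service_stop")
    elif event["type"] == "file":
        if name.endswith(ENCRYPTED_EXT):
            hits.append("encrypted_extension")
        if RANSOM_NOTE.search(path):
            hits.append("ransom_note")
        if name == "cobalt-client-log.txt":
            hits.append("debug_log")
    return hits

def scan(events):
    """Return (path, labels) for every event that matched at least one indicator."""
    return [(e["path"], labels) for e in events if (labels := classify(e))]

# Constructed sample telemetry, not data from a real incident.
SAMPLE_EVENTS = [
    {"type": "process", "path": r"C:\Windows\Temp\acmetmp\ConnectPC.exe"},
    {"type": "process", "path": r"C:\Windows\IME\en-GB\mngr\binPS\PsExec.exe"},
    {"type": "process", "path": r"C:\Windows\System32\net.exe", "cmdline": "net stop mssqlserver > nul"},
    {"type": "file", "path": r"C:\Users\bob\Documents\report.docx.pay2key"},
    {"type": "file", "path": r"C:\Users\bob\Documents\ACME-MESSAGE.TXT"},
    {"type": "file", "path": r"C:\Windows\Temp\acmetmp\Cobalt-Client-log.txt"},
    {"type": "process", "path": r"C:\Program Files\Office\winword.exe"},
]
if __name__ == "__main__":
    for path, labels in scan(SAMPLE_EVENTS):
        print(path, "->", ", ".join(labels))
```

Feed real process-creation and file-creation events in the same shape to scan() and treat a hit on the staging directory or the service-stop command as a higher-confidence signal than an ".enc" extension alone.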