
The New Pay2Key Ransomware in the Threat Landscape

by CISOCONNECT Bureau

Security researchers have linked Fox Kitten, an Iranian-backed hacking group, to the Pay2Key ransomware. Read on to learn more.

Over the past two months, several Israeli firms have been hit by a ransomware variant called Pay2Key. Fox Kitten, an Iranian-backed hacking group, has been linked to the Pay2Key operations, which target organizations in Israel and Brazil.

Pay2Key is a relatively new ransomware variant first spotted in November by Check Point Research. According to Check Point, several Israeli businesses and organizations that believed they had been attacked with established strains such as Ryuk and REvil had in fact been hit by Pay2Key.

“We estimate with medium to high confidence that Pay2Key is a new operation conducted by Fox Kitten, an Iranian APT group that began a new wave of attacks in November-December 2020 that entailed dozens of Israeli companies,” according to the ClearSky report. Fox Kitten is also known as Pioneer Kitten and Parasite.

The Pay2Key Ransomware
Experts suggest that the Pay2Key ransomware operation is part of the ongoing cyber showdown between Israel and Iran. Its recent wave of attacks has caused significant damage to some of the victim companies.

Since October, the Iranian APT group has used Pay2Key ransomware attacks as cover, while its actual aim was stealing valuable information from industry, insurance, and logistics firms. For initial access the group exploited known vulnerabilities in Fortinet, Pulse Secure, F5, and GlobalProtect VPN products, and it also abused publicly exposed RDP services to gain a foothold and deploy its malware payloads.

Pay2Key operators can spread the ransomware across an entire network within an hour. The ransomware was used to create panic rather than to collect a ransom. The attackers also routed outbound communication from infected hosts through a single pivot device that acted as a proxy to their C2 servers. Because only the pivot talks to the outside, per-host egress monitoring sees nothing unusual on the other infected machines, which helped the group stay undetected until it triggered encryption across the network.
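The pivot-proxy pattern described above leaves a signature of its own: one internal host with an unusual fan-in of internal connections that also has outbound connections to the internet. The following Python sketch, added here as an illustration and not taken from the article or from any of the researchers it cites, hunts for that pattern in connection records. It assumes a simplified whitespace-separated "timestamp src dst dport" record format (a flattening of what a firewall or Zeek conn.log would provide), a hypothetical set of internal address ranges, and constructed sample records in which hosts 10.20.1.11 to 10.20.1.14 fan in to 10.20.1.50, and 10.20.1.50 alone reaches an external address.

```python
import ipaddress
from collections import defaultdict

# Assumed internal ranges for the organization (hypothetical; adjust to your site).
# Python's ip_address(...).is_private is deliberately NOT used, because it also
# treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample records: "timestamp src dst dport". Made-up values, not real logs.
# 10.20.1.50 is the suspected pivot; 10.20.0.5 is a busy DNS server with no egress.
SAMPLE_LOG = """\
2020-11-04T03:12:05Z 10.20.1.11 10.20.1.50 8080
2020-11-04T03:12:09Z 10.20.1.12 10.20.1.50 8080
2020-11-04T03:12:14Z 10.20.1.13 10.20.1.50 8080
2020-11-04T03:12:20Z 10.20.1.14 10.20.1.50 8080
2020-11-04T03:12:21Z 10.20.1.50 203.0.113.77 443
2020-11-04T03:13:02Z 10.20.1.11 10.20.0.5 53
2020-11-04T03:13:03Z 10.20.1.12 10.20.0.5 53
2020-11-04T03:13:04Z 10.20.1.13 10.20.0.5 53
2020-11-04T03:13:05Z 10.20.1.14 10.20.0.5 53
2020-11-04T03:14:00Z 10.20.1.12 198.51.100.9 443
2020-11-04T03:14:30Z 10.20.1.11 10.20.1.12 445
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str):
    """Parse 'timestamp src dst dport' lines into (ts, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((ts, src, dst, int(dport)))
    return records


def find_pivots(records, min_fan_in: int = 3, known_servers=frozenset()):
    """Return internal hosts that look like C2 proxies.

    A candidate must (a) receive connections from at least `min_fan_in` distinct
    internal hosts and (b) itself connect to at least one external address.
    `known_servers` suppresses hosts that legitimately fan in (DNS, proxies, AD).
    """
    inbound_srcs = defaultdict(set)   # dst -> internal sources that contacted it
    inbound_ports = defaultdict(set)  # dst -> ports it was contacted on
    external_dsts = defaultdict(set)  # src -> external destinations it reached

    for _ts, src, dst, dport in records:
        if is_internal(src) and is_internal(dst):
            inbound_srcs[dst].add(src)
            inbound_ports[dst].add(dport)
        elif is_internal(src) and not is_internal(dst):
            external_dsts[src].add(dst)

    pivots = {}
    for host, srcs in inbound_srcs.items():
        if host in known_servers or len(srcs) < min_fan_in:
            continue
        if not external_dsts.get(host):
            continue  # high fan-in but no egress: a normal internal server
        pivots[host] = {
            "fan_in": len(srcs),
            "ports": set(inbound_ports[host]),
            "external_dsts": set(external_dsts[host]),
        }
    return pivots


if __name__ == "__main__":
    for host, info in find_pivots(parse_log(SAMPLE_LOG)).items():
        print(
            f"candidate pivot {host}: {info['fan_in']} internal sources "
            f"on ports {sorted(info['ports'])}, egress to {sorted(info['external_dsts'])}"
        )
```

On the constructed records only 10.20.1.50 is reported: 10.20.0.5 has the same fan-in but no egress, and 10.20.1.12 has egress but only one internal source. In a real deployment the fan-in threshold should be tuned per segment, and the `known_servers` list populated from inventory, so that file, DNS and update servers do not drown the signal.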

Other Cyberattacks
Recently, this new ransomware has been used in several attacks against Israeli and European companies. A few days ago, Pay2Key operators leaked data allegedly stolen from Habana Labs during an intrusion. Personal details of leading cyber professionals were also exposed in the latest Iranian-linked breach of IAI's Elta Systems.

Last month, several Israeli companies, including large corporations, fell victim to Pay2Key. The Swascan cybersecurity research team has also disclosed activity by the same ransomware against European firms.

In February, ClearSky reported that Fox Kitten had previously worked with other Iranian-linked groups, such as OilRig and Shamoon, providing them with access to vulnerable networks.

Conclusion
Several new ransomware operators are adopting tactics like these to establish themselves quickly. Given the access methods described above, experts recommend patching the affected VPN products promptly, not exposing RDP directly to the internet and enabling two-factor authentication where it must be reachable, keeping offline backups of important data, using strong passwords, and running a reliable anti-malware solution.
