Check Point tracks Bitcoin ransom payments from new cyber attack to Iranian nationals
Dubbed Pay2Key, the sophisticated new ransomware encrypts an organization’s entire network in an hour, with 12 Israeli companies so far falling victim
Meir Orbach | 13:35, 12.11.20
Israeli cybersecurity giant Check Point Software Technologies Ltd. revealed a new type of ransomware, dubbed Pay2Key, that has footprints leading to Iran. The attackers have already succeeded in harming several Israeli companies, including a leading law firm and a tech company in the gaming industry. Data on the attacked companies has already made its way to the dark web, with the attackers demanding 7-9 Bitcoin in ransom (approximately $110,000 to $149,000). It is important to note that this is a new type of ransomware, different from the type that was recently used to attack Tower and Sapiens.
Check Point experts determined that the hack was carried out through employees’ remote connection system. “This is a fast and sophisticated type of ransomware that encrypts entire organizational networks within an hour, while threatening to leak large amounts of data belonging to the targeted organizations to the darknet if the ransom isn’t paid,” read a company statement.
Check Point said that in at least three instances the hackers indeed leaked the data of the attacked organizations. Most of the ransomware victims, at least a dozen, are Israeli companies of various sizes.
According to the investigation carried out at Check Point’s labs, four Israeli victims of the Pay2Key attacks have decided to pay the ransom, which enabled its experts to track the payment transfers between crypto wallets. In cooperation with WhiteStream, an Israeli blockchain intelligence company, the researchers were able to follow the Bitcoin money route and found that they all ended up in what appeared to be an Iranian cryptocurrency exchange named Excoino.
According to Check Point, Excoino is an Iranian company that provides secure cryptocurrency transactions services for Iranian citizens, with registration requiring users to have a valid Iranian phone number and ID. Based on the transfer route, the researchers were able to determine that the people behind the ransomware attacks were Iranian nationals.