Pay2Key
Pay2Key is a ransomware written in C++ that has been used by Fox Kitten since at least July 2020 including campaigns against Israeli companies. Pay2Key has been incorporated with a leak site to display stolen sensitive information to further pressure victims into payment.[1][2]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1090 | .001 | 代理: Internal Proxy |
Pay2Key has designated machines in the compromised network to serve as reverse proxy pivot points to channel communications with C2.[1][2] |
| Enterprise | T1573 | .002 | 加密通道: Asymmetric Cryptography | |
| Enterprise | T1486 | 数据加密以实现影响 |
Pay2Key can encrypt data on victim's machines using RSA and AES algorithms in order to extort a ransom payment for decryption.[1][2] |
|
| Enterprise | T1489 | 服务停止 |
Pay2Key can stop the MS SQL service at the end of the encryption process to release files locked by the service.[2] |
|
| Enterprise | T1070 | .004 | 移除指标: File Deletion | |
| Enterprise | T1082 | 系统信息发现 |
Pay2Key has the ability to gather the hostname of the victim machine.[2] |
|
| Enterprise | T1016 | 系统网络配置发现 |
Pay2Key can identify the IP and MAC addresses of the compromised host.[2] |
|
| Enterprise | T1095 | 非应用层协议 |
Pay2Key has sent its public key to the C2 server over TCP.[2] |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0117 | Fox Kitten |