2022-07-18 by Unit 42 from Palo Alto Networks Unit 42
2021-05-10 by DarkTracer from DarkTracer
2021-05-04 by Trend Micro Research from Twitter (@TrendMicroRSRCH)
2021-02-28 by PWC UK from PWC UK
2021-02-23 by CrowdStrike from CrowdStrike
2020-12-17 by ClearSky Research Team from ClearSky
2020-12-13 by Lawrence Abrams from Bleeping Computer
2020-11-06 by Check Point Research from Check Point
2020 by SecureWorks from Secureworks
2019 by MITRE ATT&CK from MITRE
2018-10-25 by Unit 42 from Palo Alto Networks Unit 42
2018-09-28 by Adam Meyers from CrowdStrike
2018-09-27 by Counter Threat Unit Research Team from Secureworks
2018-08-30 by Ionut Ilascu from Bleeping Computer
2018-08-02 by Warwick Ashford from ComputerWeekly
2018-01-16 by Yonathan Klijnsma from RiskIQ
2017-11-28 by Yonathan Klijnsma from RiskIQ
2017-11-20 by Ronnie Giagone from Trend Micro
2017-08-15 by Vesta Matveeva from Group-IB
2017-06-01 by Matthew Mesa from Proofpoint
2017-01-05 by Jim Finkle from Reuters
2017 by Positive Technologies from Positive Technologies
2016-11-22 by Zeljka Zorz from Help Net Security
2016-06 by ClearSky Cybersecurity from clearskysec
Tool: Pay2Key
Names: Pay2Key, Cobalt
Description: (ClearSkySec) The ransomware is written in C++. Exceptionally, whereas other ransomware groups encrypt their ransomware files or at least obfuscate internal strings to make analysis more difficult, the Pay2Key executable is unpacked and its strings can be seen in clear text.
Category: Malware
Type: Ransomware
Information: https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf
Mitre-attack: https://attack.mitre.org/software/S0556/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.pay2key
Last-card-change: 2023-01-01
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Use |
---|---|---|
Discovery (TA0007) | T1082 System Information Discovery | Pay2Key has the ability to gather the hostname of the victim machine. |
Discovery (TA0007) | T1016 System Network Configuration Discovery | Pay2Key can identify the IP and MAC addresses of the compromised host. |
Command and Control (TA0011) | T1573.002 Encrypted Channel: Asymmetric Cryptography | Pay2Key has used RSA-encrypted communications with C2. |
Command and Control (TA0011) | T1090.001 Proxy: Internal Proxy | Pay2Key has designated machines in the compromised network to serve as reverse proxy pivot points to channel communications with C2. |
Impact (TA0040) | T1486 Data Encrypted for Impact | Pay2Key can encrypt data on victims' machines using RSA and AES algorithms in order to extort a ransom payment for decryption. |
Impact (TA0040) | T1489 Service Stop | Pay2Key can stop the MS SQL service at the end of the encryption process to release files locked by the service. |