Pay2Key

Pay2Key, Cobalt
(Type: Ransomware)

(ClearSkySec) The ransomware is written in C++. Exceptionally, whereas other ransomware groups encrypt their ransomware files or at least obfuscate internal strings to make analysis more difficult, the Pay2Key executable is unpacked and its strings can be seen in clear text.

[News Analysis] Trends:

Total Trend: 24

Trend Per Year

Year  Count
2016  2
2017  6
2018  6
2019  1
2020  4
2021  4
2022  1


Trend Per Month

Month     Count
Jun 2016  1
Nov 2016  1
2017      1
Jan 2017  1
Jun 2017  1
Aug 2017  1
Nov 2017  2
Jan 2018  1
Aug 2018  2
Sep 2018  2
Oct 2018  1
2019      1
2020      1
Nov 2020  1
Dec 2020  2
Feb 2021  2
May 2021  2
Jul 2022  1



[News Analysis] News Mention Another Threat Name:

1 - Carbanak
7 - Cobalt
58 - RansomEXX
58 - Avaddon
25 - Babuk
58 - Clop
96 - Conti
25 - Cuba
58 - DarkSide
58 - DoppelPaymer
58 - Egregor
25 - Hades
58 - LockBit
96 - Mailto
96 - Maze
58 - MedusaLocker
58 - Mespinoza
58 - Mount Locker
73 - Nefilim
58 - Nemty
96 - Pay2Key
58 - PwndLocker
58 - RagnarLocker
58 - Ragnarok
96 - REvil
58 - Sekhmet
58 - SunCrypt
25 - ThunderX
53 - elf.wellmess
53 - FlowerPower
53 - PowGoop
53 - 8.t Dropper
53 - Agent.BTZ
53 - Agent Tesla
53 - Appleseed
53 - Ave Maria
53 - Bankshot
92 - BazarBackdoor
53 - BLINDINGCAN
53 - Chinoxy
53 - Cotx RAT
53 - Crimson RAT
53 - DUSTMAN
92 - Emotet
53 - FriedEx
53 - FunnyDream
92 - Hakbit
53 - METALJACK
53 - Oblique RAT
92 - PlugX
92 - QakBot
92 - Ryuk
53 - StoneDrill
53 - StrongPity
92 - SUNBURST
53 - SUPERNOVA
92 - TrickBot
53 - TurlaRPC
53 - Turla SilentMoon
92 - WastedLocker
53 - WellMess
92 - Winnti
53 - ZeroCleare
53 - APT10
53 - APT23
53 - APT27
53 - APT31
53 - APT41
53 - BlackTech
53 - BRONZE EDGEWOOD
53 - Inception Framework
53 - MUSTANG PANDA
53 - Red Charon
53 - Red Nue
53 - Sea Turtle
53 - Tonto Team
53 - Amadey
53 - Anchor
58 - Cobalt Strike
53 - Cutwail
53 - DanaBot
53 - Dridex
53 - IcedID
53 - JSOutProx
53 - KerrDown
53 - NedDnLoader
53 - Pushdo
53 - PyXie
53 - Quasar RAT
53 - ShadowPad
53 - SmokeLoader
53 - Snake
53 - TEARDROP
53 - Zloader
53 - KNOCKOUT SPIDER
53 - OUTLAW SPIDER
53 - RIDDLE SPIDER
53 - SOLAR SPIDER
53 - VIKING SPIDER
5 - More_eggs
5 - ATMSpitter
5 - CobInt
5 - MimiKatz
1 - FIN7


[TTP Analysis] Technique Performance:

Tactic                 Techniques observed / total
reconnaissance         0/43
resource development   0/45
initial access         0/19
execution              0/36
persistence            0/113
privilege escalation   0/96
defense evasion        1/184
credential access      0/63
discovery              2/44
lateral movement       0/22
collection             0/37
command and control    3/39
exfiltration           0/18
impact                 2/26


[TTP Analysis] Mitre Attack Matrix:

Tactics:

TA0043  Reconnaissance
TA0042  Resource Development
TA0001  Initial Access
TA0002  Execution
TA0003  Persistence
TA0004  Privilege Escalation
TA0005  Defense Evasion
TA0006  Credential Access
TA0007  Discovery
TA0008  Lateral Movement
TA0009  Collection
TA0011  Command and Control
TA0010  Exfiltration
TA0040  Impact

Techniques observed (with tactic):

T1070.004  Indicator Removal : File Deletion (Defense Evasion)
T1082      System Information Discovery (Discovery)
T1016      System Network Configuration Discovery (Discovery)
T1573.002  Encrypted Channel : Asymmetric Cryptography (Command and Control)
T1095      Non-application Layer Protocol (Command and Control)
T1090.001  Proxy : Internal Proxy (Command and Control)
T1486      Data Encrypted For Impact (Impact)
T1489      Service Stop (Impact)


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

Mule Libra

2022-07-18 by Unit 42 from Palo Alto Networks Unit 42

Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb

2021-05-10 by DarkTracer from DarkTracer

Tweet on N3tw0rm ransomware, that has started affecting users in Israel.

2021-05-04 by Trend Micro Research from Twitter (@TrendMicroRSRCH)

Cyber Threats 2020: A Year in Retrospect

2021-02-28 by PWC UK from PWC UK

2021 Global Threat Report

2021-02-23 by CrowdStrike from CrowdStrike

Pay2Kitten: Pay2Key Ransomware - A New Campaign by Fox Kitten

2020-12-17 by ClearSky Research Team from ClearSky

Intel's Habana Labs hacked by Pay2Key ransomware, data stolen

2020-12-13 by Lawrence Abrams from Bleeping Computer

Ransomware Alert: Pay2Key

2020-11-06 by Check Point Research from Checkpoint

GOLD KINGSWOOD

2020 by SecureWorks from Secureworks

Group description: Cobalt Group

2019 by MITRE ATT&CK from MITRE

New Techniques to Uncover and Attribute Cobalt Gang Commodity Builders and Infrastructure Revealed

2018-10-25 by Unit42 from Palo Alto Networks Unit 42

Meet CrowdStrike’s Adversary of the Month for September: COBALT SPIDER

2018-09-28 by Adam Meyers from CrowdStrike

Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish

2018-09-27 by Counter Threat Unit Research Team from Secureworks

Cobalt Hacking Group Tests Banks In Russia and Romania

2018-08-30 by Ionut Ilascu from Bleeping Computer

Three Carbanak cyber heist gang members arrested

2018-08-02 by Warwick Ashford from ComputerWeekly

First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks

2018-01-16 by Yonathan Klijnsma from RiskIQ

Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions

2017-11-28 by Yonathan Klijnsma from RiskIQ

Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks

2017-11-20 by Ronnie Giagone from Trend Micro

Secrets of Cobalt

2017-08-15 by Vesta Matveeva from Group-IB

Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions

2017-06-01 by Matthew Mesa from Proofpoint

Taiwan ATM heist linked to European hacking spree: security firm

2017-01-05 by Jim Finkle from Reuters

COBALT STRIKES BACK: AN EVOLVING MULTINATIONAL THREAT TO FINANCE

2017 by Positive Technologies from Positive Technologies

Cobalt hackers executed massive, synchronized ATM heists across Europe, Russia

2016-11-22 by Zeljka Zorz from Help Net Security

Operation DustySky Part 2

2016-06 by ClearSky Cybersecurity from clearskysec

Basic Information (Credit @etda.or.th)

Tool: Pay2Key

Names: Pay2Key, Cobalt

Description: (ClearSkySec) The ransomware is written in C++. Exceptionally, whereas other ransomware groups encrypt their ransomware files or at least obfuscate internal strings to make analysis more difficult, the Pay2Key executable is unpacked and its strings can be seen in clear text.

Category: Malware

Type: Ransomware

Information: https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf

Mitre-attack: https://attack.mitre.org/software/S0556/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.pay2key

Last-card-change: 2023-01-01

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

Tactics:

TA0043  Reconnaissance
TA0042  Resource Development
TA0001  Initial Access
TA0002  Execution
TA0003  Persistence
TA0004  Privilege Escalation
TA0005  Defense Evasion
TA0006  Credential Access
TA0007  Discovery
TA0008  Lateral Movement
TA0009  Collection
TA0011  Command and Control
TA0010  Exfiltration
TA0040  Impact

Techniques:

T1070.004 - Indicator Removal : File Deletion
Pay2Key can remove its log file from disk.

T1082 - System Information Discovery
Pay2Key has the ability to gather the hostname of the victim machine.

T1016 - System Network Configuration Discovery
Pay2Key can identify the IP and MAC addresses of the compromised host.

T1573.002 - Encrypted Channel : Asymmetric Cryptography
Pay2Key has used RSA-encrypted communications with C2.

T1095 - Non-application Layer Protocol
Pay2Key has sent its public key to the C2 server over TCP.

T1090.001 - Proxy : Internal Proxy
Pay2Key has designated machines in the compromised network to serve as reverse proxy pivot points to channel communications with C2.

T1486 - Data Encrypted For Impact
Pay2Key can encrypt data on victims' machines using RSA and AES algorithms in order to extort a ransom payment for decryption.

T1489 - Service Stop
Pay2Key can stop the MS SQL service at the end of the encryption process to release files locked by the service.