S0556 Pay2Key
Pay2Key is ransomware written in C++ that has been used by Fox Kitten since at least July 2020, including in campaigns against Israeli companies. Pay2Key operations have incorporated a leak site that displays stolen sensitive information to further pressure victims into paying.[1][2]
| Item | Value |
|---|---|
| ID | S0556 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 04 January 2021 |
| Last Modified | 22 April 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1486 | Data Encrypted for Impact | Pay2Key can encrypt data on victims' machines using the RSA and AES algorithms in order to extort a ransom payment for decryption.[1][2] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | Pay2Key has used RSA-encrypted communications with its C2.[2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Pay2Key can remove its log file from disk.[2] |
| enterprise | T1095 | Non-Application Layer Protocol | Pay2Key has sent its public key to the C2 server over TCP.[2] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.001 | Internal Proxy | Pay2Key has designated machines in the compromised network to serve as reverse proxy pivot points that channel communications with the C2.[1][2] |
| enterprise | T1489 | Service Stop | Pay2Key can stop the MS SQL service at the end of the encryption process to release files locked by the service.[2] |
| enterprise | T1082 | System Information Discovery | Pay2Key has the ability to gather the hostname of the victim machine.[2] |
| enterprise | T1016 | System Network Configuration Discovery | Pay2Key can identify the IP and MAC addresses of the compromised host.[2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0117 | Fox Kitten | [1][2] |