
S0556 Pay2Key

Pay2Key is ransomware written in C++ that has been used by Fox Kitten since at least July 2020, including in campaigns against Israeli companies. Pay2Key operations have been paired with a leak site that displays stolen sensitive information to further pressure victims into paying.[1][2]

| Item | Value |
|---|---|
| ID | S0556 |
| Associated Names | |
| Version | 1.0 |
| Created | 04 January 2021 |
| Last Modified | 22 April 2021 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1486 | Data Encrypted for Impact | Pay2Key can encrypt data on victims' machines using RSA and AES algorithms in order to extort a ransom payment for decryption.[1][2] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | Pay2Key has used RSA-encrypted communications with C2.[2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Pay2Key can remove its log file from disk.[2] |
| enterprise | T1095 | Non-Application Layer Protocol | Pay2Key has sent its public key to the C2 server over TCP.[2] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.001 | Internal Proxy | Pay2Key has designated machines in the compromised network to serve as reverse proxy pivot points to channel communications with C2.[1][2] |
| enterprise | T1489 | Service Stop | Pay2Key can stop the MS SQL service at the end of the encryption process to release files locked by the service.[2] |
| enterprise | T1082 | System Information Discovery | Pay2Key has the ability to gather the hostname of the victim machine.[2] |
| enterprise | T1016 | System Network Configuration Discovery | Pay2Key can identify the IP and MAC addresses of the compromised host.[2] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0117 | Fox Kitten | [1][2] |