Iranian Nation-state actors linked to Pay2Key Ransomware

In the past two months, ClearSky and Profero have linked the operators behind the Pay2Key ransomware to an Iranian-backed group focused on data theft with a ransomware façade. ClearSky details that in November, the operators did not deploy ransomware against Amital and have mostly dealt with victims through extortion of stolen data. To make the association from Pay2Key to Iran, the December 18, 2020 report by ClearSky points to domains previously linked by Check Point and to the speed of deployment when ransomware is used.

Analyst Notes

With multiple reports now coming to light, confidence in the allegation that the Pay2Key operators are nation-state actors has gone from medium to medium-high. Patching the following vulnerabilities would have helped slow down the Pay2Key actors: CVE-2018-13379 (Fortinet), CVE-2019-19781 (Citrix), CVE-2020-5902 (F5 BIG-IP). Ingesting logs from these appliances and implementing continuous monitoring for them, if applicable, is essential, as these vulnerabilities have been widely used and are rated critical. The Pay2Key actors have also used Fast Reverse Proxy Client (FRPC.exe) to mask where Command and Control traffic is being sent. If FRPC is not used in your environment, having detections in place to catch it will also give defenders an advantage.
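One way to express the FRPC detection suggested above, as an added example that does not come from the ClearSky or Profero reports. It assumes process-creation events with Sysmon-style fields (Computer, Image, CommandLine); the host names, the allowlist and the sample events are constructed, and the config file names are the defaults of the open-source frp client.

```python
import ntpath
import re

# Hosts where FRP is a sanctioned tool (hypothetical allowlist, lowercase;
# leave empty if FRP is not used anywhere in the environment).
SANCTIONED_HOSTS = {"build-proxy-01"}

# Default config file names of the open-source frp client. Matching them in
# the command line still fires when the binary was renamed before execution.
FRPC_CONFIG = re.compile(r"\bfrpc\.(ini|toml)\b", re.IGNORECASE)


def frpc_signals(event):
    """Return the reasons a process-creation event looks like an FRP client."""
    reasons = []
    image = ntpath.basename(event.get("Image", "")).lower()
    if image in ("frpc.exe", "frpc"):
        reasons.append("image_name")
    if FRPC_CONFIG.search(event.get("CommandLine", "")):
        reasons.append("config_in_cmdline")
    return reasons


def detect(events, sanctioned=SANCTIONED_HOSTS):
    """Alert on FRP client execution anywhere outside the sanctioned hosts."""
    alerts = []
    for ev in events:
        if ev.get("Computer", "").lower() in sanctioned:
            continue
        reasons = frpc_signals(ev)
        if reasons:
            alerts.append({"host": ev["Computer"], "image": ev["Image"],
                           "reasons": reasons})
    return alerts


# Constructed sample events, not taken from any real incident.
SAMPLE_EVENTS = [
    {"Computer": "WS-114", "Image": r"C:\Users\Public\frpc.exe",
     "CommandLine": r"C:\Users\Public\frpc.exe -c C:\Users\Public\frpc.ini"},
    {"Computer": "WS-207", "Image": r"C:\ProgramData\svchelper.exe",
     "CommandLine": r"svchelper.exe -c C:\ProgramData\frpc.ini"},
    {"Computer": "BUILD-PROXY-01", "Image": r"C:\tools\frp\frpc.exe",
     "CommandLine": r"frpc.exe -c frpc.toml"},
    {"Computer": "WS-114", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\Public\notes.txt"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```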

ClearSky Report: https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf
Bleeping Computer: https://www.bleepingcomputer.com/news/security/iranian-nation-state-hackers-linked-to-pay2key-ransomware/