Security researchers have identified two waves of ransomware attacks against Israeli companies that appear to originate in Iran. The attacks began in mid-October and have escalated this month, hitting a growing number of Israeli companies of all sizes with the Pay2Key and WannaScream ransomware. In each case the attackers breached corporate networks, stole corporate data, encrypted files and then demanded large ransoms from their victims in exchange for a decryption key.
Ram Levi, founder and CEO of Konfidas, an Israeli cyber security consulting firm, told ZDNet that the Pay2Key ransomware gang has set up a leak site on the dark web, where its members are now publishing data stolen from companies that refused to pay the ransom demanded.
Pay2Key differs from other ransomware operations in that it has so far targeted and infected Israeli companies exclusively.
In addition, Omri Segev Moyal, founder and CEO of the Israeli security company Profero, told ZDNet that WannaScream ransomware attacks have been detected worldwide, noting that the ransomware is currently offered under a Ransomware-as-a-Service (RaaS) model and that one gang renting it from its creators specifically targets Israeli companies.
Profero, one of the Israeli security companies currently providing incident response services to Israeli companies among the victims of these attacks, has identified several payments made by Israeli victims to Excoino, a cryptocurrency exchange based in Iran, Moyal said.
Moyal explained that neither the WannaScream nor the Pay2Key attacks are particularly sophisticated. The Pay2Key operators' low level of expertise has allowed researchers to trace the flow of Bitcoin ransom payments with little difficulty.
Profero's findings, and the link between Pay2Key and an Iran-based hacker, were also confirmed by Check Point and by a third source. Check Point, which first spotted the wave of Pay2Key ransomware attacks last week, is set to publish a report on its latest findings and the Iranian links later this week. Although no payments to Excoino have been detected for the WannaScream attacks, other indicators in the ransomware's code and in the ransom negotiation process also led Moyal and others to conclude that an Iranian entity is behind them.
Moyal's assessment that the Pay2Key and WannaScream attacks are not particularly sophisticated is also borne out by several incidents. For example, in earlier Pay2Key attacks the ransomware's command-and-control (C&C) servers failed to deliver a decryption key to some victims even though they had paid the ransom demanded, leaving those companies unable to recover their files. In the case of WannaScream, the ransomware's decryptor has malfunctioned in some cases, so that victim companies remain unable to recover their data even after paying the ransom.