Pay2Key ransomware apparently targets businesses in Brazil and Israel. It looks for open RDP ports and spreads across an entire network within one hour. Files are encrypted with a hybrid of symmetric and asymmetric cryptography, using the AES and RSA algorithms. The C&C server generates the RSA public key and transmits it at run time. This means that Pay2Key does not encrypt offline: if there is no internet connection or the C&C server is not reachable, encryption does not happen. RC4 is used for some cryptographic functions, but not for encrypting files. The authors of Pay2Key rely on a third-party implementation (via the Windows API). The Network ID from the ransom note (in GUID format) is stored as ASCII at the beginning of each encrypted file, followed by metadata records of the form [WORD length] [data], including the original filename.
After the infection phase is complete, victims receive a customized ransom note demanding 7-9 bitcoins (~$110K-$140K). The extension .pay2key is added to the encrypted files.
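As an added example, not code from the original page or from any Pay2Key sample, the following Python triage helper parses the encrypted-file header layout described above (Network ID as ASCII, then [WORD length][data] records) so an analyst can recover the Network ID and original filename from a .pay2key file. The 36-character GUID text form, a little-endian 16-bit WORD, a single metadata field holding a UTF-8 filename, and the sample input are all assumptions made for this example.

```python
import struct
import uuid
from typing import Dict, List, Optional

# Layout assumed from the description above; sizes and encodings are this
# example's assumptions, not details taken from a real sample.
GUID_TEXT_LEN = 36          # GUID in text form: 8-4-4-4-12 hex digits
EXTENSION = ".pay2key"

def build_header(network_id: str, fields: List[bytes]) -> bytes:
    """Build a header in the assumed layout; used only to construct test input."""
    out = str(uuid.UUID(network_id)).encode("ascii")   # validates the GUID text
    for f in fields:
        if len(f) > 0xFFFF:
            raise ValueError("field exceeds WORD length prefix")
        out += struct.pack("<H", len(f)) + f              # [WORD length][data]
    return out

def parse_header(blob: bytes, n_fields: int = 1) -> Dict[str, object]:
    """Parse the Network ID and n_fields length-prefixed metadata records.

    Returns the GUID text, the raw fields, the original filename (assumed to
    be field 0, UTF-8) and the offset where the encrypted payload starts.
    Raises ValueError on anything that does not fit the assumed layout.
    """
    if len(blob) < GUID_TEXT_LEN:
        raise ValueError("too short for a Network ID")
    guid_text = blob[:GUID_TEXT_LEN].decode("ascii")     # ValueError if not ASCII
    uuid.UUID(guid_text)                                  # ValueError if not a GUID
    pos, fields = GUID_TEXT_LEN, []
    for _ in range(n_fields):
        if pos + 2 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from("<H", blob, pos)
        pos += 2
        if pos + length > len(blob):
            raise ValueError("field length runs past end of file")
        fields.append(bytes(blob[pos:pos + length]))
        pos += length
    return {"network_id": guid_text,
            "original_name": fields[0].decode("utf-8", errors="replace"),
            "fields": fields, "payload_offset": pos}

def triage(name: str, blob: bytes) -> Optional[Dict[str, object]]:
    """Return the parsed header for a plausible Pay2Key file, otherwise None."""
    if not name.lower().endswith(EXTENSION):
        return None
    try:
        return parse_header(blob)
    except ValueError:          # covers bad GUID, bad ASCII and truncation
        return None

# Constructed sample: a GUID-format Network ID, one filename field, fake ciphertext.
SAMPLE_ID = "12345678-abcd-4ef0-9876-0123456789ab"
SAMPLE = build_header(SAMPLE_ID, [b"Q3-budget.xlsx"]) + b"\x00" * 16
```

A real triage pass would also check that the Network ID matches the one in the ransom note, which ties a file to a specific infection rather than merely to the family.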