Pay2Key ransomware apparently targets businesses in Brazil and Israel. It looks for open RDP ports and swiftly spreads across an entire network within one hour. Files are encrypted with a hybrid of symmetric and asymmetric cryptography, using the AES and RSA algorithms. The C&C server generates the RSA public key and transmits it at run time, which means Pay2Key does not encrypt offline: if there is no internet connection or the C&C server is unavailable, encryption does not happen. RC4 is used for some cryptographic functions, but not for encrypting files. The authors of Pay2Key used a third-party implementation (via the Windows API). The Network ID from the ransom note (in GUID format) is stored as ASCII at the beginning of the encrypted file, followed by metadata records laid out as [WORD length][data], including the original filename.
After completing the infection phase, victims received a customized ransom note demanding 7-9 bitcoins (~$110K-$140K). The extension .pay2key is added to the encrypted files.
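The header layout described above (ASCII Network ID, then [WORD length][data] records) is enough to write a small triage parser that recovers the Network ID and original filename from an encrypted file during incident response. The following is an added example, not code from the page or from the malware; it assumes the GUID is written as 36 dash-separated hex characters without braces, that WORD is a little-endian 16-bit length, that the original filename is the first record, and that the caller supplies the number of records, none of which the page states.

```python
"""Triage helper for .pay2key files (added example, not the malware's own code).

Assumptions not stated on the page: the Network ID is a 36-character GUID
(8-4-4-4-12 hex with dashes) stored as ASCII; each metadata record is a
little-endian 16-bit length followed by that many bytes; the original
filename is the first record; the number of records is a caller-supplied guess.
"""
import re
import struct

GUID_LEN = 36  # assumption: GUID written as text without braces
GUID_RE = re.compile(rb"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def parse_header(data: bytes, record_count: int = 1) -> dict:
    """Parse the ASCII GUID and the [WORD length][data] records after it.

    Raises ValueError when the bytes do not fit the layout, so this doubles
    as a cheap 'does this look like a Pay2Key-encrypted file' check.
    """
    if len(data) < GUID_LEN or not GUID_RE.match(data[:GUID_LEN]):
        raise ValueError("no GUID-format Network ID at offset 0")
    offset, records = GUID_LEN, []
    for _ in range(record_count):
        if offset + 2 > len(data):
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from("<H", data, offset)  # WORD, little-endian
        offset += 2
        if offset + length > len(data):
            raise ValueError("record length exceeds file size")
        records.append(data[offset:offset + length])
        offset += length
    return {
        "network_id": data[:GUID_LEN].decode("ascii"),
        "original_name": records[0].decode("utf-8", "replace") if records else "",
        "records": records,
        "payload_offset": offset,  # where the AES ciphertext would begin
    }


def build_sample(network_id: str, original_name: str, ciphertext: bytes) -> bytes:
    """Constructed sample in the assumed layout, used to exercise the parser."""
    name = original_name.encode("utf-8")
    return network_id.encode("ascii") + struct.pack("<H", len(name)) + name + ciphertext
```

Grouping parsed headers by `network_id` across a file share gives a quick view of which hosts were hit by the same campaign, since the ID is the one printed in the ransom note.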
Pay2Key Ransomware Signatures
Family: Ransom:Win32/FileCryptor!MTB
MD5: f3076add8669d1c33cd78b6879e694de
SHA256: 5bae961fec67565fb88c8bcd3841b7090566d8fc12ccb70436b5269456e55c00