A new wave of cyberattacks employing the Pay2Key ransomware has intensified concerns about state-sponsored hacking groups adopting ransomware-as-a-service (RaaS) models to amplify their reach.
Security firms ClearSky and Check Point Research have identified at least two dozen Israeli companies targeted since October 2020 (the page's "2024" dates are off by four years; the campaign, the KeyBase account and the assassination referenced below all date to 2020), with forensic evidence linking the campaign to Fox Kitten, an Iranian advanced persistent threat (APT) group historically focused on espionage and on selling the network access it gains.
Alleged Promotion of Pay2Key Ransomware-as-a-Service (RaaS)
The Pay2Key campaign exhibits operational hallmarks suggesting a shift toward RaaS frameworks, where developers license ransomware tools to affiliates for a share of profits.
While no explicit RaaS advertisements for Pay2Key have surfaced, its infrastructure overlaps with that of Fox Kitten, a group ClearSky has previously tied to OilRig and to the operators behind the Shamoon wiper attacks.
ClearSky researchers note the attackers’ use of third-party penetration teams and darknet marketplace collaborations—a pattern consistent with RaaS ecosystems that separate malware development from frontline attacks.
Key evidence includes:
- Affiliate Communication Channels: Operators created a KeyBase.io account in June 2020, months before the first known victims, to negotiate ransoms, a tactic mirroring RaaS groups that manage multiple affiliates.
- Scalable Attack Infrastructure: The ransomware is pushed across a network with Sysinternals PsExec, with one compromised host acting as a proxy for the other infected machines' command-and-control traffic. That packaging lets operators with little technical skill deploy it across an entire compromised network.
- Profit-Sharing Mechanisms: Fox Kitten's recent foray into selling network access on underground forums aligns with RaaS operators monetizing initial access for secondary attacks.
Technical Analysis of Pay2Key’s Attack Chain
The ransomware employs hybrid encryption (AES-256 for file contents, with the AES keys protected by RSA-2048) to lock files, coupled with multi-stage extortion tactics.
Attackers first gain entry through exposed or weakly secured Remote Desktop Protocol (RDP) services or unpatched VPN appliances, a signature Fox Kitten technique, then spend weeks mapping the network so that the eventual encryption run hits as many systems as possible.
Key capabilities:
- Persistence Mechanisms: Modifies registry keys and deploys custom scripts to disable endpoint detection tools.
- Double Extortion: Threatens to leak stolen data on Telegram, Twitter, and darknet sites unless ransoms of 7–9 BTC (about $140,000 at the time) are paid.
- Supply Chain Focus: Targets IT service providers to compromise downstream clients, a strategy elevating collateral damage.
Check Point's analysis reveals the malware is written in C++ with no code overlap with known ransomware strains, suggesting bespoke development for high-value targets.
However, its rapid deployment cycle—encrypting networks within one hour—indicates optimization for affiliate use cases.
Geopolitical Context and Implications
The attacks coincide with escalating Iran-Israel tensions following the November 2020 assassination of Iranian nuclear scientist Mohsen Fakhrizadeh.
ClearSky assesses Pay2Key’s primary objective as disruption rather than profit, noting encrypted data often remains unrecoverable even after ransoms are paid.
This aligns with Tehran’s strategy of using cyber operations as asymmetric retaliation while maintaining plausible deniability through RaaS-style outsourcing.
Security analysts warn that blending APT-grade tradecraft with RaaS models creates unprecedented risks.
As Fox Kitten monetizes network access, smaller criminal groups could weaponize these footholds for independent ransomware strikes—a convergence threatening global critical infrastructure.
Mitigation efforts require patching and restricting exposure of RDP and VPN services (no direct internet exposure, multi-factor authentication), segmenting networks so that a single foothold cannot reach every host, and monitoring for PsExec abuse: service installs named PSEXESVC, executables written into ADMIN$ shares, PsExec-style named pipes, and one source touching many hosts in a short window.
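As an added example (not code from the original article, ClearSky or Check Point), the following Python detection logic covers the PsExec monitoring recommended above and the rapid PsExec-driven deployment described under "Scalable Attack Infrastructure". It runs three rules over constructed Windows telemetry flattened to key=value lines: Security event 5145 (network share access, used here for ADMIN$ writes), System event 7045 (service installed) and Sysmon event 17 (named pipe created). Rule 1 catches PsExec's default artefact name (PSEXESVC); rule 2 is a heuristic for PsExec launched with a renamed service (`psexec -r <name>`), which pairs a fresh service install with a same-named `\<name>-<host>-<pid>-stdin/stdout/stderr` pipe on the same host; rule 3 flags one source writing into ADMIN$ on several hosts within a short window, the fan-out shape of a scripted rollout. The host names, IPs and timestamps are all invented sample data; the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Three hosts hit from 10.0.0.15 within
# a few minutes, one with default PsExec names and two with a renamed service, plus
# two benign events on WS03 (a Sysmon install and a single ADMIN$ write).
SAMPLE_EVENTS = [
    r"ts=2020-11-05T01:02:10 host=FS01 event_id=5145 src_ip=10.0.0.15 share=\\*\ADMIN$ target=PSEXESVC.exe access=WriteData",
    r"ts=2020-11-05T01:02:11 host=FS01 event_id=7045 service=PSEXESVC image=%SystemRoot%\PSEXESVC.exe",
    r"ts=2020-11-05T01:02:12 host=FS01 event_id=17 pipe=\PSEXESVC-WS07-4412-stdin image=C:\Windows\PSEXESVC.exe",
    r"ts=2020-11-05T01:03:40 host=DB02 event_id=5145 src_ip=10.0.0.15 share=\\*\ADMIN$ target=svchost_x.exe access=WriteData",
    r"ts=2020-11-05T01:03:41 host=DB02 event_id=7045 service=svchost_x image=%SystemRoot%\svchost_x.exe",
    r"ts=2020-11-05T01:03:42 host=DB02 event_id=17 pipe=\svchost_x-WS07-4412-stdin image=C:\Windows\svchost_x.exe",
    r"ts=2020-11-05T01:05:05 host=APP03 event_id=5145 src_ip=10.0.0.15 share=\\*\ADMIN$ target=wsmprov.exe access=WriteData",
    r"ts=2020-11-05T01:05:06 host=APP03 event_id=7045 service=wsmprov image=%SystemRoot%\wsmprov.exe",
    r"ts=2020-11-05T01:05:07 host=APP03 event_id=17 pipe=\wsmprov-WS07-4412-stdout image=C:\Windows\wsmprov.exe",
    r"ts=2020-11-05T08:00:00 host=WS03 event_id=7045 service=Sysmon64 image=C:\Windows\Sysmon64.exe",
    r"ts=2020-11-05T08:30:00 host=WS03 event_id=5145 src_ip=10.0.0.50 share=\\*\ADMIN$ target=patch.msi access=WriteData",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
# PsExec names its control pipes <service>-<client host>-<client pid>-std{in,out,err}.
PIPE_RE = re.compile(r"^\\([A-Za-z0-9_]+)-[A-Za-z0-9_-]+-\d+-(stdin|stdout|stderr)$")


def parse_event(line):
    """Turn one key=value log line into a dict with typed ts and event_id."""
    ev = dict(KV_RE.findall(line))
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["event_id"] = int(ev["event_id"])
    return ev


def detect(lines, fanout_hosts=3, fanout_window=timedelta(minutes=10)):
    """Return {rule: sorted subjects} for the three PsExec indicators below."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    hits = defaultdict(set)

    # Rule 1: default PsExec artefact name anywhere in service, image, pipe or target.
    for e in events:
        if any("PSEXESVC" in e.get(k, "").upper() for k in ("service", "image", "pipe", "target")):
            hits["psexec_default_name"].add(e["host"])

    # Rule 2 (heuristic): a newly installed service whose name reappears as the prefix of a
    # PsExec-style pipe on the same host within 60 s, which also catches `psexec -r <name>`.
    services = [e for e in events if e["event_id"] == 7045]
    pipes = [e for e in events if e["event_id"] == 17]
    for s in services:
        for p in pipes:
            m = PIPE_RE.match(p.get("pipe", ""))
            if (m and m.group(1).lower() == s["service"].lower()
                    and p["host"] == s["host"]
                    and abs(p["ts"] - s["ts"]) <= timedelta(seconds=60)):
                hits["psexec_style_service"].add(s["host"])
                break

    # Rule 3: one source writing into ADMIN$ on >= fanout_hosts distinct hosts inside the window.
    writes = defaultdict(list)
    for e in events:
        if (e["event_id"] == 5145 and e.get("share", "").upper().endswith("ADMIN$")
                and e.get("access") == "WriteData"):
            writes[e["src_ip"]].append((e["ts"], e["host"]))
    for src, w in writes.items():
        for start, _ in w:
            touched = {h for t, h in w if start <= t <= start + fanout_window}
            if len(touched) >= fanout_hosts:
                hits["admin_share_fanout"].add(src)
                break

    return {rule: sorted(subjects) for rule, subjects in hits.items()}


if __name__ == "__main__":
    for rule, subjects in detect(SAMPLE_EVENTS).items():
        print(f"{rule}: {', '.join(subjects)}")
```

Rule 2 fires on FS01 as well as the two renamed hosts, which is intended: it does not depend on the PSEXESVC string at all, so it keeps working when an operator renames the service. Rule 3 is the one that distinguishes a single administrator pushing one package (10.0.0.50 to WS03) from the burst deployment described in the article; raise or lower `fanout_hosts` and `fanout_window` to match how many hosts legitimate tooling in your environment touches at once.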
With Pay2Key’s operators still expanding their target list, organizations must prepare for hybrid threats merging nation-state precision with criminal scalability.