Pay2Key is a ransomware written in C++ that has been used by Fox Kitten since at least July 2020 including campaigns against Israeli companies. Pay2Key has been incorporated with a leak site to display stolen sensitive information to further pressure victims into payment.[1][2]

ID: S0556
Platforms: Windows
Version: 1.0
Created: 04 January 2021
Last Modified: 22 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1486 Data Encrypted for Impact

Pay2Key can encrypt data on victim's machines using RSA and AES algorithms in order to extort a ransom payment for decryption.[1][2]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Pay2Key has used RSA encrypted communications with C2.[2]

Enterprise T1070 .004 Indicator Removal: File Deletion

Pay2Key can remove its log file from disk.[2]

Enterprise T1095 Non-Application Layer Protocol

Pay2Key has sent its public key to the C2 server over TCP.[2]

Enterprise T1090 .001 Proxy: Internal Proxy

Pay2Key has designated machines in the compromised network to serve as reverse proxy pivot points to channel communications with C2.[1][2]

Enterprise T1489 Service Stop

Pay2Key can stop the MS SQL service at the end of the encryption process to release files locked by the service.[2]

Enterprise T1082 System Information Discovery

Pay2Key has the ability to gather the hostname of the victim machine.[2]

Enterprise T1016 System Network Configuration Discovery

Pay2Key can identify the IP and MAC addresses of the compromised host.[2]

Groups That Use This Software

ID Name References
G0117 Fox Kitten