Threat Report

PAY2KEY.I2P A sophisticated ransomware-as-a-service operation targeting Western organizations

Threat Overview

Pay2Key, an Iranian-backed ransomware-as-a-service (RaaS) operation, has re-emerged as Pay2Key.I2P. This new variant is specifically targeting Western organizations and is linked to the Fox Kitten APT group. The campaign has collected over $4 million in ransom payments within just four months. The group offers an 80% profit share to affiliates who support Iran or attack its enemies, blending financial motivations with geopolitical objectives.

Pay2Key.I2P employs sophisticated evasion techniques, including anti-analysis checks and obfuscation methods. This makes it difficult for security tools to detect and analyze the malware’s activities. The operation’s strategic marketing on darknet forums and social media platforms indicates a planned rollout, with the addition of Linux-targeted ransomware expanding their attack surface.

Detailed Analysis

Pay2Key.I2P is a sophisticated RaaS operation that provides remote access and encryption capabilities through compromised devices. The malware is designed to evade detection by implementing various anti-analysis techniques, making it challenging for security tools to identify its presence.

The malware connects to a custom command and control (C2) server at a hardcoded URL. This server acts as the central hub for the attacker to send commands to the infected devices and receive data back. The use of a custom C2 server ensures that the communication between the malware and the server is encrypted, making it difficult for security tools to detect and analyze the traffic.

Pay2Key.I2P utilizes advanced obfuscation methods to hide its true intentions and evade detection. These methods include code encryption, string obfuscation, and control flow flattening. By employing these techniques, the malware can bypass traditional signature-based detection mechanisms and remain undetected for extended periods.

The malware has been observed targeting a wide range of organizations across various industries, including finance, healthcare, and government sectors. By compromising these devices, attackers can gain access to sensitive information, disrupt operations, and demand ransom payments in exchange for the decryption keys.

Pay2Key.I2P supports various channel types, including ‘session’ and a non-standard ‘jump’ type. The ‘session’ channel type allows the attacker to establish a remote shell on the infected device, providing direct access to the system. The ‘jump’ channel type is used for reverse-SSH tunneling, allowing the attacker to pivot into other networks after compromising a perimeter device.

The malware also offers TCP tunneling capabilities. TCP tunneling allows the attacker to create a secure tunnel between the infected device and the C2 server, enabling the transfer of data and commands. This capability is particularly useful for attackers who need to exfiltrate data from the compromised network.

Operational Security Measures

While Pay2Key.I2P implements sophisticated evasion techniques, its network communications are distinctive due to its use of advanced obfuscation methods. This makes it easier for security tools to detect and analyze the malware’s traffic over time. Additionally, the use of a hardcoded C2 URL makes it difficult for the malware to adapt to changes in the network environment, potentially exposing the C2 server to detection and takedown.

Recommendations for Mitigation

Organizations can implement several measures to mitigate the threat posed by Pay2Key.I2P. These include:

• Network Segmentation: Implement network segmentation to limit the lateral movement of attackers within the network. This can be achieved by dividing the network into smaller segments and implementing strict access controls between segments.
• Regular Updates: Keep all systems and software up to date with the latest security patches. This includes firewalls, operating systems, and applications. Regular updates help to address known vulnerabilities that can be exploited by malware like Pay2Key.I2P.
• Intrusion Detection Systems: Deploy intrusion detection systems (IDS) to monitor network traffic for signs of malicious activity. IDS can help to detect and alert on suspicious traffic patterns, allowing organizations to respond quickly to potential threats.
• Endpoint Protection: Implement endpoint protection solutions to detect and block malware on individual devices. Endpoint protection can help to prevent the initial infection and limit the spread of malware within the network.
• Security Awareness Training: Provide regular security awareness training to employees to help them recognize and report potential security threats. This can include phishing simulations, training on recognizing suspicious emails, and best practices for password security.
• Regular Backups: Maintain regular backups of critical data to ensure that it can be restored in the event of a ransomware attack or data loss. Backups should be stored offline or in a separate network segment to prevent them from being encrypted or deleted by the malware.
• Incident Response Plan: Develop and maintain an incident response plan to ensure that the organization can respond quickly and effectively to security incidents. The plan should include steps for containing the threat, investigating the incident, and restoring affected systems.

By implementing these measures, organizations can significantly reduce the risk of falling victim to Pay2Key.I2P and other sophisticated malware threats.