Iranian hackers target Israeli firms in ‘double extortion’ ransomware attack
Iranian hackers were behind the Pay2Key ransomware attack on dozens of Israeli companies last week, according to the Israeli cyber security firm Check Point, which worked with the Israeli blockchain intelligence firm Whitestream to discover the source of the attack.
From each of the companies that fell prey to the attack, the hackers demanded payment of seven to nine bitcoins, worth some $111,000-$141,000.
Check Point reported that after four of the firms decided to pay the ransom to release their data, it tracked the bitcoin transactions carried out by the hackers and identified them as Iranian.
The tracing process began with the addresses of the bitcoin wallets to which the victims were instructed to send their ransom payments. Eventually, the transactions wound up in wallets belonging to Excoino, an Iranian entity that supplies secure business services in cryptocurrency.
Excoino only works with Iranian citizens. To sign up for the service, a potential user must have a valid Iranian phone number as well as an Iranian identity number. The service also demands a copy of the account holder’s ID, as well, all of which led Check Point to the conclusion that the hackers were Iranians.
Check Point explained that this latest attack used the “double extortion” method on its victims, a new development in ransomware attacks. In the double extortion model, hackers not only encode a company’s data, blocking access to it, they also threaten to steal data and leak it if their demands for payment are not met.
To show what can happen when companies do not comply with their demands, the operators of the Pay2Key scam created a dedicated website on which they post content stolen from companies who refused to pay them. These include three Israeli companies.