Main article: Ransomware
2025: Attacks on Russian companies in the areas of retail, finance, IT and construction
On July 31, 2025, F6, a developer of technologies for combating cybercrime, announced attacks by the Pay2Key ransomware on Russian organizations. In the spring of 2025, at least three campaigns were recorded that targeted Russian organizations in retail, finance, IT and construction.
According to analysts from F6's Threat Intelligence department, the Pay2Key ransomware service has been distributed on Russian-language cybercriminal forums under the RaaS (Ransomware as a Service) model since the end of February 2025. Despite the rule on many shadow sites forbidding attacks on Russian users, the attackers used the ransomware against targets in Russia: the F6 MXDR system detected and blocked mailings belonging to at least three phishing campaigns aimed at Russian users. The March and May campaigns targeted retail, construction and development organizations, while the financial software sector was the target of the April attack.
The subjects of the malicious emails ranged from a commercial offer and proof of credentials to a "barbed wire fence" and a "monument for a memorial complex."
In addition to phishing mailings, the attackers' arsenal included self-extracting archives, legitimate tools and advanced techniques for bypassing anti-virus protection. The Pay2Key malware itself is built on Mimic, a malware family with one of the most complex encryption schemes, which is actively used to attack Russian small businesses.
On one of the shadow forums, partners of the service were promised average monthly earnings of 1.5 million rubles. There are already cases in which participants in the cybercriminal project demanded a ransom for restoring access, averaging about 170 thousand rubles.
"The number of attacks on Russian companies using ransomware is constantly growing, while the number of groups is also growing. More and more ads about the creation of RaaS services appear on shadow Russian-language forums, and groups are increasingly moving away from the unspoken rule not to attack organizations in the CIS. With competition increasing in the shadow market, attackers are constantly trying to refine and make their project unique in order to attract even more potential partners. We believe that in the near future we will see even more RaaS projects attacking Russian companies," said Artur Bulgakov, an analyst at the Threat Intelligence cyber attack research department at F6.
2020: The first ransomware attacks
The Pay2Key ransomware is able to encrypt corporate networks in just an hour. This became known on November 10, 2020.
A number of companies and large corporations in Israel fell victim to cyber attacks using ransomware called Pay2Key. The first attacks were recorded by specialists from Check Point at the end of October 2020, and their number has since increased.
According to the experts, the criminals usually carry out attacks after midnight, when companies have fewer IT employees available. The Pay2Key malware presumably penetrates an organization's network through a poorly secured RDP (Remote Desktop Protocol) connection. The attackers gain access to corporate networks "some time before the attack," and the malware can encrypt the victim's network within an hour.
Having penetrated the local network, the hackers install a proxy server on one of the devices so that all copies of the malware communicate with the C&C server through it. The payload (Cobalt.Client.exe) is launched remotely using the legitimate PsExec utility.
Numerous compilation artifacts indicate that the ransomware has another name - Cobalt. Although the identity of the attackers remains unknown, the wording of various strings in the code, written in broken English, suggests that the attacker is not a native English speaker.
The ransomware is written in C++. It encrypts files with an AES key and uses RSA keys to communicate with the C&C server. Over the same channel, Pay2Key receives a configuration file with a list of file extensions to encrypt, a ransom note template, etc.
After encryption is completed, ransom notes are left on the compromised systems. The Pay2Key group usually demands a ransom of 7 to 9 bitcoins (about $110 to $140 thousand). The criminals' encryption scheme looks reliable (using the AES and RSA algorithms), and, unfortunately, experts have not yet been able to develop a free decryptor for victims[1].
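The intrusion chain described above (a remote-desktop logon at night, then PsExec used to launch the payload on the same host) is something a defender can hunt for in Windows event logs. The Python below is an added example and is not code from the original article, F6 or Check Point; the event records, host and user names, and the business-hours range are constructed assumptions, while the event IDs (4624 with logon type 10 for an RDP logon, 7045 for a service installation) are standard Windows events.

```python
from datetime import datetime, timedelta

# Constructed sample Windows events (not real telemetry from the attacks described):
# an RDP logon (4624, logon type 10) after midnight on FS01, followed 20 minutes later
# by a PsExec service install (7045, PSEXESVC) on the same host; WS07 is benign noise.
SAMPLE_EVENTS = [
    {"ts": "2020-10-28T01:12:04", "host": "FS01", "event_id": 4624, "logon_type": 10, "user": "svc-backup"},
    {"ts": "2020-10-28T01:32:41", "host": "FS01", "event_id": 7045, "service": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2020-10-28T10:05:00", "host": "WS07", "event_id": 4624, "logon_type": 10, "user": "jdoe"},
    {"ts": "2020-10-28T10:15:00", "host": "WS07", "event_id": 7045, "service": "Spooler",
     "image_path": "%SystemRoot%\\System32\\spoolsv.exe"},
]

BUSINESS_HOURS = range(8, 19)   # assumption: 08:00-18:59 local time counts as staffed hours
WINDOW = timedelta(hours=1)     # the article reports a network being encrypted within about an hour


def is_off_hours(ts: str) -> bool:
    """True when the timestamp falls outside the assumed business hours."""
    return datetime.fromisoformat(ts).hour not in BUSINESS_HOURS


def find_rdp_to_psexec(events, window=WINDOW):
    """Return one finding per PsExec service install (7045 / PSEXESVC) that was preceded
    within `window` by a remote-desktop logon (4624, logon type 10) on the same host."""
    rdp_logons = [e for e in events if e["event_id"] == 4624 and e.get("logon_type") == 10]
    installs = [e for e in events if e["event_id"] == 7045
                and "psexesvc" in e.get("service", "").lower()]
    findings = []
    for svc in installs:
        for logon in rdp_logons:
            if logon["host"] != svc["host"]:
                continue
            gap = datetime.fromisoformat(svc["ts"]) - datetime.fromisoformat(logon["ts"])
            if timedelta(0) <= gap <= window:
                findings.append({
                    "host": svc["host"],
                    "rdp_user": logon["user"],
                    "off_hours": is_off_hours(logon["ts"]),   # night-time access is the reported pattern
                    "minutes_to_psexec": int(gap.total_seconds() // 60),
                })
    return findings


if __name__ == "__main__":
    for finding in find_rdp_to_psexec(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample this reports a single finding for FS01 (off-hours RDP logon, PsExec service installed 20 minutes later); the Spooler install on WS07 is ignored because it is not PsExec.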
