{
	"id": "bf02c64c-ccb2-43f2-bc14-92edac54ab28",
	"created_at": "2026-04-06T00:21:19.882661Z",
	"updated_at": "2026-04-10T13:12:33.614683Z",
	"deleted_at": null,
	"sha1_hash": "1b97889b7b9c89d7bed71413db8fe7b8ec3f8860",
	"title": "Pay2Key Ransomware Alert - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97441,
	"plain_text": "Pay2Key Ransomware Alert - Check Point Research\r\nBy stcpresearch\r\nPublished: 2020-11-06 · Archived: 2026-04-05 17:07:43 UTC\r\nIntroduction\r\nOver the past week, an exceptional number of Israeli companies reported ransomware attacks. While some of the attacks were carried out by known ransomware strains like REvil and Ryuk, several large corporations experienced a full-blown attack with a previously unknown ransomware variant named Pay2Key.\r\nAs days go by, more of the reported ransomware attacks turn out to be related to the new Pay2Key ransomware. The attacker followed the same procedure to gain a foothold, propagate and remotely control the infection within the compromised companies.\r\nThe investigation so far indicates the attacker may have gained access to the organizations’ networks some time before the attack, but demonstrated the ability to spread the ransomware to the entire network within an hour. After completing the infection phase, the victims received a customized ransom note, with a relatively low demand of 7-9 bitcoins (~$110K-$140K).\r\nThe full scope of these attacks is still unraveling and is under investigation; but we, at Check Point Research and the Incident Response teams, would like to offer our initial analysis of this new ransomware variant, as well as to provide relevant IOCs to help mitigate possible ongoing attacks.\r\nKey findings:\r\n1. A previously unknown ransomware, dubbed Pay2Key, carries out targeted attacks against Israeli companies.\r\n2. Initial infection is presumably made through an RDP connection.\r\n3. Lateral movement is made using psexec.exe to execute the ransomware on the different machines within the organization.\r\n4. Special attention was given to the design of the network communication, in order to reduce the noise a large number of encrypted machines may generate while contacting the Command and Control servers.\r\n5. 
The encryption scheme is solid – using the AES and RSA algorithms.\r\nAttacks Timeline\r\nOver the last few days, we were able to obtain bits and pieces of information as well as various forensic artifacts from Israeli Incident Response teams, indicating that a new ransomware strain is being deployed against Israeli corporations (perhaps exclusively).\r\nCombining these elements, we were able to bring together a partial image of the attacks as they unfolded:\r\n2020-06-28 – The attacker created a KeyBase account by the name of “pay2key”\r\n2020-10-26 – First ransomware sample compilation date\r\n2020-10-27 – Second ransomware sample compilation date\r\n2020-10-27 – First Pay2Key sample uploaded to VT, compiled on the same day – may indicate its first appearance in the wild.\r\n2020-10-28 – Second ransomware sample uploaded to VT – indicating a possible attacked organization.\r\n2020-11-01 – Third sample compilation date\r\n2020-11-01 – The first reported attack (Sunday; a working day in Israel)\r\n2020-11-02 – The second reported attack\r\nThe Pay2Key propagation appears to be conducted as follows:\r\n1. Right after midnight, the attackers connected to a machine on the targeted network, most probably via RDP.\r\n2. A machine is defined as a Pivot / Proxy point within the network, likely by using a program named “ConnectPC.exe”. All outgoing communication between all ransomware processes within the network and the attacker’s C\u0026C server will go through this proxy from this point on.\r\n3. 
The attacker used psexec.exe to execute “Cobalt.Client.exe”, which is the Pay2Key ransomware itself, on different machines within the organization.\r\nNew Ransomware\r\nhttps://research.checkpoint.com/2020/ransomware-alert-pay2key/\r\nPage 1 of 13\r\nAnalyzing the Pay2Key ransomware operation, we were unable to correlate it to any other existing ransomware strain, and it appears to have been developed from scratch.\r\nOnly a single engine on VirusTotal detected the uploaded ransomware samples as malicious, even though the ransomware does not use a packer or protection of any kind to hide its internal functionality.\r\nNumerous compilation artifacts point to the fact that internally, this ransomware is in fact named Cobalt (not to be confused with Cobalt Strike).\r\nWhile the identity of the attacker is unknown, inconsistent English wording within the various strings found in the code, as well as the ones we observed in the log file, suggests that the attacker is not a native English speaker.\r\nRansom Demand\r\nAfter successful encryption, the ransomware drops a ransom note to the system, customized to the targeted corporation, in the form of [ORGANIZATION]_MESSAGE.TXT. The ransom amount ranges between 7 and 9 Bitcoins among the ransom notes we observed.\r\nFigure 1: Pay2Key ransom note – even the ASCII-art is customized per organization\r\nIt is worth mentioning that although the ransom note informs the victims of a data breach, as other double-extortion ransomware does, we have yet to find any evidence that supports it.\r\nPay2Key\r\nOne interesting thing to note is that the Keybase account used by the attacker to chat with their victims has the same logo as the Pay2Key EOSIO smart contract system. 
A possible explanation is the fact that when searching “pay2key” in Google Images, this is the first result.\r\nFigure 2: Pay2Key Keybase.io profile\r\nTechnical Analysis\r\nInitial Access\r\nOur analysis of the attack by Pay2Key focused on the binary of the ransomware itself, since some of the previous stages in the attack were not accessible to us. The attack, as we mentioned earlier, started by manually accessing one of the machines on the victim’s network, likely via RDP. The attacker copied and created multiple files on the machine, including:\r\nCobalt.Client.exe – Pay2Key ransomware\r\nConfig.ini – A configuration file that specifies “Server” and “Port”\r\nConnectPC.exe – Pivot / Proxy server\r\nAfter the creation of these files on the infected machine, the attackers executed ConnectPC.exe. Then, they copied or downloaded the PsExec utility and used it to remotely execute the ransomware on other machines in the organization. In order to work properly, the ransomware requires a config file to be located in the same working directory. Thus, Config.ini is required to be dropped on the victim’s computer along with Cobalt.Client.exe. In the cases we’ve seen, the Pay2Key ransomware was executed from paths of this template: C:\\Windows\\Temp\\[organization-name]tmp\\Cobalt.Client.exe\r\nConfiguration\r\nThe artifacts we were able to put our hands on are the ransomware, Cobalt.Client.exe, and the configuration file. The configuration file is a very simple INI file that contained two entries — Server and Port. To our surprise, the Server wasn’t an external command and control server, but rather the IP of the initially infected machine. Thus, we believe that the original machine was using ConnectPC.exe as a utility to relay communication from victims inside the organization to the external control server. 
This approach increases the chance that the different machines will be able to communicate, because internal communication is more likely to be allowed. It also decreases the chances that the address of the command and control will be revealed by analysts, as there is only one machine in the organization that knows of it.\r\nThe configuration file that was used in the attack looked like this:\r\n[Config]\r\nServer = \u003cinternal IP address\u003e\r\nPort = 5050\r\nIf the ransomware was executed with --config [path] as a command-line argument, it will read the configuration file from the path specified in the argument.\r\nThe Ransomware\r\nThe Pay2Key ransomware is written in C++ and compiled using MSVC++ 2015. It heavily relies on Object-Oriented Programming and uses well-designed classes for its operation. It also makes use of third-party libraries such as the popular Boost libraries. 
Luckily, the ransomware was not stripped and it contained a decent amount of debug logs as well as rich RTTI information.\r\n$ diec Cobalt.Client.exe\r\nPE: compiler: Microsoft Visual C/C++(2015 v.14.0)[-]\r\nPE: linker: Microsoft Linker(14.0, Visual Studio 2015 14.0*)[EXE32,console]\r\n$ rabin2 -I Cobalt.Client.exe | grep \"compiled\\|pdb\"\r\ncompiled Mon Oct 26 12:37:49 2020\r\ndbg_file F:\\2-Sources\\21-FinalCobalt\\Source\\cobalt\\Cobalt\\Cobalt\\Win32\\Release\\Client\\Cobalt.Client.pdb\r\nUpon execution, Pay2Key reads the Server and Port keys from the configuration file. If a configuration file was not found in the current working directory and wasn’t supplied in the command-line arguments, the ransomware will write “no config file found” to a file at .\\Cobalt-Client-log.txt. This log file will be used extensively by the ransomware during its execution. Newer versions of the ransomware make sure to remove this log file from the disk. 
The full list of supported log messages can be found in the appendix section of this article.\r\nIt then initializes the main class of the program, Cobalt::DataProcessing::RansomwareEngine, followed by the initialization of other important classes that are responsible, among other things, for communication, message handling, managing files and encryption.\r\nPay2Key generates a pair of RSA keys and sends the public key to the server over raw TCP. The keys will be used to set up secure communication between the ransomware and the server. After sending the key, the ransomware will wait for messages from the server. These messages are parsed and handled by a custom Message Handler.\r\nSupported Messages\r\nMessage_ID – Message_Name – Notes\r\n0 – PublicKey – Receive the server’s public key\r\n1 – Identification – Send to the server the IP address, the MAC address and the hostname.\r\n2 – Config – Receive a configuration from the server. The configuration is a very important aspect of the ransomware, as it contains valuable information such as a list of file extensions to encrypt, the name of the victim’s organization, the ransom note, the extension of the encrypted file, and more.\r\n3 – ExceptionMessage\r\n4 – SessionKey – Receive a unique session key from the server\r\n5 – JobFinished – Announce that the encryption job is finished\r\n6 – Abort – Stop the execution\r\n7 – GetClientList – N/A\r\n8 – ClientList – N/A\r\n9 – GetClientInformation – Send, upon request, the status of different tasks like the encryption task.\r\n10 – ClientInformation – Send the status of different tasks like the encryption task.\r\n11 – Acknowledge\r\n12 – GetIdentification – Send to the server, upon request, the IP address, the MAC address and the hostname.\r\n13 – None – N/A\r\nThe ransomware uses dedicated classes to handle different messages. 
We noticed some of these handlers and message types are not implemented in the binaries we have, and some of them aren’t even checked by the message handler manager. This is another indication that the ransomware is under active development. The missing messages, perhaps, can be part of code that is now removed, or alternatively — code that wasn’t implemented yet.\r\nDuring the reverse engineering process of the ransomware samples, we utilized the fact that they contain rich RTTI data. Such information helps us understand the role of different pieces of the code and the relationship between them. With the help of Cutter, we were able to inspect the different classes elegantly.\r\nFigure 3: RTTI is parsed by Cutter and shown in the Classes window\r\nThe most interesting message type is “Config”, as it contains information that the ransomware uses during the infection. Analyzing the ransomware without the information from this message results in constant fallbacks to default configurations. Among other things, the configuration message contains the list of file extensions to encrypt, the file extension for encrypted files (default .enc), the name for the ransom note file (defaulting to “salam”, as in SALAM_MESSAGE.TXT), and the ransom note.\r\nIt is interesting to mention that both the file name and the ransom note specified the name of the infected organization. The attackers even went all the way to generate ASCII-art with the name of the infected organization. The file name of the ransom note from the config will have the following template: [ORGANIZATION]_MESSAGE.TXT. 
In the incidents we analyzed, the extension that was received from the server was .pay2key, but it could have been anything else, as the ransomware is flexible enough.\r\nAt the end of the encryption process, Pay2Key will also terminate the MS SQL service using the following command: net stop mssqlserver \u003e nul, in order to release the files locked by the service. It might also replace the wallpaper of the victim, but we did not see this happening on the machines we analyzed.\r\nEvolution\r\nWe analyzed multiple samples in a short period of time and we noticed several improvements in them. This means that Pay2Key is under active development and the developers update it with more features. For example, in the latest version of the ransomware, we noticed that the attackers added a self-killing mechanism, in addition to a new command-line argument, --noreboot.\r\nThe new “housekeeping” mechanism is responsible for removing the files created by the attacker and restarting the machine.\r\nFigure 4: The function that is responsible for removing the ransomware and its files and restarting the system\r\nEncryption\r\nAs is standard for ransomware, a hybrid of symmetric and asymmetric cryptography is used for file encryption — using the AES and RSA algorithms. The C2 server supplies an RSA public key at runtime during communication. This implies that this ransomware doesn’t encrypt offline – if there’s no internet connection, or the C2 is down, then no encryption will occur.\r\nRecent years have seen some ransomware that aggressively use cryptographic primitives to put the onus of creating successful contact with the operators on the victim (e.g. 
by embedding the server public key in the executable), and at the time this was considered a technical improvement, but evidently the authors here prefer the classic flavor.\r\nFigure 5: A symmetric RC4 key is generated and encrypted using an RSA public key.\r\nOne unusual thing to point out is the use of RC4 for some (not all) of its cryptographic functions. RC4 is a stream cipher, and is easier to misuse in catastrophic ways; it is usually popular among malware authors for its ease of implementation, but here the authors actually used a third-party implementation (via the Windows API). This may be the first time we’ve ever seen malware authors essentially say “we have the whole world of cryptography at our fingertips, third-party libraries for everything, powerful symmetric crypto as far as the eye can see. Let’s pick… RC4”. But, again, for this to really matter would require some sort of subtle error when invoking the cipher, and we were not able to pinpoint one.\r\nFigure 6: The malware attempts to access a user key in the “pippo container”, and generates a new one if it is not there.\r\nAnother curiosity is the malware’s use of a custom-named key container named pippo container. Other ransomware pretty much universally set a null value for the szContainer parameter, which defaults to a new key container — then perform all cryptographic operations with the context still open. 
It’s a piece of boilerplate code, a standard ransomware building block that is known to work and that cybercriminals therefore copy, paste and forget; the fact that the authors did not use it outright is evidence of some amount of unhealthy curiosity about the Windows cryptographic API and its capabilities.\r\nFigure 7: An AES key is derived from a hash value.\r\nOne final deviation from the “classic” ransomware formula is the use of CryptDeriveKey on a hashed value in order to derive an AES key (instead of the traditional CryptGenKey). If the hash values were derived deterministically then the resulting key could be reconstructed, but some element of randomness in the hash (or any number of other possible separate tweaks on the client or server side) could render this approach viable. Still, we can’t repeat enough that when it comes to cryptography, reinventing the wheel is not advised.\r\nConclusion\r\nWhile the attack is still under investigation, the recent Pay2Key ransomware attacks indicate a new threat actor is joining the trend of targeted ransomware attacks – presenting a well-designed operation to maximize damage and minimize exposure.\r\nThe attack was observed targeting the Israeli private sector so far, but looking at the presented tactics, techniques, and procedures we see a potent actor who has no technical reason to limit their target list to Israel. The incidents are still under investigation, and we will update this blog post if new findings come to light.\r\nCheck Point’s Anti-Ransomware solution defends organizations against the most sophisticated ransomware attacks, and safely recovers encrypted data, ensuring business continuity and productivity. 
Anti-Ransomware is offered as part of Check Point’s comprehensive endpoint security suite, SandBlast Agent, to deliver real-time threat prevention to your organization’s endpoints.\r\nAcknowledgments\r\nWe would like to thank the researchers from Claroty Research for their assistance and collaboration during this research.\r\nCheck Point Protections\r\nThreat Cloud Protections:\r\nRansomware.Win32.Pay2Key.TC.a\r\nRansomware.Win32.Pay2Key.TC.b\r\nThreat Emulation Protections:\r\nTrojan.Wins.Cobalt.F\r\nAppendix\r\nIndicators of Compromise\r\nHashes (SHA256 – MD5)\r\n5BAE961FEC67565FB88C8BCD3841B7090566D8FC12CCB70436B5269456E55C00 – F3076ADD8669D1C33CD78B6879E694DE\r\nEA7ED9BB14A7BDA590CF3FF81C8C37703A028C4FDB4599B6A283D68FDCB2613F – 4E615861B6D7D778FDC1AC2A61148FE9\r\nD2B612729D0C106CB5B0434E3D5DE1A5DC9D065D276D51A3FB25A08F39E18467 – 7DB5DD6F2231DA6EB07D907312B1ABE9\r\nClasses\r\nList of classes retrieved from Cutter based on RTTI information in the binary:\r\nBase classes:\r\nCobalt::Common::IDecryptor\r\nCobalt::Common::IDirectory\r\nCobalt::Common::IEncryptor\r\nCobalt::Common::IException\r\nCobalt::Common::IExceptionFactory\r\nCobalt::Common::IFile\r\nCobalt::Common::IFileMatcher\r\nCobalt::DataAccess::IFileReader\r\nCobalt::DataAccess::IFileWriter\r\nCobalt::DataAccess::ISystemFileManager\r\nCobalt::DataAccess::IWindowsDrive\r\nCobalt::Peripheral::IPeripheralConnection\r\nClasses:\r\nCobalt::Common::MyselfKiller\r\nCobalt::Common::CommonExceptionFactory, Base Classes: Cobalt::Common::IExceptionFactory\r\nCobalt::Communication::AbortMessage, Base Classes: Cobalt::Communication::ISerializableMessage, Cobalt::Communication::IMessage\r\nCobalt::Communication::AcknowledgeMessage, Base Classes: Cobalt::Communication::ISerializableMessage, Cobalt::Communication::IMessage\r\nCobalt::Communication::ClientInformation, Base Classes: Cobalt::Communication::ISerializableMessage, Cobalt::Communication::IMessage\r\nCobalt::Communication::ConfigurationMessage, Base Classes: Cobalt::Communication::ISerializableMessage, Cobalt::Communication::IMessage\r\nCobalt::Communication::ExceptionMessage, Base Classes: Cobalt::Communication::ISerializableMessage, Cobalt::Communication::IMessage, Cobalt::Common::IException\r\nCobalt::Communication::ExceptionMessage_1, Base Classes: Cobalt::Communication::ISerializableMessage, Cobalt::Communication::IMessage, Cobalt::Common::IException\r\nCobalt::Communication::GetClientInformation, Base Classes: Cobalt::Communication::ISerializableMessage, Cobalt::Communication::IMessage\r\nCobalt::Communication::GetIdentificationMessage, Base Classes: Cobalt::Communication::ISerializableMessage, Cobalt::Communication::IMessage\r\nCobalt::Communication::IMessage\r\nCobalt::Communication::IMessageExtractor\r\nCobalt::Communication::IMessageFactory\r\nCobalt::Communication::IMessagePackager\r\nCobalt::Communication::ISerializableMessage\r\nCobalt::Communication::IdentificationMessage, Base Classes: Cobalt::Communication::ISerializableMessage, Cobalt::Communication::IMessage\r\nCobalt::Communication::JobFinishedMessage, Base Classes: Cobalt::Communication::ISerializableMessage, Cobalt::Communication::IMessage\r\nCobalt::Communication::MessageExtractor, Base Classes: Cobalt::Communication::IMessageExtractor\r\nCobalt::Communication::MessageFactory, Base Classes: Cobalt::Communication::IMessageFactory\r\nCobalt::Communication::MessagePackager, Base Classes: Cobalt::Communication::IMessagePackager\r\nCobalt::Communication::PublicKeyMessage, Base Classes: Cobalt::Communication::ISerializableMessage, Cobalt::Communication::IMessage\r\nCobalt::Communication::SessionKey, Base Classes: Cobalt::Communication::ISerializableMessage, Cobalt::Communication::IMessage\r\nCobalt::DataAccess::BasicFileReader, Base Classes: Cobalt::DataAccess::IFileReader\r\nCobalt::DataAccess::BasicFileWriter, Base Classes: Cobalt::DataAccess::IFileWriter\r\nCobalt::DataAccess::WindowsDirectory, Base Classes: Cobalt::Common::IDirectory\r\nCobalt::DataAccess::WindowsDriveHandler, Base Classes: Cobalt::DataAccess::IWindowsDrive\r\nCobalt::DataAccess::WindowsFile, Base Classes: Cobalt::Common::IFile\r\nCobalt::DataAccess::WindowsFileManager, Base Classes: Cobalt::DataAccess::ISystemFileManager\r\nCobalt::DataProcessing::AESEncryptor, Base Classes: Cobalt::Common::IEncryptor\r\nCobalt::DataProcessing::ExtensionFileMatcher, Base Classes: Cobalt::Common::IFileMatcher\r\nCobalt::DataProcessing::RSAClient, Base Classes: Cobalt::Common::IEncryptor\r\nCobalt::DataProcessing::RSAServer, Base Classes: Cobalt::Common::IDecryptor\r\nCobalt::Peripheral::TCPClient, Base Classes: Cobalt::Peripheral::IPeripheralConnection, std::enable_shared_from_this_class_Cobalt::Peripheral::TCPClient_\r\nSuspected file paths\r\nC:\\Windows\\IME\\en-GB\\client\\Cobalt.Client.exe\r\nC:\\Windows\\IME\\en-GB\\mngr\\ConnectPC.exe\r\nC:\\Windows\\IME\\en-GB\\mngr\\binPS\\PsExec.exe\r\nC:\\Windows\\Temp\\[organization-name]tmp\\Cobalt.Client.exe\r\nStrings Written to the Log\r\nDeleting Myself\r\nRestarting\r\nApplication Closed\r\nwrong config file\r\nno config file found\r\nPrevent ShutDown\r\nend of main procedure\r\nmessage is encrypted\r\nmessage is not encrypted\r\nCannot initialize RSA encryptor\r\nCannot initialize RSA decryptor\r\nError: receiving wrong response\r\nreceiving server public key\r\nError: receiving wrong response\r\nreceiving session_key\r\nError: receiving Configuration Message\r\nStart Encrypting Engine\r\nGetClientInformation message received\r\nSending Identification message again\r\nReceive Abort Message\r\nConnection Restarted\r\nSending Identification Message\r\nError in getting ipaddress and macaddress\r\nSending public key\r\nSending public key finished\r\nsend_session_key\r\nWait for threads to finish their encrypting job\r\nEnd of encrypting\r\nChange Computer Background\r\nSend Job Finished Message\r\nWe are not connected to serverr, trying 3 second later\r\nSend Message in Another Thread\r\nSend message again time out reached\r\nConnect Again to Server\r\nSending Message Process Finished\r\ncopy file to desktop background path\r\nReceive Data\r\nFailed To Get Data....\r\nStart Searching Details of Drive\r\nIts in Black Path List\r\nSource: https://research.checkpoint.com/2020/ransomware-alert-pay2key/
Classes: : Cobalt::Communication::ISerializableMessage,\nCobalt::Communication::IMessage  \nCobalt::Communication::ConfigurationMessage, Base Classes: : Cobalt::Communication::ISerializableMessage,\nCobalt::Communication::IMessage  \nCobalt::Communication::ExceptionMessage, Base Classes: : Cobalt::Communication::ISerializableMessage,\nCobalt::Communication::IMessage, Cobalt::Common::IException \nCobalt::Communication::ExceptionMessage_1, Base Classes: : Cobalt::Communication::ISerializableMessage,\nCobalt::Communication::IMessage, Cobalt::Common::IException \nCobalt::Communication::GetClientInformation, Base Classes: : Cobalt::Communication::ISerializableMessage,\nCobalt::Communication::IMessage  \nCobalt::Communication::GetIdentificationMessage, Base Classes: : Cobalt::Communication::ISerializableMessage,\nCobalt::Communication::IMessage  \nCobalt::Communication::IMessage  \nCobalt::Communication::IMessageExtractor  \nCobalt::Communication::IMessageFactory  \nCobalt::Communication::IMessagePackager  \nCobalt::Communication::ISerializableMessage  \nCobalt::Communication::IdentificationMessage, Base Classes: : Cobalt::Communication::ISerializableMessage,\nCobalt::Communication::IMessage  \nCobalt::Communication::JobFinishedMessage, Base Classes: : Cobalt::Communication::ISerializableMessage,\nCobalt::Communication::IMessage  \nCobalt::Communication::MessageExtractor, Base Classes: : Cobalt::Communication::IMessageExtractor\nCobalt::Communication::MessageFactory, Base Classes: : Cobalt::Communication::IMessageFactory \nCobalt::Communication::MessagePackager, Base Classes: : Cobalt::Communication::IMessagePackager\nCobalt::Communication::PublicKeyMessage, Base Classes: : Cobalt::Communication::ISerializableMessage,\nCobalt::Communication::IMessage  \nCobalt::Communication::SessionKey, Base Classes: : Cobalt::Communication::ISerializableMessage, \nCobalt::Communication::IMessage  \nCobalt::DataAccess::BasicFileReader, Base Classes: : Cobalt::DataAccess::IFileReader 
\nCobalt::DataAccess::BasicFileWriter, Base Classes: : Cobalt::DataAccess::IFileWriter \nCobalt::DataAccess::WindowsDirectory, Base Classes: : Cobalt::Common::IDirectory \nCobalt::DataAccess::WindowsDriveHandler, Base Classes: : Cobalt::DataAccess::IWindowsDrive\nCobalt::DataAccess::WindowsFile, Base Classes: : Cobalt::Common::IFile \nCobalt::DataAccess::WindowsFileManager, Base Classes: : Cobalt::DataAccess::ISystemFileManager\nCobalt::DataProcessing::AESEncryptor, Base Classes: : Cobalt::Common::IEncryptor \nCobalt::DataProcessing::ExtensionFileMatcher, Base Classes: : Cobalt::Common::IFileMatcher\nCobalt::DataProcessing::RSAClient, Base Classes: : Cobalt::Common::IEncryptor \nCobalt::DataProcessing::RSAServer, Base Classes: : Cobalt::Common::IDecryptor \n Page 9 of 13",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2020/ransomware-alert-pay2key/"
	],
	"report_names": [
		"ransomware-alert-pay2key"
	],
	"threat_actors": [],
	"ts_created_at": 1775434879,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b97889b7b9c89d7bed71413db8fe7b8ec3f8860.pdf",
		"text": "https://archive.orkl.eu/1b97889b7b9c89d7bed71413db8fe7b8ec3f8860.txt",
		"img": "https://archive.orkl.eu/1b97889b7b9c89d7bed71413db8fe7b8ec3f8860.jpg"
	}
}