Iranian Ransomware Targets Mostly Israel-Based Companies
Two recent ransomware campaigns have targeted Israeli companies and have been traced back to Iranian threat actors. Occurring since mid-October, the ransomware attacks have since ramped up in complexity and aggressiveness and have repeatedly focused on Israeli targets. Israeli companies of all sizes have been targeted by threat actors using the Pay2Key and WannaScream ransomware. The Iranian hackers breached corporate networks, stole company data, encrypted files, and demanded large ransom payments in exchange for the associated decryption keys. As part of this increased complexity, the Pay2Key ransomware group also launched a "leak directory" on the dark web to publish data stolen from companies that refused to pay the ransom demand.
The Pay2Key attacks are unique in their deployment because, unlike most other ransomware, they have repeatedly and primarily focused on infecting Israeli companies. Attacks with the WannaScream ransomware have had no single target, but that may be because this ransomware is currently offered under a Ransomware-as-a-Service (RaaS) model, with one particular group using it to target Israeli companies.
Israeli security firm Profero, one of the local security firms currently providing Incident Response (IR) services to the many affected Israeli companies, said today that it tracked several payments Israeli companies made to Excoino, a cryptocurrency exchange based in Iran.
Sources: