Following the 1979 Iranian revolution, relations between Iran and Israel worsened dramatically, affecting every aspect of diplomacy, with threats of war casting a shadow over the region ever since the last open hostilities in 1991. Cyberspace is no exception and has become a new arena for clashes, particularly since the 2010 discovery of Stuxnet, a supposedly Israeli-American worm launched against several Iranian targets, including a nuclear plant in Natanz.
In late 2020, a massive new ransomware campaign called Pay2Key was launched against multiple Israeli companies with a double extortion modus operandi that resulted in the victims’ network encryption and data leakage.
Check Point’s Threat Intelligence team tracked the threat group behind these attacks and found evidence of their Iranian origins, suggesting the whole operation was part of Iranian hacktivism activity, with a regime turning a blind eye to their actions.
Our presentation will depict the details of the Pay2Key Iranian operation by reviewing both the ransomware’s technical analysis and the developments leading to the Iranian attribution, including blockchain analysis of the attackers’ cryptocurrency wallets.
Got a question about this presentation? To get in touch with the speakers, contact them on Twitter at @mansgil and @BenHerzog11235.