Welcome to the VB2021 conference!

Pay2Key – the newly discovered ransomware traced all the way to Iran

Gil Mansharov (Check Point) & Ben Herzog (Check Point)

Following the 1979 Iranian revolution, relations between Iran and Israel worsened dramatically, impacting every diplomatic aspect, with threats of war casting a shadow over the region ever since the last open hostilities in 1991. Cyberspace is no exception and has become a new arena for clashes, particularly since the 2010 discovery of Stuxnet, a supposedly Israeli-American worm launched against several Iranian targets including a nuclear plant in Natanz.

In late 2020, a massive new ransomware campaign called Pay2Key was launched against multiple Israeli companies, using a double extortion modus operandi that resulted in the encryption of the victims’ networks and the leaking of their data.

Check Point’s Threat Intelligence team tracked the threat group behind these attacks and found evidence of their Iranian origins, suggesting the whole operation was part of Iranian hacktivism activity, with a regime turning a blind eye to their actions.

Our presentation will depict the details of the Pay2Key Iranian operation by reviewing both the ransomware’s technical analysis and the developments leading to the Iranian attribution, including blockchain analysis of the attacker’s cryptocurrency wallets.

Gil Mansharov
Check Point

Gil Mansharov is a malware analyst in Check Point's Threat Intelligence Analysis team. Gil is responsible for hunting and analysing the newest and most advanced threats in the wild, in order to improve Check Point’s threat coverage and share new information with the research community. Gil joined Check Point three years ago, first as a security analyst in the Threat Intelligence Operations team, and after that, he joined the Threat Intelligence Analysis team. Prior to Check Point, Gil was a security analyst at Israel Aerospace Industries (IAI). Gil holds a B.Sc. in computer science with a cybersecurity specialization from the Open University of Israel.

Ben Herzog
Check Point

Ben Herzog is a maths aficionado working undercover at Check Point as a security researcher. His interests include cryptography, reverse engineering and machine learning. He majored in mathematics and computer science at the Technion, and has been serving as course staff for Check Point Security Academy for several years, teaching cryptography and malware analysis.