Two recent ransomware waves that targeted Israeli companies have been traced back to Iranian threat actors, multiple sources have told ZDNet today.
The ransomware attacks have been taking place since mid-October, have ramped up this month, and have repeatedly focused on Israeli targets.
Hackers breached corporate networks, stole company data, encrypted files, and asked for huge payouts to deliver a decryption key.
Furthermore, adding to this tactic, this week, the Pay2Key ransomware gang also launched a "leak directory" on the dark web where the group is now leaking data they stole from companies who refused to pay the ransom demand, Ram Levi, Founder and CEO of Konfidas, a cybersecurity consulting firm based in Israel, told ZDNet today.
The Pay2Key attacks are a curious case because, unlike most other ransomware operations taking place today, these attacks have repeatedly and primarily focused on infecting Israeli companies.
Attacks with the WannaScream ransomware have been spotted across the globe, but Omri Segev Moyal, Founder and CEO of Israeli security firm Profero, told ZDNet that this ransomware is currently available via a Ransomware-as-a-Service (RaaS) model and that one group who rents the ransomware from its creators is targeting Israeli companies in particular.
Ransom payments lead back to Iran
Profero, who is one of the local security firms that are currently providing Incident Response (IR) services to the many beleaguered Israeli companies, said today it tracked several payments Israeli companies made to Excoino, a cryptocurrency exchange based in Iran.
"The overall sophistication of both the WannaScream and Pay2Key ransomware waves is very average. The low level of sophistication with Pay2Key enabled us to track the bitcoin flow easily," Moyal told ZDNet.
"Our team pinpointed an exit strategy at Excoino, a cryptocurrency exchange based in Iran. This act is very uncommon for major ransomware operators," the Profero exec added.
"An experienced operator will go through mixing services, swapping between different coins via Binance sub-exchanges such as ChangeNow, or other less familiar exchanges such as coin2cards.
"We haven't seen any of those in this case. This might indicate the origin of the attackers, though it can be a false flag as we all aware in our industry."
Profero's findings and the links between Pay2Key and an Iran-based threat actor were also confirmed today by Check Point and a third source who spoke with ZDNet on the condition of anonymity.
Check Point, who first spotted the Pay2Key ransomware wave last week, plans to publish an in-depth report on its newest findings and the Iranian links on Thursday.
While payments have not been traced to Excoino for the WannaScream attacks, other indicators in the code and ransom negotiations process have also led Moyal and others to think that this ransomware group is also managed by an Iranian entity.
Bugs and data loss for some victims
Moyal's assessment that both Pay2Key and WannaScream are unsophisticated operations was also confirmed by evidence from real-world incidents.
For example, in some early Pay2Key incidents, the ransomware's command-and-control servers didn't release a decryption key to some victims that paid the ransom demand, leaving companies unable to recover their files.
In the case of WannaScream, the ransomware decrypter, the app that victims receive to decrypt their files after paying the ransom demand, has also been throwing errors in some cases, similarly leaving companies unable to recover their data even after making payments.
At the time of writing, there was no evidence to link either Pay2Key or the WannaScream attacks that have taken place in Israel to an Iranian government entity beyond any doubt. Nonetheless, the door has been left open for future investigations.