According to Israeli cyber security company Check Point, the ransom payments were traced to an Iranian bitcoin site.
Iranian hackers were behind the Pay2Key ransomware attack on dozens of Israeli companies last week, said Israeli cyber security firm Check Point. The firm worked with the Israeli blockchain intelligence company Whitestream to discover the source of the attack.
From each of the companies that fell prey to the attack, the hackers demanded payment of 7 to 9 bitcoins. That's worth some NIS 375,000-NIS 475,000 (approximately $111,000-$141,000).
Check Point reported that after four of the firms paid the ransom, it tracked the hackers’ bitcoin transactions and identified them as Iranian.
The tracing process began with the addresses of the bitcoin wallets to which the victims had to send their ransom payments. The transactions wound up in wallets belonging to Excoino, an Iranian entity that supplies secure business services in cryptocurrency.
Check Point explained that this latest attack used the “double extortion” method on its victims, a new development in ransomware attacks. In the double extortion model, hackers not only encrypt a company’s data, blocking access to it, but also threaten to steal data and leak it if their demands for payment are not met.
The Pay2Key operators even drive home what can happen when companies do not comply with their demands. They created a website on which they post content stolen from companies that refused to pay them. These include three Israeli companies.
This article first appeared in Israel Hayom.