Check Point unveils new Iranian cybercrime, ransoming companies' data

The method is called “Pay2Key.” The IT security company Check Point Software Technologies reported on the attacks on Thursday.

Iran Supreme Leader Ayatollah Ali Khamenei, July 2020 (photo credit: KHAMENEI.IR)
Seven Israeli companies and one Italian company were victimized by Iranian hackers using a new ransomware scheme that breaks into company networks, locks up their contents and holds them for ransom.
The method is called “Pay2Key.” The IT security company Check Point Software Technologies reported the attacks on Thursday. The crime was given its name because victims pay for a “key” to get their data back.
“They actually have a sort of ‘gentlemen’s understanding’ that if you pay hackers in one crime-family they won’t touch you again,” head of Cyber Intelligence at Check Point Lotem Finkelstein told The Jerusalem Post. “Some criminals even have support telephone lines for victims who agree to pay but can’t get the key to work and regain access to their data.”
Because cybercrime is so profitable, old-school “crime families” are building their hacking abilities too, Check Point said. Within ransomware there is another family, called “Ryuk,” which often targets hospitals, Finkelstein said. Pressured for time and fearful of public embarrassment, hospitals usually end up paying rather than, for example, canceling all scheduled operations that week because patients’ medical records are blocked.
“Shame is a big part of this business,” Finkelstein said. “Some very big companies, firms you heard of, fall victim to such things.”
Thanks to cooperation with WhiteStream, an Israeli cybercrime forensics firm, Check Point was able to establish that four Israeli companies paid up and three did not and were punished by having their data published on the darknet.
The darknet is a part of the internet reachable only through anonymity software such as the Tor Browser, which routes a user’s traffic through several relays so that the site being visited sees a relay’s address rather than the user’s own. A regular online user is “known” to the services he connects to by his Internet Protocol (IP) address, which his internet provider can tie to a subscriber. This is why people who use the open web for illegal activities get a visit from the police; it is as if they dropped their ID at the crime scene. The darknet conceals that link between the traffic and the person behind it. Though it is often used for crime, some users simply use it to protect their privacy.
“Let’s say I hacked into a company that is developing a new kind of engine, or is in debt, and I take these folders and put them on the darknet,” Finkelstein said. “There are banks and car companies that hire a company with such searching power. For example, Recorded Future. They then tell the company ‘bring me back info about engines, bring me back info on debt.’ It’s not something you want floating around.”
The hackers appear to be based in Iran because they demanded the ransom in Bitcoin, and analysts following the payments across the public ledger found that the coins eventually landed at Excoino, an Iranian cryptocurrency exchange that requires its customers to prove who they are with real IDs before it releases any funds to them.
“Iran takes cryptocurrency seriously,” Finkelstein said, “and they also have cyber police.”
This is how Bitcoin works, in brief: there is no central issuer. Computers around the world (“miners”) compete to find a number that, combined with the pending transactions and a fingerprint of the previous block, hashes below a target the network sets; the winner appends the next block of transactions to the ledger and is paid a fixed reward in newly created coins. The structure is called a blockchain because each block carries the cryptographic hash of the one before it, so altering an old block would invalidate every block after it. The network also adjusts the difficulty of the puzzle about every two weeks so that a block is found roughly every ten minutes no matter how much computing power is applied. Mexico could not, for example, devote 10% of its national electric grid to “mining bitcoins” and thereby create more of them: extra power only makes the puzzle harder, not the coins more plentiful. The reward itself halves every 210,000 blocks, so the total supply can never exceed about 21 million coins. That schedule is the built-in protection against inflation, and it also means those who mined first were rewarded more generously than those who came later.
That scarcity is why the comparison with gold or oil breaks down. If a billion people struck gold or oil, the resource would lose value; no amount of new mining effort can produce more bitcoin than the schedule allows. What attracts criminals is not that the money is hidden from view, because every transaction is recorded on a public ledger, but that the ledger identifies the parties only by addresses rather than names, so a ransom can be demanded without a bank account or an identity attached. This is why the hackers wanted up to nine units of it, roughly $140,000 at the time.
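The mechanics described above in runnable form. This is an added example written for this page, not code from the article or from Check Point: a toy chain that uses Bitcoin’s real subsidy, halving and retargeting constants, but a deliberately tiny proof-of-work target and placeholder addresses (both constructed for the demo) so that it mines in seconds. It shows that the supply cap follows from the reward schedule rather than from electricity spent, that more hash power only tightens the target, and that because the ledger is public anyone can verify a chain and reject a block that was rewritten or that pays its miner more than the schedule allows.

```python
"""Toy blockchain: hash-linked blocks, proof of work, a halving block subsidy
and Bitcoin-style difficulty retargeting. Added illustration for this article,
not Check Point's or Bitcoin's code. Constants are Bitcoin's real ones except
where a comment says the value is scaled down for the demo."""
import hashlib
import json

SATS_PER_BTC = 100_000_000
INITIAL_REWARD = 50 * SATS_PER_BTC   # real initial block subsidy, in satoshis
HALVING_INTERVAL = 210_000           # real: subsidy halves every 210,000 blocks
RETARGET_BLOCKS = 2016               # real: difficulty period length in blocks
TARGET_BLOCK_SECONDS = 600           # real: one block about every ten minutes


def block_reward(height: int, interval: int = HALVING_INTERVAL) -> int:
    """Subsidy for a block at `height`: halves (rounding down) every `interval`."""
    halvings = height // interval
    if halvings >= 64:   # Bitcoin checks this too: a 64-bit shift by >= 64 is undefined in C
        return 0
    return INITIAL_REWARD >> halvings


def total_supply(interval: int = HALVING_INTERVAL) -> int:
    """Add up every block's subsidy until it rounds to zero: the hard cap."""
    total, height = 0, 0
    while block_reward(height, interval) > 0:
        total += block_reward(height, interval) * interval
        height += interval
    return total


def retarget(old_target: int, actual_seconds: int) -> int:
    """Bitcoin's rule: scale the target by (actual / expected) period length,
    clamped to a factor of 4. Faster blocks (more hash power) -> smaller target."""
    expected = RETARGET_BLOCKS * TARGET_BLOCK_SECONDS
    actual_seconds = max(expected // 4, min(actual_seconds, expected * 4))
    return old_target * actual_seconds // expected


def digest(obj) -> str:
    """SHA-256 of canonical JSON. Real Bitcoin double-hashes a binary
    serialization; the JSON stand-in is a simplification for the demo."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def mine_block(prev_hash: str, height: int, txs: list, target: int) -> dict:
    """Proof of work: bump the nonce until the header hash falls below target."""
    header = {"prev": prev_hash, "height": height, "txs": digest(txs), "nonce": 0}
    while int(digest(header), 16) >= target:
        header["nonce"] += 1
    return {"header": header, "txs": txs}


def build_chain(n_blocks: int, target: int) -> list:
    """Mine a chain whose only transactions are the miners' subsidies.
    Addresses are constructed placeholders, which is all a real chain shows too."""
    chain, prev = [], "0" * 64
    for height in range(n_blocks):
        coinbase = {"to": f"addr{height}", "sats": block_reward(height)}
        block = mine_block(prev, height, [coinbase], target)
        chain.append(block)
        prev = digest(block["header"])
    return chain


def verify_chain(chain: list, target: int) -> bool:
    """What any node does with the public ledger: check links, work, and that
    no block paid out more than the schedule allows."""
    prev = "0" * 64
    for height, block in enumerate(chain):
        header, txs = block["header"], block["txs"]
        if header["prev"] != prev or header["height"] != height:
            return False                                  # broken link
        if header["txs"] != digest(txs):
            return False                                  # transactions rewritten
        if sum(tx["sats"] for tx in txs) > block_reward(height):
            return False                                  # inflation attempt
        prev = digest(header)
        if int(prev, 16) >= target:
            return False                                  # not enough work
    return True


TOY_TARGET = 1 << (256 - 14)   # scaled down: ~16k hashes per block instead of ~10^22


def tamper_demo() -> tuple:
    """Mine a short chain, then give block 1's miner one extra satoshi after
    the fact. Returns (valid_before, valid_after)."""
    chain = build_chain(4, TOY_TARGET)
    before = verify_chain(chain, TOY_TARGET)
    chain[1]["txs"][0]["sats"] += 1
    return before, verify_chain(chain, TOY_TARGET)


def inflation_demo() -> bool:
    """Even with honest work, a block paying above the schedule is rejected."""
    coinbase = {"to": "addr0", "sats": block_reward(0) + 1}
    return verify_chain([mine_block("0" * 64, 0, [coinbase], TOY_TARGET)], TOY_TARGET)


if __name__ == "__main__":
    print("max supply (BTC):", total_supply() / SATS_PER_BTC)
    print("target after a period mined twice as fast:", retarget(1 << 200, 604_800) == 1 << 199)
    print("chain valid before/after tampering:", tamper_demo())
    print("inflated coinbase accepted:", inflation_demo())
```

`total_supply()` returns 2,099,999,997,690,000 satoshis, just under 21 million BTC; halving the time a retarget period took halves the target; `tamper_demo()` returns `(True, False)` because the rewritten block no longer matches the digest its header committed to, and `inflation_demo()` returns `False` because the subsidy check rejects the over-paying block even though its proof of work is genuine.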
The Iranian hackers, having successfully extorted Israeli companies, now seem to be going after other companies as well, Finkelstein said.
“All companies must invest in getting protection for their assets,” he warned. “Cybercrime is getting so big it has its own celebrities.”