Pay2Key: First Ransomware Utilizing I2P Network Instead of Tor

by Security News

Pay2Key first emerged in late 2020 and primarily targeted Israeli businesses, gaining attention for its alleged links to Iranian threat actors. The sample analyzed here marks an obvious pivot to a ransomware-as-a-service (RaaS) model that welcomes even novice affiliates. What sets it apart is its use of I2P (the Invisible Internet Project), an anonymous overlay network comparable to Tor: victims are directed to a ransom portal hosted on I2P rather than to the Tor .onion site that most ransomware operators use.

Infection Cycle

The malware arrives as a portable executable (PE) that masquerades as a document by using the Microsoft Word document icon.

Figure 1: Malware executable using the Microsoft Word document icon

Upon execution, the malware immediately launches either Winword.exe or Wordpad.exe, which displays a blank document window. This decoy is intended to make the file appear to be a legitimate, benign document and avoid raising suspicion.

Figure 2: Empty document window launched

At the same time, the malware drops additional malicious components into the %Temp% directory for later execution.

Figure 3: Additional component files created by malware

It then spawns the legitimate cmd.exe to run one of the dropped files, a script named "setup.cmd," which executes a series of commands in the command prompt.

Figure 4: Malware uses legitimate Windows files to execute malicious activity

Figure 5: Contents of setup.cmd file

This script invokes powershell.exe to carry out further malicious actions: querying the registry for local services, checking whether an antivirus product is installed, running the additional dropped files, and deleting them after execution. The script is padded with numerous timeout and delay commands, presumably an evasion technique meant to stretch the activity out and make it harder to spot in behavioral monitoring. It then encrypts the victim's files, appending the ".qchrt6" extension to each encrypted file, and drops a ransom note named "HowToRestoreFiles.txt."
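The behavioral chain described above (a non-Office executable that opens a Word viewer and runs a .cmd from %Temp%, a cmd.exe that spawns powershell.exe alongside timeout.exe, and files appearing with the ".qchrt6" extension or the "HowToRestoreFiles.txt" name) is what a defender would hunt for in endpoint telemetry. The following Python is an added example and is not code from SonicWall or from the malware analysis; the Sysmon-style event records, process IDs, paths and command lines are constructed assumptions, and only the indicator names come from the write-up.

```python
"""Hunt for the Pay2Key-style infection chain over Windows endpoint telemetry.

Constructed example: the event records below imitate Sysmon process-creation
and file-creation events and are NOT from the real sample. Only the indicator
names (.qchrt6, HowToRestoreFiles.txt, setup.cmd dropped to %Temp%, the
cmd.exe -> powershell.exe chain padded with timeout delays) come from the
analysis above.
"""
import ntpath
from collections import defaultdict

# Indicators named in the analysis.
ENCRYPTED_EXT = ".qchrt6"
RANSOM_NOTE = "howtorestorefiles.txt"
DROPPED_SCRIPT = "setup.cmd"
DECOY_VIEWERS = {"winword.exe", "wordpad.exe"}
DELAY_TOOLS = {"timeout.exe"}  # "timeout /t N" inside a .cmd shows up as this child

# Constructed telemetry (assumed shape: type, pid, ppid, image, cmdline / path).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1000, "ppid": 500,
     "image": r"C:\Users\alice\Downloads\Invoice.exe", "cmdline": "Invoice.exe"},
    {"type": "process", "pid": 1001, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE"},
    {"type": "file", "pid": 1000,
     "path": r"C:\Users\alice\AppData\Local\Temp\setup.cmd"},
    {"type": "process", "pid": 1002, "ppid": 1000,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\setup.cmd"'},
    {"type": "process", "pid": 1003, "ppid": 1002,
     "image": r"C:\Windows\System32\timeout.exe", "cmdline": "timeout /t 30"},
    {"type": "process", "pid": 1004, "ppid": 1002,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File stage2.ps1"},
    {"type": "file", "pid": 1004, "path": r"C:\Users\alice\Documents\report.docx.qchrt6"},
    {"type": "file", "pid": 1004, "path": r"C:\Users\alice\Documents\budget.xlsx.qchrt6"},
    {"type": "file", "pid": 1004, "path": r"C:\Users\alice\Documents\HowToRestoreFiles.txt"},
]


def basename(path):
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


def in_temp(text):
    """True when a path or command line points under a ...\\Temp\\ directory."""
    return "\\temp\\" in text.lower()


def root_process(pid, procs):
    """Walk ppid links up to the oldest process we hold telemetry for."""
    while pid in procs and procs[pid]["ppid"] in procs:
        pid = procs[pid]["ppid"]
    return pid


def hunt(events):
    """Return {rule_name: [pid, ...]} for every rule that fires on the events."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p)
    hits = defaultdict(list)

    for pid, proc in procs.items():
        kids = children[pid]
        kid_names = {basename(k["image"]) for k in kids}
        # Rule 1: decoy document. The same process opens a Word viewer AND runs
        # cmd.exe on a .cmd script located under a Temp directory.
        runs_temp_script = any(
            basename(k["image"]) == "cmd.exe"
            and ".cmd" in k["cmdline"].lower()
            and in_temp(k["cmdline"])
            for k in kids
        )
        if kid_names & DECOY_VIEWERS and runs_temp_script:
            hits["decoy_document_chain"].append(pid)
        # Rule 2: a cmd.exe that spawns powershell.exe and also sleeps through
        # timeout.exe, the delay padding the script uses for evasion.
        if (basename(proc["image"]) == "cmd.exe"
                and "powershell.exe" in kid_names and kid_names & DELAY_TOOLS):
            hits["delayed_powershell_script"].append(pid)

    # Rule 3: file indicators (dropped components, encrypted files, ransom note).
    for f in (e for e in events if e["type"] == "file"):
        name = basename(f["path"])
        if in_temp(f["path"]):
            hits["temp_drops"].append(f["pid"])
        if name.endswith(ENCRYPTED_EXT):
            hits["encrypted_files"].append(f["pid"])
        if name == RANSOM_NOTE:
            hits["ransom_notes"].append(f["pid"])
    return dict(hits)


if __name__ == "__main__":
    procs = {e["pid"]: e for e in SAMPLE_EVENTS if e["type"] == "process"}
    for rule, pids in hunt(SAMPLE_EVENTS).items():
        # Map each hit back to the dropper so responders get the root cause.
        print(rule, sorted(set(pids)), "root:", root_process(pids[0], procs))
```

The file rules alone would fire on any host already hit; the two process rules are the ones worth alerting on early, because the decoy-viewer plus Temp-script combination and the cmd.exe spawning both powershell.exe and timeout.exe appear before encryption starts. Tune the Temp-path and viewer checks to your environment before deploying.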

Figure 6: Contents of the ransom note

The note directs the victim to the group's pay2key.com website and also offers the option of contacting the operators through their main site, hosted on the I2P network. The file-recovery page claims 49 completed transactions and more than $4 million in payments received, and promises special conditions for "friends of Iran."

Figure 7: Recovery website where victims are directed to

The main website invites anyone to join the ransomware operation and advertises a tiered affiliate program in which members can also earn through referrals.

Figure 8: Main website advertising the affiliate program

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: Pay2Key.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and the Capture Client endpoint solutions.

An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
