
Two recent ransomware waves that targeted Israeli companies have been traced back to Iranian threat actors, multiple sources have told ZDNet today.

The ransomware attacks have been taking place since mid-October, have ramped up this month, and have repeatedly focused on Israeli targets.

Israeli companies of all sizes have been targeted by threat actors using the Pay2Key[1] and WannaScream[2] ransomware strains.

Hackers breached corporate networks, stole company data, encrypted files, and asked for huge payouts to deliver a decryption key.

Adding to this tactic, the Pay2Key ransomware gang this week also launched a "leak directory" on the dark web, where the group is now publishing data stolen from companies that refused to pay the ransom demand, Ram Levi[3], Founder and CEO of Konfidas, a cybersecurity consulting firm based in Israel, told ZDNet today.

Pay2Key ransomware leak site Image: ZDNet

The Pay2Key attacks are a curious case because, unlike most other ransomware operations taking place today, these attacks have repeatedly and primarily focused on infecting Israeli companies[4].

Attacks with the WannaScream ransomware have been spotted across the globe, but Omri Segev Moyal[5], Founder and CEO of Israeli security firm Profero, told ZDNet that this ransomware is currently available via a Ransomware-as-a-Service (RaaS) model and that one group who rents the ransomware from its creators is targeting Israeli companies in particular.

Ransom payments lead back to Iran

Profero, one of the local security firms currently providing Incident Response (IR) services to the many beleaguered Israeli companies, said today that it has tracked several payments made by Israeli companies to Excoino[6], a cryptocurrency exchange based in Iran.

"The overall sophistication of both the WannaScream and Pay2Key ransomware waves is very average. The low level of sophistication with Pay2Key enabled us
