
New Pay2Key Ransomware Variant Uses .enap_p2k Extension

Summary

– All files have been encrypted due to security problems on the user’s computer.
– Users can visit a website to recover their files.
– Before payment, users can send up to 3 test files for free decryption.
– After payment, the system will automatically issue a tool for full file recovery.
– Each user is assigned a unique ID, and a backup site on the I2P network is provided if the first address is inaccessible.

A new variant of the Pay2Key ransomware has emerged, this time using the .enap_p2k file extension to mark encrypted data. Victims are greeted with a ransom note that begins: “All files have been encrypted due to security problems on your computer.”

The attackers provide a clear recovery path. They instruct victims to visit a designated website where, before any payment, they can send up to three test files for free decryption as proof of capability. After payment is made, the system is supposed to automatically issue a tool to fully restore all encrypted files. Each victim receives a unique identifier (in this case a long string ending in *enap) to track their case.

The note also includes a fallback option. “If the first address cannot be opened, visit our main site on the I2P network (similar to TOR),” it advises, indicating the operators are prepared to maintain communication through anonymous, decentralized channels should their primary site be taken down or blocked.

This new extension and the refined messaging suggest the cybercriminal group behind Pay2Key is actively updating its tactics to evade detection and maintain pressure on victims. Organizations should ensure their backup systems are offline and tested, as ransomware with this level of operational maturity often targets businesses with weak recovery plans.
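The two indicators the article gives, the .enap_p2k extension on encrypted files and the opening sentence of the ransom note, are enough to build a simple sweep that an incident responder can run over a file share or backup copy to size up the damage. The script below is an added example, not code from the article or from BleepingComputer: it walks a directory, flags files carrying the extension, measures the Shannon entropy of the first bytes so that a file that was merely renamed is not counted as encrypted, and separately lists any file that begins with the ransom note text. The entropy threshold of 7.5 bits per byte, the sample size, and the file names in the constructed demo tree are assumptions for illustration.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the article: the extension the new Pay2Key variant
# appends to encrypted files, and the first sentence of its ransom note.
PAY2KEY_EXTENSION = ".enap_p2k"
RANSOM_NOTE_PREFIX = b"All files have been encrypted due to security problems"

# Threshold chosen for this example (assumption): encrypted or compressed data
# approaches 8 bits/byte, while ordinary documents sit well below that.
HIGH_ENTROPY_BITS = 7.5


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def scan_tree(root: str, sample_bytes: int = 4096) -> dict:
    """Walk root and report Pay2Key indicators.

    hits: files with the .enap_p2k extension, each tagged with whether the
          leading bytes look encrypted (high entropy) or were only renamed.
    notes: files whose content starts with the ransom note sentence.
    """
    hits, notes = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            sample = fh.read(sample_bytes)
        if sample.startswith(RANSOM_NOTE_PREFIX):
            notes.append(str(path))
        if path.suffix == PAY2KEY_EXTENSION:
            entropy = shannon_entropy(sample)
            hits.append({
                "path": str(path),
                "entropy": round(entropy, 2),
                "looks_encrypted": entropy >= HIGH_ENTROPY_BITS,
            })
    per_dir = Counter(str(Path(h["path"]).parent) for h in hits)
    return {"hits": hits, "notes": notes, "count": len(hits),
            "per_directory": dict(per_dir)}


def build_sample_tree() -> str:
    """Create a constructed demo directory (not real victim data) and return its path."""
    root = tempfile.mkdtemp(prefix="pay2key_demo_")
    docs = Path(root) / "docs"
    docs.mkdir()
    # Untouched document: no extension, should not be reported at all.
    (docs / "notes.txt").write_text("quarterly notes, nothing unusual here\n" * 50)
    # Stand-in for a genuinely encrypted file: random bytes, high entropy.
    (docs / ("budget.xlsx" + PAY2KEY_EXTENSION)).write_bytes(__import__("os").urandom(8192))
    # A file that only got renamed: plain text, low entropy.
    (docs / ("memo.txt" + PAY2KEY_EXTENSION)).write_text("plain text that was only renamed\n" * 100)
    # Constructed ransom note using the opening sentence quoted in the article.
    (docs / "readme.txt").write_text(
        "All files have been encrypted due to security problems on your computer.\n")
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    for hit in report["hits"]:
        label = "ENCRYPTED" if hit["looks_encrypted"] else "renamed-only"
        print(f"{label:13} {hit['entropy']:.2f} bits/byte  {hit['path']}")
    for note in report["notes"]:
        print(f"ransom note   {note}")
    print("files with extension:", report["count"], "per directory:", report["per_directory"])
```

Run it against a mounted share or a restored backup image rather than a live infected host, and use the per-directory counts to decide which trees must be restored; the entropy check matters because a rename-only hit indicates an interrupted run and a file that may still be recoverable as-is.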

(Source: BleepingComputer)
