
Pay2Key Ransomware Group Linked to Iran Returns

Summary

– Pay2Key, a ransomware group with suspected ties to Iran, has returned with enhanced evasion, execution, and anti-forensics capabilities.
– The group recently attacked a U.S. healthcare provider, using credential-harvesting and network-discovery tools to move laterally and encrypt the entire infrastructure in about three hours.
– Its activity appears to intensify during periods of U.S.-Iran geopolitical tension, though its exact links to Iran are now questioned due to observed ties to Russian-speaking actors.
– The group does not always prioritize financial extortion and may instead focus on destruction for strategic impact.
– Security experts warn that Pay2Key remains an active, unpredictable, and politically motivated threat requiring ongoing monitoring.

A ransomware group with suspected ties to Iran has re-emerged, demonstrating significantly upgraded capabilities for evasion, execution, and anti-forensics. Known as Pay2Key, this group has been operational since 2020 and historically focuses on targets that align with Tehran’s geopolitical interests. New analysis indicates its activity has accelerated, potentially fueled by recent tensions between the United States and Iran.

A joint report from Halcyon and Beazley Security details a recent intrusion at a U.S. healthcare provider, revealing an evolving set of tactics, techniques, and procedures (TTPs). While it is unclear whether the attackers purchased initial network access or conducted their own reconnaissance, they quickly established a foothold. Using TeamViewer for interactive access, they then employed credential-harvesting tools such as Mimikatz, LaZagne, and ExtPassword to gather passwords for lateral movement across the network.

The actors used Advanced IP Scanner and a tool believed to be NetScan to locate additional hosts and validate the stolen credentials. They pivoted between systems and deliberately interacted with Active Directory through the legitimate Active Directory Users and Computers console (dsa.msc) rather than a third-party enumeration tool, a living-off-the-land choice likely made to avoid triggering automated security alerts. This access was used to identify accounts for the final ransomware deployment and to locate backup systems, including IBackup, Barracuda Yosemite, and Windows Server Backup.

The ransomware itself was delivered as a self-extracting 7-Zip archive, consistent with the group's past methods. The attackers encrypted the victim's entire infrastructure in approximately three hours. They also deployed a "No Defender" toolkit to switch off Windows Defender and later removed it, apparently to limit the forensic trail. Notably, investigators found no signs of data exfiltration, suggesting either that the operation prioritized disruption over theft or that the group thoroughly destroyed the evidence.
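The tool chain described in the three paragraphs above (remote access, credential dumping, discovery, Active Directory enumeration, backup reconnaissance, and an SFX-delivered payload) lends itself to a simple correlation hunt over process-creation telemetry: no single tool is conclusive, but several stages run under one account or on one host within a few hours is. The Python below is an added example, not code from the Halcyon/Beazley report or from Infosecurity Magazine. The event records are constructed; the process-name patterns, the use of `wbadmin` to stand in for Windows Server Backup, the `7zS*.tmp` extraction-directory artifact used to spot a 7-Zip SFX, the "No Defender" name match, and the four-hour window are all assumptions.

```python
"""Correlate Pay2Key-style tool usage across Sysmon process-creation events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (simplified Sysmon Event ID 1 fields). Illustrative only;
# they are not taken from the report. Hosts, users and paths are invented.
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T01:02:11", "host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "cmd": "TeamViewer.exe"},
    {"ts": "2025-11-03T01:20:40", "host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\m.exe",
     "cmd": "m.exe privilege::debug sekurlsa::logonpasswords exit"},   # renamed Mimikatz
    {"ts": "2025-11-03T01:25:03", "host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\laZagne.exe", "cmd": "laZagne.exe all"},
    {"ts": "2025-11-03T01:41:17", "host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\Advanced_IP_Scanner_2.5.exe",
     "cmd": "Advanced_IP_Scanner_2.5.exe /s"},
    {"ts": "2025-11-03T02:10:55", "host": "DC01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\mmc.exe", "cmd": "mmc.exe dsa.msc"},
    {"ts": "2025-11-03T02:31:09", "host": "DC01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\wbadmin.exe", "cmd": "wbadmin get versions"},
    {"ts": "2025-11-03T03:05:44", "host": "FS01", "user": "CORP\\svc_backup",
     # Assumed 7-Zip SFX artifact: payload runs out of a %TEMP%\7zSxxxx.tmp directory.
     "image": r"C:\Users\SVC_BA~1\AppData\Local\Temp\7zS8C1A.tmp\locker.exe",
     "cmd": "locker.exe -all"},
    # Benign noise: an administrator opening dsa.msc on a management workstation.
    {"ts": "2025-11-03T09:15:00", "host": "ADMIN-01", "user": "CORP\\adm_kim",
     "image": r"C:\Windows\System32\mmc.exe", "cmd": "mmc.exe dsa.msc"},
]

# One regex per intrusion stage, matched against image path plus command line.
# Names are assumptions about how the tools in the article show up on disk.
RULES = [
    ("remote_access",   re.compile(r"teamviewer", re.I)),
    ("cred_harvest",    re.compile(r"mimikatz|sekurlsa::|lazagne|extpassword", re.I)),
    ("discovery",       re.compile(r"advanced_ip_scanner|advanced ip scanner|netscan", re.I)),
    ("ad_enumeration",  re.compile(r"\bdsa\.msc\b", re.I)),
    ("backup_recon",    re.compile(r"wbadmin|yosemite|ibackup", re.I)),
    ("sfx_execution",   re.compile(r"\\7zS[0-9A-F]+\.tmp\\", re.I)),
    ("defense_evasion", re.compile(r"no[-_ ]?defender", re.I)),
]


def match_stages(event):
    """Return the stages whose pattern matches this single event (possibly none)."""
    text = f"{event['image']} {event['cmd']}"
    return [stage for stage, rx in RULES if rx.search(text)]


def correlate(events, key="user", window=timedelta(hours=4), min_stages=3):
    """Group stage hits by `key` (user or host) and report entities that touch at least
    `min_stages` distinct stages inside a sliding `window`. A lone dsa.msc launch is
    normal admin activity; dsa.msc plus backup recon plus an SFX payload is not."""
    hits = defaultdict(list)
    for ev in events:
        for stage in match_stages(ev):
            hits[ev[key]].append((datetime.fromisoformat(ev["ts"]), stage, ev["host"]))

    findings = {}
    for entity, rows in hits.items():
        rows.sort()
        for t0, _, _ in rows:
            in_win = [r for r in rows if t0 <= r[0] <= t0 + window]
            stages = sorted({s for _, s, _ in in_win})
            if len(stages) < min_stages:
                continue
            best = findings.get(entity)
            if best is None or len(stages) > len(best["stages"]):
                findings[entity] = {
                    "stages": stages,
                    "hosts": sorted({h for _, _, h in in_win}),
                    "first_seen": t0.isoformat(),
                }
    return findings


if __name__ == "__main__":
    for entity, f in correlate(SAMPLE_EVENTS).items():
        print(f"{entity}: {', '.join(f['stages'])} on {', '.join(f['hosts'])} from {f['first_seen']}")
```

Correlating by user catches the second half of the chain here even though it spans two hosts, because the attackers kept using the harvested service account; correlating by host would only surface the first workstation. In practice run both keys, and treat the `sfx_execution` and `backup_recon` stages as high-severity on their own when they occur on a domain controller or backup server, since by that point encryption is minutes away.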

This latest incident follows a previous campaign that coincided with U.S. missile strikes against Iran last year. Since July 2025, the group has been linked to over 170 victims and has received more than $8 million in ransom payments. The pattern suggests Pay2Key's operations intensify during periods of geopolitical tension involving Iran, though its exact affiliations are increasingly complex.

The group’s attempted sale of its entire operation in late 2025, alongside observed connections to Russian-speaking threat actors on criminal forums, creates uncertainty about its current leadership and future direction. Regardless of who controls it, the threat remains acute. The report emphasizes that Pay2Key does not always prioritize financial extortion, sometimes opting for the strategic destruction of victim environments.

Security teams should consider this a clear warning. Pay2Key remains an active and politically motivated threat with unpredictable objectives. Its latest tactics underscore the need for ongoing monitoring and proactive intelligence sharing across the cybersecurity community to defend against its evolving campaigns.

(Source: Infosecurity Magazine)
