Iran-Linked Pay2Key Ransomware Group Makes a Comeback

Recent Developments in Ransomware Threats: The Resurgence of Pay2Key

Security experts have raised alarms regarding the return of an Iranian ransomware group known as Pay2Key, which has emerged with enhanced capabilities aimed at evading detection, executing attacks, and covering its tracks through advanced anti-forensics measures. Active since 2020, Pay2Key has been previously associated with Tehran and often targets entities that align with the regime’s interests.

A recent report published by Halcyon and Beazley Security links rising tensions between the United States and Iran to a surge in Pay2Key’s activity. The report’s findings point to a significant escalation in the group’s operations, particularly in light of the ongoing geopolitical conflicts.

The report meticulously detailed a recent assault on a healthcare provider in the United States, which showcased a sophisticated evolution in the group’s tactics, techniques, and procedures (TTPs). While it’s uncertain whether the attackers procured access through an initial access broker or conducted their own reconnaissance on the targeted organization, the report indicated that once they breached the network, they established an interactive connection using TeamViewer. This facilitated password harvesting for lateral movement within the affected infrastructure.

To achieve further penetration, the threat actors deployed tools such as Mimikatz, LaZagne, and ExtPassword, enabling them to access stored credentials and move laterally across the network. Additional tools, including "Advanced IP Scanner" and what is presumed to be NetScan (ns.exe), were employed to identify further hosts and validate existing credentials, significantly expanding their foothold within the environment.

By utilizing harvested credentials, the adversaries executed a series of actions across various systems, interacting with Active Directory through the built-in "Users and Computers" console (dsa.msc). This strategic maneuver appears to have been designed to obscure their activities, preventing security tools from flagging any anomalous or suspicious behavior.

Moreover, the report revealed that the intention behind this meticulous mapping of systems was twofold: to identify specific accounts for ransomware deployment and to gain access to a variety of backup-related software on the victim’s infrastructure. Enumeration revealed the use of e-commerce and backup solutions, including IBackup, Barracuda Yosemite, and Windows Server Backup, indicating the depth of preparation behind the attack.

The ransomware deployment itself was executed via a self-extracting 7zip archive (SFX) labeled abc.exe, a method consistent with earlier campaigns by Pay2Key. The encryption of the entire infrastructure was alarmingly efficient, taking only three hours to complete. Additionally, the group deployed a "No Defender" evasion toolkit during the attack, subsequently purging it to erase any traces of its existence.
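The intrusion chain described above (credential harvesting, then host discovery and Active Directory interaction on the same machine, all within a few hours) lends itself to a simple hunting rule over process-creation telemetry. The following is an added example written for this article, not code from the Halcyon or Beazley reports; the event fields, host names, timestamps and the three-hour window are assumptions, and the tool names are used as loose name-based indicators only.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> substrings looked for in the process image name or command line.
# Tool names come from the reported TTPs; name matching is only a starting
# point, since attackers routinely rename binaries (ns.exe is itself a guess).
STAGES = {
    "credential_access": ("mimikatz", "lazagne", "extpassword"),
    "discovery": ("advanced_ip_scanner", "ns.exe"),
    "ad_interaction": ("dsa.msc",),
    "ransomware_staging": ("abc.exe",),
}

def classify(event):
    """Return the first stage an event matches, or None for benign activity."""
    image = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    text = image + " " + event["cmdline"].lower()
    for stage, needles in STAGES.items():
        if any(n in text for n in needles):
            return stage
    return None

def find_chains(events, window=timedelta(hours=3)):
    """Per host, keep matched events in time order and report hosts where a
    credential-access tool is followed by another stage inside `window`."""
    per_host = defaultdict(list)
    for ev_ in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev_)
        if stage:
            per_host[ev_["host"]].append((ev_["ts"], stage))
    hits = {}
    for host, seq in per_host.items():
        cred = [t for t, s in seq if s == "credential_access"]
        if not cred:
            continue  # AD console use on its own is normal admin work
        later = [s for t, s in seq
                 if s != "credential_access" and cred[0] <= t <= cred[0] + window]
        if later:
            hits[host] = [s for _, s in seq]
    return hits

def ev(hour, minute, host, image, cmdline=""):
    """Build a constructed process-creation event (sample data, not real telemetry)."""
    return {"ts": datetime(2025, 1, 1, hour, minute), "host": host,
            "image": image, "cmdline": cmdline or image}

SAMPLE_EVENTS = [  # constructed sample events, not taken from the report
    ev(1, 5, "ws-17", "C:\\Windows\\System32\\svchost.exe"),
    ev(1, 12, "ws-17", "C:\\Users\\Public\\mimikatz.exe"),
    ev(1, 40, "ws-17", "C:\\Users\\Public\\ns.exe"),
    ev(2, 30, "ws-17", "C:\\Windows\\System32\\mmc.exe", "mmc.exe dsa.msc"),
    ev(9, 0, "srv-fs01", "C:\\Windows\\System32\\mmc.exe", "mmc.exe dsa.msc"),
    ev(3, 0, "ws-22", "C:\\Temp\\lazagne.exe"),  # no follow-on stage, so not flagged
]
```

Run against the constructed events, only ws-17 is flagged; the lone dsa.msc launch on srv-fs01 and the unaccompanied LaZagne execution on ws-22 fall below the rule's bar, which is the trade-off the report's own observation of "console-blending" behaviour makes necessary.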

Notably, there was no evidence suggesting data exfiltration during this operation, leading the report’s authors to theorize that the lack of data transfer could stem from deliberate destruction of evidence by the threat actors.

Questions About Connections to Iran

This recent incident surfaces alongside a prior campaign studied by Morphisec, coinciding with US military actions targeting Iran last year. Since July 2025, Pay2Key has reportedly amassed over $8 million in ransom payments from around 170 victims, underscoring the group’s financial motivations tied to geopolitical tensions.

Despite the clear correlation between the group’s activities and international conflicts involving Iran, the report cautions that this relationship is not definitively established. It notes that Pay2Key’s attempted sale of its entire operation in late 2025 raised questions about its ownership and operational control, particularly given its observable connections to Russian-speaking threat actors in criminal forums.

Regardless of the ownership or affiliations, the implications for network defenders remain significant. As outlined in the Halcyon report, the threat posed by Pay2Key is multifaceted. It suggests that the group does not necessarily prioritize extortion for financial gain above the potential to strategically undermine victim organizations.

In conclusion, the findings signal to cybersecurity professionals that Pay2Key remains an active and unpredictable threat. The report underscores the necessity for ongoing monitoring and proactive information sharing within the security community to effectively contend with this evolving and politically motivated menace. Awareness and preparation will be crucial as the landscape of ransomware threats continues to shift in response to geopolitical dynamics.
