Iran-Linked Pay2Key Ransomware Group Re-Emerges with Enhanced Evasion Tactics
The Iran-linked Pay2Key ransomware group has resurfaced with advanced evasion and anti-forensics capabilities, targeting a US healthcare provider and encrypting its entire infrastructure in three hours.

The Iran-linked Pay2Key ransomware group has re-emerged with enhanced evasion and anti-forensics capabilities, according to a new report from Halcyon and Beazley Security. The group, active since 2020, recently targeted a US healthcare provider, encrypting its entire infrastructure in just three hours. The attack comes amid rising US-Iran tensions, which the report suggests may have accelerated the group's activity.
The attackers gained initial access via TeamViewer, with the credentials likely purchased from an initial access broker or obtained through reconnaissance. Once inside, they used Mimikatz, LaZagne, and ExtPassword to harvest credentials, then performed lateral movement using Advanced IP Scanner and NetScan. They interacted with Active Directory through the built-in dsa.msc console (Active Directory Users and Computers) rather than third-party tooling, to avoid triggering security alerts, and enumerated backup software including IBackup, Barracuda Yosemite, and Windows Server Backup.
Ransomware deployment was executed through a self-extracting 7-Zip archive (abc.exe), consistent with previous Pay2Key campaigns. The group also deployed a "No Defender" evasion toolkit to disable Microsoft Defender, which they later removed to hide their tracks. Notably, no data exfiltration was observed, which the report authors suggest could be the result of deliberate destruction of evidence.
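The intrusion chain above (credential harvesting, network and AD enumeration, backup discovery, Defender tampering, SFX staging) lends itself to a simple host-level triage: correlate the individual signals per host and surface hosts where several phases co-occur. The following Python is an added example written for this article, not code from the Halcyon/Beazley report or from any product. The event records are constructed, the tool-name regexes are this example's own spellings, and the "source process outside C:\Windows" filter on LSASS access is an assumed heuristic; the event IDs themselves (Sysmon 1 and 10, Security 4688, Defender Operational 5001) are real.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Windows Defender Operational log, event 5001: "Real-time protection is disabled".
DEFENDER_RTP_DISABLED = 5001
# Sysmon event 1 and Security event 4688 both record process creation.
PROCESS_CREATE_IDS = {1, 4688}
# Sysmon event 10 records one process opening a handle to another.
PROCESS_ACCESS_ID = 10

# Name-based indicators for the tooling the report names, keyed by intrusion
# phase. Binary spellings are this example's assumptions; a renamed copy will
# not match, which is why the LSASS-access check in triage() complements them.
TOOL_INDICATORS = {
    "credential-access": re.compile(r"mimikatz|lazagne|extpassword", re.I),
    "discovery": re.compile(r"advanced[ _]?ip[ _]?scanner|netscan", re.I),
    # Built-in AD Users and Computers console; baseline which hosts/users run it.
    "ad-enumeration": re.compile(r"mmc\.exe.*dsa\.msc", re.I),
    # wbadmin.exe is the Windows Server Backup CLI; the others are vendor names.
    "backup-enumeration": re.compile(r"wbadmin|ibackup|yosemite", re.I),
    # The SFX archive name from the report; trivially changed, so low confidence.
    "impact-staging": re.compile(r"(^|[\\ ])abc\.exe\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    host: str
    phase: str
    evidence: str


def triage(events):
    """Map raw events (constructed dicts mirroring Sysmon/Security/Defender
    fields) to per-host findings, one per matching phase."""
    findings = []
    for ev in events:
        host, eid = ev["host"], ev["event_id"]
        if eid == DEFENDER_RTP_DISABLED:
            findings.append(Finding(host, "defense-evasion",
                                    "Defender real-time protection disabled (event 5001)"))
        elif eid == PROCESS_ACCESS_ID:
            source = ev.get("source_image", "")
            target = ev.get("target_image", "")
            # Assumed heuristic: handles to lsass.exe from a process that does not
            # live under C:\Windows are worth a look regardless of the binary's name.
            if target.lower().endswith("\\lsass.exe") and \
                    not source.lower().startswith("c:\\windows\\"):
                findings.append(Finding(host, "credential-access",
                                        f"{source} opened a handle to lsass.exe"))
        elif eid in PROCESS_CREATE_IDS:
            text = " ".join(s for s in (ev.get("image", ""), ev.get("command_line", "")) if s)
            for phase, pattern in TOOL_INDICATORS.items():
                if pattern.search(text):
                    findings.append(Finding(host, phase, text))
    return findings


def phases_by_host(findings):
    """Distinct intrusion phases observed on each host, sorted for stable output."""
    phases = defaultdict(set)
    for f in findings:
        phases[f.host].add(f.phase)
    return {host: sorted(p) for host, p in phases.items()}


def prioritize(findings, min_phases=2):
    """Hosts where at least min_phases distinct phases co-occur, most phases first."""
    hits = [(h, p) for h, p in phases_by_host(findings).items() if len(p) >= min_phases]
    hits.sort(key=lambda hp: (-len(hp[1]), hp[0]))
    return [host for host, _ in hits]


# Constructed sample telemetry; ws-02 is a benign control.
SAMPLE_EVENTS = [
    {"host": "ws-01", "event_id": 1, "image": r"C:\Tools\mimikatz.exe", "command_line": ""},
    {"host": "ws-01", "event_id": 10, "source_image": r"C:\Tools\x.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"host": "ws-01", "event_id": 1, "image": r"C:\Tools\Advanced_IP_Scanner.exe", "command_line": ""},
    {"host": "dc-01", "event_id": 4688, "image": r"C:\Windows\System32\mmc.exe",
     "command_line": r'mmc.exe "C:\Windows\System32\dsa.msc"'},
    {"host": "srv-bk", "event_id": 1, "image": r"C:\Windows\System32\wbadmin.exe",
     "command_line": "wbadmin get versions"},
    {"host": "srv-bk", "event_id": 5001, "channel": "Microsoft-Windows-Windows Defender/Operational"},
    {"host": "srv-bk", "event_id": 1, "image": r"C:\Users\Public\abc.exe", "command_line": ""},
    {"host": "ws-02", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe", "command_line": ""},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:8} {f.phase:20} {f.evidence}")
    print("investigate first:", prioritize(found))
```

The per-host correlation is the point: a lone wbadmin invocation or a single dsa.msc launch is routine administration, but a host that shows backup enumeration, a Defender real-time protection shutdown and an unexpected SFX binary within the same window matches the sequence the report describes and should be pulled before the three-hour encryption window closes.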
Since July 2025, Pay2Key has received over $8 million in ransom payments from 170 victims. The group's activity has historically spiked during periods of geopolitical tension involving Iran, such as following US missile strikes last year. However, the report notes unresolved questions about the group's current ownership, as it attempted to sell its entire operation in late 2025 and has ties to Russian-speaking threat actors on criminal forums.
The report warns that Pay2Key remains an active and unpredictable threat, often prioritizing destruction over financial gain. Defenders are urged to monitor the group's evolving tactics and share intelligence proactively. The healthcare sector, in particular, should be vigilant given the group's recent targeting of a US healthcare provider.