Malware & Ransomware · HIGH

Pay2Key Ransomware - Iran-Linked Group Resurfaces with Tactics

Infosecurity Magazine
Tags: Pay2Key, Iran, ransomware, TeamViewer, Mimikatz

Basically, an Iranian hacker group is back, using new tricks to steal data and hold it for ransom.

Quick Summary

The Iranian Pay2Key ransomware group is back, targeting US healthcare providers with advanced tactics. Their resurgence amid geopolitical tensions raises significant risks for various sectors. Organizations must stay vigilant and proactive to defend against these evolving threats.

How It Works

The Pay2Key ransomware group has returned with enhanced evasion techniques and execution capabilities. They are known for targeting organizations aligned with Iranian interests. Recent reports indicate that their activity has intensified, particularly following heightened tensions between the US and Iran. In a recent attack, they exploited vulnerabilities in a US healthcare provider's network. The group used TeamViewer for remote access and Mimikatz for credential harvesting, which gave them easy lateral movement across the victim's network.

Once they had a foothold, the attackers used additional tools to scan for other hosts and validate credentials, including Advanced IP Scanner and ns.exe to enumerate systems on the network. Their approach appears deliberate: they avoided detection by blending in with legitimate administrative activity, which let them stage a swift ransomware deployment.

Who's Being Targeted

The resurgence of Pay2Key has raised alarms among security experts, especially as they have targeted critical sectors like healthcare. Since July 2025, they have reportedly received over $8 million in ransom payments from approximately 170 victims. This indicates a broad impact, affecting various organizations that may be vulnerable to their tactics. The group's focus on US entities, particularly during geopolitical tensions, suggests a politically motivated agenda.

Their targeting strategy raises concerns about the potential for collateral damage. Organizations that may not directly align with Iranian interests could still find themselves in the crosshairs. The group's methods are not solely about financial gain; they also aim to disrupt and damage systems for strategic purposes.

Signs of Infection

Organizations should watch for signs of Pay2Key activity. Indicators include unusual network activity, unauthorized access attempts, and the presence of known tools such as Mimikatz and TeamViewer. Rapid file encryption and the use of self-extracting archives to deploy the ransomware are also key signs; in the latest attack, the entire infrastructure was compromised and encrypted within just three hours.

Moreover, the group has demonstrated the ability to remove traces of its activity, which complicates detection. Its use of a 'No Defender' evasion toolkit reflects the sophistication of its operations. Organizations must proactively monitor their networks for these signs to reduce the risk of a successful attack.
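As an added example that is not part of the original article, the following Python script turns the indicators above into a simple correlation rule over constructed process-creation log lines: it flags a host where remote access (TeamViewer), credential dumping (Mimikatz) and host discovery (Advanced IP Scanner or ns.exe) all appear inside the three-hour window the article describes. The log format and the executable basenames are assumptions (attackers routinely rename tools, so a production detection should also key on behaviour such as LSASS access or scan patterns, not file names alone).

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry): "<timestamp> host=<name> image=<path>".
SAMPLE_EVENTS = [
    "2025-07-14T02:01:10 host=HR-WS07 image=C:\\Program Files\\TeamViewer\\TeamViewer.exe",
    "2025-07-14T02:14:55 host=HR-WS07 image=C:\\Users\\Public\\mimikatz.exe",
    "2025-07-14T02:32:03 host=HR-WS07 image=C:\\Users\\Public\\advanced_ip_scanner.exe",
    "2025-07-14T02:40:41 host=HR-WS07 image=C:\\Windows\\Temp\\ns.exe",
    "2025-07-14T09:10:00 host=FIN-WS02 image=C:\\Program Files\\TeamViewer\\TeamViewer.exe",
]
# Tools named in the article by intrusion stage; basenames are assumed defaults (attackers often rename tools).
TOOL_SIGNATURES = {
    "remote_access": ("teamviewer.exe",),
    "credential_dump": ("mimikatz.exe",),
    "host_discovery": ("advanced_ip_scanner.exe", "ns.exe"),
}
STAGE_OF = {name: stage for stage, names in TOOL_SIGNATURES.items() for name in names}
EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+)$")

def parse_event(line):
    """Return (timestamp, host, lowercase executable basename), or None if the line does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    basename = m.group("image").rsplit("\\", 1)[-1].lower()
    return datetime.fromisoformat(m.group("ts")), m.group("host"), basename

def find_chains(lines, window=timedelta(hours=3)):
    """Return {host: {stage: basename}} for hosts where every stage fires inside one `window`
    (the default mirrors the article's report of full encryption within three hours)."""
    per_host = {}
    for ts, host, basename in filter(None, map(parse_event, lines)):
        stage = STAGE_OF.get(basename)
        if stage:
            per_host.setdefault(host, []).append((ts, stage, basename))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):  # slide the window over each candidate start
            seen = {}
            for ts, stage, basename in hits[i:]:
                if ts - start > window:
                    break
                seen.setdefault(stage, basename)  # keep the earliest hit per stage
            if len(seen) == len(TOOL_SIGNATURES):
                alerts[host] = seen
                break
    return alerts
```

Running `find_chains(SAMPLE_EVENTS)` flags HR-WS07 only; FIN-WS02 shows a lone TeamViewer launch, which on its own is ordinary administrative activity.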

How to Protect Yourself

To defend against the Pay2Key ransomware group, organizations should adopt a multi-layered security approach. This includes regular security audits, employee training on recognizing phishing attempts, and implementing robust access controls. Keeping software and systems updated with the latest patches is crucial to close vulnerabilities that attackers may exploit.

Additionally, organizations should develop an incident response plan that includes backup strategies. Regularly backing up data can help mitigate the impact of a ransomware attack. It is also essential to share threat intelligence within the security community to stay informed about emerging tactics and techniques used by groups like Pay2Key. By staying vigilant and prepared, organizations can better defend against this unpredictable and politically motivated threat.

🔒 Pro insight: Pay2Key's resurgence highlights the need for continuous monitoring and adaptive defenses against politically motivated ransomware threats.

Original article from Infosecurity Magazine
