Pay2Key ransomware activity with enhanced evasion and anti-forensics
Malware Activity
Summary
Pay2Key has re-emerged as a ransomware threat with enhanced evasion, execution and anti-forensics capabilities, increasing the difficulty of detection and response. The latest activity included an attack on a US healthcare provider, where operators used TeamViewer for interactive access, harvested credentials, and moved laterally before encrypting the environment. The operation matters because ransomware execution completed in three hours and investigators found no evidence of data exfiltration, pointing to fast destructive impact and possible evidence suppression.
Related Happenings
Grafana Labs Says GitHub hit by cyberattack
Incident
First: 17.05.2026 10:13
Last: 17.05.2026 10:13
Sources: 1
About this happening:
A **Grafana Labs** incident was later tied to the **Mini Shai-Hulud** supply-chain campaign against **TanStack npm packages**. Grafana said an unauthorized party used a token to a...
Foxconn claimed data leak by Nitrogen ransomware group
Data Leak
First: 13.05.2026 20:13
Last: 13.05.2026 20:13
Sources: 1
About this happening:
The **Nitrogen ransomware group** claimed a **Foxconn data leak** involving **8TB** and more than **11 million files**, raising the risk that confidential manufacturing material t...
Foxconn hit by ransomware attack
Incident
First: 13.05.2026 15:49
Last: 13.05.2026 15:49
Sources: 1
About this happening:
**Foxconn** confirmed that **some North American factories** suffered a **cyberattack**, disrupting manufacturing operations and forcing a recovery effort to keep production and d...
Instructure hit by cyberattack
Incident
First: 04.05.2026 01:16
Last: 04.05.2026 01:16
Sources: 1
About this happening:
**Instructure** disclosed a **cybersecurity incident** that exposed user information and prompted an investigation with outside experts and law enforcement. The event matters beca...
Latest development: 14.05.2026 23:19
The House Committee on Homeland Security and the US Senate Committee on Health, Education, Labor, and Pensions sought briefings from Instructure over the Canvas compromise, pressing the edtech vendor on whether it paid a ransom, what data was affected, how it handled the recent attacks, and whether the incident was linked to a prior Salesforce compromise.
Gentlemen ransomware affiliate campaign expanding toolkit and infrastructure
Campaign
First: 20.04.2026 23:02
Last: 20.04.2026 23:02
Sources: 1
About this happening:
The **Gentlemen ransomware** campaign has now been tied to a **ransomware attack on Oltenia Energy Complex** on the **second day of Christmas**, disrupting **ERP systems**, **docu...
Timeline
- 31.03.2026 16:31 · 1 article · 1mo ago
Iran revives Pay2Key with Russian cybercriminal recruitment
Attribution Update: Iran has revived Pay2Key by recruiting affiliates from Russian cybercriminal forums and positioning the ransomware operation as a punitive arm of the Iranian state against high-impact US targets. KELA says the activity blends ransomware, pseudo-ransomware, and destructive wiper-like behavior, and that the Iran-backed APT Agrius is also using Apostle malware, retrofitted from a data wiper into a ransomware variant, to obscure geopolitical motives.
Sources:
- Iran Deploys 'Pseudo-Ransomware,' Revives Pay2Key Operations — www.darkreading.com — 31.03.2026 16:31
- 26.03.2026 12:45 · 1 article · 2mo ago
Pay2Key report details US healthcare provider intrusion
Technical Analysis Update: Halcyon and Beazley Security described Pay2Key, an Iranian ransomware group active since 2020, as re-emerging with enhanced evasion, execution and anti-forensics capabilities in a campaign against a US healthcare provider. The operators used TeamViewer for interactive access, harvested credentials with Mimikatz, LaZagne and ExtPassword, enumerated hosts with Advanced IP Scanner and ns.exe, pivoted through Active Directory via dsa.msc, and identified backup systems including IBackup, Barracuda Yosemite and Windows Server Backup before launching the ransomware from a self-extracting 7-Zip (SFX) archive, abc.exe. The analysis said encryption of the entire infrastructure took three hours, found no evidence of data exfiltration, and noted that a "No Defender" evasion toolkit was deployed and then removed.
Sources:
- Iran-Linked Pay2Key Ransomware Group Re-Emerges — www.infosecurity-magazine.com — 26.03.2026 12:45