Pay2Key ransomware campaign accelerated by US-Iran tensions
Campaign
Summary
Pay2Key's ransomware operation appears to have accelerated amid recent US-Iran tensions, indicating an active campaign with a broader pool of potential victims. The group has been active since 2020 and, since July 2025, has received more than $8m in ransom payments linked to 170 victims. Its intrusion pattern pairs interactive remote access with credential harvesting, lateral movement and rapid ransomware deployment; in the reported case the victim environment was encrypted within three hours.
Related Happenings
Manufacturing companies face a 2026 ransomware targeting surge
Target Trend
First: 14.05.2026 15:00
Last: 14.05.2026 15:00
Sources 1
About this happening:
**Manufacturing companies** are facing a **2026 ransomware targeting surge**, with aggregated counts reaching **600 attacks** and **55 confirmed victims**, signaling sustained pre...
Foxconn hit by ransomware attack
Incident
First: 13.05.2026 15:49
Last: 13.05.2026 15:49
Sources 1
About this happening:
**Foxconn** confirmed that **some North American factories** suffered a **cyberattack**, disrupting manufacturing operations and forcing a recovery effort to keep production and d...
0APT and KryBit ransomware turf war forces rebuild and rebrand pressure
Threat Actor Meta
First: 28.04.2026 16:00
Last: 28.04.2026 16:00
Sources 1
About this happening:
**0APT** and **KryBit** escalated a ransomware turf war in **April 2026** by leaking each other's operational data, defacing leak sites, and exposing infrastructure details that u...
Gentlemen ransomware affiliate campaign expanding toolkit and infrastructure
Campaign
First: 20.04.2026 23:02
Last: 20.04.2026 23:02
Sources 1
About this happening:
The **Gentlemen ransomware** campaign has now been tied to a **ransomware attack on Oltenia Energy Complex** on the **second day of Christmas**, disrupting **ERP systems**, **docu...
Medusa ransomware post-compromise deployment
Malware Activity
First: 07.04.2026 09:35
Last: 07.04.2026 09:35
Sources 1
About this happening:
**Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
Timeline
26.03.2026 12:45 · 2 articles
Pay2Key re-emerges with enhanced evasion and rapid ransomware execution
Initial Disclosure
A Halcyon and Beazley Security report says the Iranian-linked Pay2Key ransomware group, active since 2020, re-emerged with enhanced evasion, execution and anti-forensics capabilities, and that recent US-Iran tensions appear to have accelerated activity against a US healthcare provider. According to the report, the actors used TeamViewer for interactive access; harvested credentials with Mimikatz, LaZagne and ExtPassword; enumerated hosts with Advanced IP Scanner and ns.exe; pivoted through Active Directory using dsa.msc (the Active Directory Users and Computers snap-in); checked backup systems including IBackup, Barracuda Yosemite and Windows Server Backup; and executed the ransomware through a self-extracting 7-Zip archive (SFX) named abc.exe. The victim environment was encrypted within three hours, no data exfiltration was observed, and the broader Pay2Key operation had received more than $8m in ransom payments linked to 170 victims since July 2025.
- Iran-Linked Pay2Key Ransomware Group Re-Emerges — www.infosecurity-magazine.com — 26.03.2026 12:45
- Iran Deploys 'Pseudo-Ransomware,' Revives Pay2Key Operations — www.darkreading.com — 31.03.2026 16:31
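The tool chain described in the disclosure above (TeamViewer for interactive access, Mimikatz/LaZagne/ExtPassword for credentials, Advanced IP Scanner and ns.exe for host discovery, dsa.msc for Active Directory, backup-product checks, then a 7-Zip SFX payload) is what a hunt team would turn into a staged detection, and the three-hour encryption timeline is why the stages have to be correlated rather than triaged one at a time. The Python below is an added example written for this page, not code from Halcyon, Beazley Security or the page itself: it classifies constructed Sysmon-style process-creation events into the stages named in the summary and raises one alert per host when several distinct stages cluster inside a time window. The Sysmon field names, the fictional hosts and paths, the exact binary filenames, the 7-Zip SFX markers (the stock module's OriginalFileName and the %TEMP%\7ZipSfx.NNN extraction folder) and the 24-hour window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> regexes matched against "<Image> <CommandLine>", lowercased.
# Stages follow the tool chain in the report summary; the exact binary names
# (e.g. lazagne.exe, extpassword64.exe) are assumptions for this example.
STAGE_PATTERNS = {
    "interactive_access": [r"\\teamviewer(_service|_desktop)?\.exe\b"],
    "credential_access":  [r"\\mimikatz\.exe\b", r"\\lazagne(64)?\.exe\b",
                           r"\\extpassword(64)?\.exe\b"],
    "host_discovery":     [r"\\advanced_ip_scanner\.exe\b", r"\\ns\.exe\b"],
    # dsa.msc (AD Users and Computers) runs inside mmc.exe with the snap-in on the command line
    "ad_enumeration":     [r"\\mmc\.exe\b.*\bdsa\.msc\b"],
    "backup_discovery":   [r"\\wbadmin\.exe\b", r"\bibackup\b", r"\byosemite\b"],
    # Assumed marker: a 7-Zip SFX unpacks its payload into %TEMP%\7ZipSfx.NNN\ before running it
    "sfx_execution":      [r"\\7zipsfx\.\d{3}\\"],
}

# Assumed marker: 7-Zip SFX stubs keep the stock module's version info, so the
# OriginalFileName of a renamed stub such as abc.exe still reads 7z.sfx / 7zS.sfx / 7zSD.sfx.
SFX_ORIGINAL_NAME = re.compile(r"7z(s|sd)?\.sfx")


def classify(ev):
    """Return the set of intrusion stages a single process-creation event matches."""
    hay = f"{ev.get('Image', '')} {ev.get('CommandLine', '')}".lower()
    stages = {stage for stage, pats in STAGE_PATTERNS.items()
              if any(re.search(p, hay) for p in pats)}
    if SFX_ORIGINAL_NAME.fullmatch(ev.get("OriginalFileName", "").lower()):
        stages.add("sfx_execution")
    return stages


def correlate(events, window=timedelta(hours=24), min_stages=3):
    """Per host, slide a time window over matching events and alert when at
    least min_stages distinct stages fall inside it. One alert per host."""
    by_host = defaultdict(list)
    for ev in events:
        stages = classify(ev)
        if stages:
            ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
            by_host[ev["Computer"]].append((ts, stages, ev["Image"]))
    alerts = []
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _, _) in enumerate(hits):
            seen, evidence = set(), []
            for ts, stages, image in hits[i:]:
                if ts - start > window:
                    break
                seen |= stages
                evidence.append(image)
            if len(seen) >= min_stages:
                alerts.append({"host": host,
                               "first": start.strftime("%Y-%m-%d %H:%M:%S"),
                               "stages": sorted(seen),
                               "evidence": evidence})
                break
    return alerts


# Constructed Sysmon Event ID 1-style events (fictional hosts, users and timestamps).
# FS01 shows the full chain in two hours; DC01 has two tools nine days apart; WS07 is an
# administrator legitimately opening dsa.msc.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-03-10 01:12:04", "Computer": "FS01",
     "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "CommandLine": r'"C:\Program Files\TeamViewer\TeamViewer.exe"', "OriginalFileName": "TeamViewer.exe"},
    {"UtcTime": "2026-03-10 01:40:31", "Computer": "FS01",
     "Image": r"C:\Users\svc_admin\Downloads\mimikatz.exe",
     "CommandLine": r'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit', "OriginalFileName": "mimikatz.exe"},
    {"UtcTime": "2026-03-10 02:05:12", "Computer": "FS01",
     "Image": r"C:\Users\svc_admin\Downloads\advanced_ip_scanner.exe",
     "CommandLine": r'"C:\Users\svc_admin\Downloads\advanced_ip_scanner.exe"', "OriginalFileName": "advanced_ip_scanner.exe"},
    {"UtcTime": "2026-03-10 02:30:45", "Computer": "FS01",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\system32\dsa.msc"', "OriginalFileName": "mmc.exe"},
    {"UtcTime": "2026-03-10 02:55:09", "Computer": "FS01",
     "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin get versions", "OriginalFileName": "WBADMIN.EXE"},
    {"UtcTime": "2026-03-10 03:10:00", "Computer": "FS01",
     "Image": r"C:\Users\svc_admin\Downloads\abc.exe",
     "CommandLine": r'"C:\Users\svc_admin\Downloads\abc.exe"', "OriginalFileName": "7zS.sfx"},
    {"UtcTime": "2026-03-10 03:11:02", "Computer": "FS01",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\svc_admin\AppData\Local\Temp\7ZipSfx.000\run.bat"', "OriginalFileName": "Cmd.Exe"},
    {"UtcTime": "2026-03-01 10:00:00", "Computer": "DC01",
     "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "CommandLine": r'"C:\Program Files\TeamViewer\TeamViewer.exe"', "OriginalFileName": "TeamViewer.exe"},
    {"UtcTime": "2026-03-10 02:00:00", "Computer": "DC01",
     "Image": r"C:\Temp\mimikatz.exe", "CommandLine": "mimikatz.exe", "OriginalFileName": "mimikatz.exe"},
    {"UtcTime": "2026-03-10 09:00:00", "Computer": "WS07",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\system32\dsa.msc"', "OriginalFileName": "mmc.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"{alert['host']} first seen {alert['first']}: {', '.join(alert['stages'])}")
        for image in alert["evidence"]:
            print(f"  {image}")
```

Only FS01 trips the alert: DC01's two hits are nine days apart, and WS07's lone dsa.msc launch is exactly the kind of single event that is routine for an administrator and noise as a standalone rule. The OriginalFileName check is the part worth keeping even if the rest is rewritten for a SIEM, because it survives the payload being renamed to something as unremarkable as abc.exe.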