Iran recruits Russian cybercriminals to scale Pay2Key's state-backed ransomware model
Threat Actor Meta
Summary
Iran is recruiting Russian cybercriminals to expand Pay2Key as a state-backed ransomware arm, increasing hybrid offensive capacity against US and Israeli targets. The model blurs state-crime boundaries by pairing geopolitical tasking with criminal affiliate incentives, making attribution and response more difficult. It also raises the risk of sanctions exposure when extortion proceeds or collaborators are tied to state-linked entities.
Related Happenings
Pay2Key ransomware campaign accelerated by US-Iran tensions
Campaign
First: 26.03.2026 12:45
Last: 26.03.2026 12:45
Sources 1
How related:
As part of these activities, Iran has once again revived Pay2Key, an Iranian state-backed ransomware operation, by recruiting affiliates from Russian cybercriminal forums, according to a report from KELA's Cyber Intelligence Center published this week.
About this happening:
Pay2Key's ransomware operation appears to have accelerated amid **recent US-Iran tensions**, indicating an active campaign with broader victimization risk. The group has been acti...
Pay2Key ransomware activity with enhanced evasion and anti-forensics
Malware Activity
First: 26.03.2026 12:45
Last: 26.03.2026 12:45
Sources 1
How related:
Iran has once again revived Pay2Key, an Iranian state-backed ransomware operation, by recruiting affiliates from Russian cybercriminal forums, according to a report from KELA's Cyber Intelligence Center published this week.
About this happening:
**Pay2Key** has re-emerged as a **ransomware** threat with enhanced **evasion, execution and anti-forensics** capabilities, increasing the difficulty of detection and response. Th...
Latest development: 31.03.2026 16:31
Iran has revived Pay2Key by recruiting affiliates from Russian cybercriminal forums and positioning the ransomware operation as a punitive arm of the Iranian state against high-impact US targets. KELA says the activity blends ransomware, pseudo-ransomware, and destructive wiper-like behavior, and that Iran-backed APT Agrius is also using Apostle malware, retrofitted from a data wiper into a ransomware variant, to obscure geopolitical motives.
Timeline
- 31.03.2026 16:31 · 2 articles · 1mo ago
Iran revives Pay2Key with Russian affiliates and pseudo-ransomware
Initial Disclosure: Iran recruits Russian cybercriminals to expand Pay2Key as a state-backed ransomware arm aimed at high-impact US targets and other US and Israeli interests, while pseudo-ransomware tactics use encryption to mask destructive wiper-like activity. The blended model increases attribution confusion, business disruption, and sanctions exposure if ransom payments reach state-linked entities.
Sources:
- Iran Deploys 'Pseudo-Ransomware,' Revives Pay2Key Operations — www.darkreading.com — 31.03.2026 16:31