
Pay2Key ransomware returns: Iranian-linked group targets financial and energy sectors in new wave

23 July 2025 · 2 min read

Ransomware

A familiar adversary, a refined playbook

The Pay2Key ransomware group, previously linked to Iran’s cyber operations, is back — this time with a faster, quieter, and more targeted campaign.

According to multiple threat intel sources and forensic reports, Pay2Key is leveraging new backdoor variants, faster encryption routines, and improved anti-forensic techniques to breach organizations in the financial and energy sectors across Europe and the Middle East.

This resurgence appears to be part of a broader coordinated campaign attributed to state-aligned actors, focused on disruption and data exfiltration — not just extortion.

What’s new in the 2025 wave?

Pay2Key’s TTPs have evolved significantly since its first wave of activity in 2020–2021. Here’s what’s been observed:

  • Initial access: Exploiting known vulnerabilities in VPN appliances, RDP endpoints, and unpatched web servers
  • Backdoor: Deployment of new variants of “FoxShell”, a lightweight command-and-control framework with embedded tunneling
  • Lateral movement: Leveraging legitimate tools like PsExec, WMI, and AD enumeration scripts to maintain stealth
  • Encryption: Quicker file-locking with selective targeting (finance systems, SAP databases, ESXi infrastructure)
  • Data exfiltration: Evidence of staged data dumps — suggesting that theft, not ransom, may be the long-term objective

In multiple cases, ransom notes were never delivered, or served only as a cover for deeper intrusions.

What we’ve seen

In a recent incident response for a Tier 1 supplier in the energy sector, Cyber Protocol analysts traced a Pay2Key-style intrusion that used:

  • A compromised third-party VPN account
  • FoxShell beaconing disguised as Git traffic
  • A hardcoded exfil endpoint mapped to an IP previously tied to APT39 (Charming Kitten)
  • No ransom demand — only quiet file access and selective data packaging

These kinds of “quiet” ransomware operations are increasingly being used as cover for espionage or disruption-as-a-service campaigns.

What you should do now

Pay2Key-style attacks are fast-moving and strategically disruptive. Organizations in critical sectors should:

  1. Patch externally exposed infrastructure immediately: Prioritize VPN, Citrix, SharePoint, and RDP endpoints.
  2. Harden lateral movement pathways: Disable legacy protocols (e.g., SMBv1), enforce segmentation, and restrict service account privileges.
  3. Hunt for FoxShell indicators: Look for abnormal traffic in outbound Git/TLS sessions, and inspect for encoded PowerShell execution in logs.
  4. Implement egress filtering and DLP rules: The exfil pattern is highly structured — blocking outbound to known IPs is no longer enough.
  5. Run internal incident simulation drills: Especially those that simulate no-ransom detection paths — many attacks are missed because there’s no extortion note.
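A minimal hunting routine for the two indicators named in step 3 (Git-disguised beaconing to unexpected hosts, and encoded PowerShell execution), added here as an illustration and not part of Cyber Protocol's tooling. The pipe-delimited log format, the Git host allow-list and the sample lines are constructed assumptions.

```python
import base64
import re

# Assumption: Git endpoints this organisation legitimately talks to.
KNOWN_GIT_HOSTS = {"github.com", "gitlab.com", "git.corp.example"}

# PowerShell's encoded-command switch: the documented -EncodedCommand, -e and -ec
# forms plus the commonly seen -enc prefix, followed by a base64 blob.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries a base64 UTF-16LE payload, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a valid PowerShell encoding; leave for manual review


def flag_git_traffic(dst_host: str, user_agent: str) -> bool:
    """True when a Git-looking client talks to a host outside the allow-list."""
    return user_agent.lower().startswith("git/") and dst_host.lower() not in KNOWN_GIT_HOSTS


def hunt(lines):
    """Scan constructed log lines: proc|host|user|cmdline or proxy|host|dst|user_agent."""
    findings = []
    for line in lines:
        kind, host, a, b = line.split("|", 3)
        if kind == "proc":
            decoded = decode_encoded_command(b)
            if decoded is not None:
                findings.append((host, "encoded-powershell", decoded))
        elif kind == "proxy" and flag_git_traffic(a, b):
            findings.append((host, "git-to-unknown-host", a))
    return findings


# Constructed sample telemetry (203.0.113.0/24 is a documentation range, not a real IoC).
PAYLOAD = base64.b64encode("Write-Output test".encode("utf-16-le")).decode()
SAMPLE_LOGS = [
    "proc|ws-042|alice|powershell.exe -NoProfile -ExecutionPolicy Bypass -enc " + PAYLOAD,
    "proc|ws-042|alice|powershell.exe -NoProfile -File build.ps1",
    "proxy|ws-042|github.com|git/2.45.2",
    "proxy|ws-042|203.0.113.9|git/2.45.2",
]

if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_LOGS):
        print(f"{host}: {rule}: {detail}")
```

The user-agent check is only a first-pass filter; a client can mimic any string, so treat a hit as a lead to corroborate with TLS metadata and session timing, not as proof on its own.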