

Ethical Hacking News

The Resurgence of Pay2Key Ransomware: A Decentralized Ecosystem of Cybercrime



  • Pay2Key, an Iranian-backed ransomware-as-a-service (RaaS), has emerged with a new variant called Pay2Key.I2P, which has been linked to Fox Kitten and Mimic hacking groups.
  • The new model allows developers to capture the full ransom from successful attacks, creating a decentralized ecosystem where they earn profits from attack success rather than just selling the tool.
  • Iranian hacking groups, including MuddyWater and APT33, have been targeting transportation and manufacturing organizations in the US, with retaliation against American airstrikes on Iranian nuclear facilities possible.
  • The threat posed by Pay2Key.I2P includes advanced, evasive ransomware that threatens Western organizations, with attackers receiving an 80% profit share for supporting Iran or participating in attacks against its enemies.
  • Pay2Key has used various evasion techniques to run unimpeded, disabling Microsoft Defender Antivirus and deleting malicious artifacts to minimize the forensic trail.


    The cyber threat landscape has witnessed a resurgence of a notorious Iranian-backed ransomware-as-a-service (RaaS) known as Pay2Key, which has been linked to the Fox Kitten (also referred to as Lemon Sandstorm) hacking group and closely tied to the well-known Mimic ransomware. According to Morphisec security researcher Ilia Kulmin, Pay2Key.I2P, the latest iteration of this RaaS operation, emerged on the scene in February 2025, claiming over 51 successful ransom payouts in four months, netting it more than $4 million in ransom payments and $100,000 in profits for individual operators. This new variant of Pay2Key is hosted on the Invisible Internet Project (I2P), a further step in the evolution of RaaS operations.

    Pay2Key.I2P's operational structure is different from traditional RaaS models, where developers take a cut only from selling the ransomware. Instead, this model allows them to capture the full ransom from successful attacks, only sharing a portion with the attackers who deploy it. This shift moves away from a simple tool-sale model, creating a more decentralized ecosystem, where ransomware developers earn from attack success rather than just from selling the tool.

    The U.S. government has warned of retaliatory attacks by Iran after American airstrikes on three nuclear facilities in the country. Operational technology (OT) security company Nozomi Networks said it has observed Iranian hacking groups like MuddyWater, APT33, OilRig, Cyber Av3ngers, Fox Kitten, and Homeland Justice targeting transportation and manufacturing organizations in the U.S.

    The findings come as Pay2Key.I2P represents a dangerous convergence of Iranian state-sponsored cyber warfare and global cybercrime. According to Morphisec, this RaaS operation threatens Western organizations with advanced, evasive ransomware. The attackers who deploy it receive an 80% profit share for supporting Iran or participating in attacks against the enemies of Iran.

    Beyond its Windows build, Pay2Key.I2P now includes an option to target Linux systems, which indicates that the threat actors are actively refining and improving the locker's functionality. The Windows build is delivered as a Windows executable inside a self-extracting (SFX) archive.

    Pay2Key has used various evasion techniques that allow it to run unimpeded, disabling Microsoft Defender Antivirus and deleting the malicious artifacts deployed during the attack to minimize the forensic trail. The latest variant has been observed advertised on a Russian darknet forum, where users who deploy the ransomware binary are offered a $20,000 payout per successful attack.

    To put this into perspective, Pay2Key's emergence comes as the U.S. cybersecurity and intelligence agencies have warned of retaliatory attacks by Iran after American airstrikes on three nuclear facilities in the country. This underscores the threat posed by Iranian-backed cyberattacks against organizations worldwide.

    The attack campaigns have been linked to known APT groups such as Fox Kitten and Mimic, which have a history of carrying out ransomware attacks using covert partnerships with NoEscape, RansomHouse, and BlackCat (also referred to as ALPHV) crews.

    Nozomi Networks has detected 28 cyberattacks related to Iranian threat actors between May and June 2025. The company urged industrial and critical infrastructure organizations in the U.S. and abroad to be vigilant and review their security posture.

    The resurgence of Pay2Key ransomware serves as a reminder that the global threat landscape is constantly evolving, with new players and tactics emerging regularly. Cybersecurity experts recommend that organizations implement robust security measures to protect themselves against such threats.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Resurgence-of-Pay2Key-Ransomware-A-Decentralized-Ecosystem-of-Cybercrime-ehn.shtml

  • https://thehackernews.com/2025/07/iranian-backed-pay2key-ransomware.html


  • Published: Fri Jul 11 07:07:05 2025 by llama3.2 3B Q4_K_M