# Iran-Linked APTs Deploy 'Pseudo-Ransomware' in Revived Pay2Key Campaign Against US Organizations
Iranian threat actors are blurring the line between state-sponsored espionage and cybercriminal extortion, deploying ransomware-like tactics without encryption to pressure high-value US targets into paying ransom demands.
## The Threat
Iranian Advanced Persistent Threat (APT) groups have resumed operations under the Pay2Key banner, adopting a novel approach they've dubbed "pseudo-ransomware"—malicious activity that mimics traditional ransomware behavior but abandons the actual encryption of victim data. Instead, attackers are threatening to publicly release sensitive information and disrupt operations, effectively weaponizing data theft as their primary leverage mechanism.
This tactic represents a significant shift in Iranian cyber operations, moving away from pure data exfiltration toward aggressive extortion campaigns targeting critical infrastructure, financial institutions, and Fortune 500 companies across the United States. The approach eliminates the technical overhead of encryption while maintaining the psychological pressure and financial impact on victims.
"The rebranding and tactical evolution of these campaigns demonstrates Iran's willingness to adopt profitable cybercriminal techniques alongside traditional state-sponsored objectives," according to cybersecurity analysts tracking the activity. The campaigns have already impacted multiple high-profile US organizations, with attackers demanding six- and seven-figure ransom payments.
## Background and Context: Pay2Key's Evolution
Pay2Key first emerged in 2020 as a financially motivated threat group, initially attributed to independent cybercriminals. The group specialized in targeting Israeli financial institutions and critical infrastructure before expanding operations to include organizations across North America and Europe. Early Pay2Key campaigns focused on data theft, selling compromised information on darknet markets and conducting extortion operations.
By 2021, cybersecurity researchers at Check Point and other firms began connecting Pay2Key operations to Iranian state infrastructure, identifying overlapping command-and-control (C2) servers, shared tools, and operational patterns consistent with known Iranian APT groups. The evidence suggested state actors had either recruited the group, taken over its operations, or were operating under the Pay2Key banner as a front for deniable activity.
Key timeline of evolution:
| Year | Activity | Notable Targets |
|------|----------|-----------------|
| 2020 | Group emergence, Israeli financial focus | Banks, exchanges |
| 2021 | Attribution to Iranian infrastructure | North American expansion |
| 2022 | Dormancy period | (minimal activity) |
| 2025-2026 | Pseudo-ransomware campaigns resume | US critical infrastructure, Fortune 500 |
The group's dormancy from 2022 through 2024 led security researchers to believe the operation had been dismantled or deprioritized. The current resurgence suggests Iranian cyber operations have refined their approach, combining the profitability of criminal extortion with the reach and resources of state-sponsored actors.
## Technical Details: How Pseudo-Ransomware Works
The current Pay2Key campaigns employ a multi-stage attack methodology that diverges sharply from traditional ransomware tactics:
### Stage 1: Initial Access
Attackers gain entry through phishing campaigns, compromised credentials obtained from previous breaches, and exploitation of unpatched vulnerabilities in edge devices—particularly VPNs, firewalls, and remote desktop services. Targeted spear-phishing emails leverage legitimate business contexts and social engineering to bypass user awareness training.
### Stage 2: Persistence and Reconnaissance
Once inside networks, attackers establish persistent backdoors using legitimate administrative tools (living-off-the-land techniques) and conduct extensive reconnaissance to identify:
### Stage 3: Data Exfiltration
Rather than deploying encryption payloads, attackers focus entirely on stealing sensitive data, often leveraging cloud storage services and legitimate file transfer mechanisms to avoid detection. Exfiltration can take weeks or months, depending on data volume and network monitoring.
### Stage 4: Extortion Without Encryption
Attackers send ransom demands accompanied by proof of access—sample files, screenshots of sensitive data, or system information—without deploying any encryption. This eliminates the technical barriers to recovery (decryption keys) while maintaining pressure through:
Why pseudo-ransomware is effective:
## Implications for Organizations
The resurgence of Pay2Key operations under this new model carries significant consequences:
### Financial Impact
Organizations face direct ransom demands (often $1-7 million) without the ability to recover encrypted systems through backups—a common recovery path from traditional ransomware. Additionally, regulatory fines, incident response costs, and reputational damage compound the financial burden.
### Geopolitical Considerations
The Iranian government's apparent shift toward profitable cybercriminal tactics suggests a strategic evolution: using criminal operations to generate revenue while maintaining plausible deniability and testing attack methodologies on high-value targets. This blurs traditional boundaries between statecraft and criminality, complicating attribution and response.
### Sectoral Targeting
Pay2Key campaigns disproportionately target:
### Operational Risk
Beyond data theft and extortion, prolonged attacker presence inside networks creates risks of:
## Recommendations
### For Security Teams
1. Threat Hunting: Implement active hunting for tools and indicators associated with Pay2Key campaigns, including known C2 infrastructure and credential harvesting patterns.
2. Segmentation: Isolate critical data repositories and financial systems behind zero-trust network architectures. Assume breach conditions and segment accordingly.
3. Extended Detection and Response (XDR): Deploy comprehensive monitoring across endpoints, networks, and cloud environments to detect lateral movement and data exfiltration patterns.
4. Backup Strategy: Maintain offline, immutable backups disconnected from production networks—though note that backups restore availability, not confidentiality, so they do not relieve the pressure in a pure data-theft extortion scenario.
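Because pseudo-ransomware never encrypts, the detection opportunity described under Stage 3 and in the XDR recommendation above lies in the exfiltration itself: slow, multi-day uploads to cloud storage that look like ordinary business traffic. The following added example (not from the original article or any vendor product) baselines each host's daily upload volume to a watchlist of storage and file-transfer domains and flags days that spike far above that host's own median; the log format, domain watchlist, host names and thresholds are all constructed for illustration.

```python
# Added example: flag low-and-slow uploads to cloud storage by comparing each
# host's daily upload volume against its own median. Constructed proxy-log
# format (hypothetical): <ISO timestamp> <source host> <destination domain> <bytes sent>
from collections import defaultdict
from statistics import median

# Illustrative watchlist of storage/transfer services (constructed; an analyst
# would populate it from their own proxy URL categories).
CLOUD_STORAGE_DOMAINS = {"onedrive.live.com", "drive.google.com",
                         "dropbox.com", "transfer.example"}

# Constructed log: ws-042 shows a single-night burst to an external transfer
# site; ws-117 moves far more data, but only to an internal share.
SAMPLE_LOG = """\
2025-03-03T09:12:01 ws-042 onedrive.live.com 1200000
2025-03-04T10:05:44 ws-042 onedrive.live.com 1500000
2025-03-05T11:30:09 ws-042 onedrive.live.com 1100000
2025-03-06T02:14:27 ws-042 transfer.example 350000000
2025-03-06T03:01:55 ws-042 transfer.example 400000000
2025-03-07T09:44:12 ws-042 onedrive.live.com 1300000
2025-03-03T09:00:00 ws-117 onedrive.live.com 2000000
2025-03-04T09:00:00 ws-117 onedrive.live.com 2100000
2025-03-05T09:00:00 ws-117 fileshare.corp.internal 900000000
2025-03-06T09:00:00 ws-117 onedrive.live.com 1900000
"""

def daily_cloud_bytes(log_text):
    """Return {host: {day: bytes}}, counting only traffic to watchlisted domains."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        ts, host, domain, sent = line.split()
        if domain in CLOUD_STORAGE_DOMAINS:
            totals[host][ts[:10]] += int(sent)
    return totals

def flag_exfil_days(log_text, ratio=5.0, min_bytes=100_000_000):
    """Flag (host, day, bytes) where a day's upload volume exceeds both `ratio`
    times the host's median day and an absolute floor that suppresses noise
    from hosts that normally upload almost nothing."""
    flagged = []
    for host, days in daily_cloud_bytes(log_text).items():
        baseline = median(days.values())   # tolerates one burst day in the window
        for day, sent in sorted(days.items()):
            if sent >= min_bytes and sent > ratio * baseline:
                flagged.append((host, day, sent))
    return flagged

if __name__ == "__main__":
    for host, day, sent in flag_exfil_days(SAMPLE_LOG):
        print(f"{host} {day}: {sent / 1e6:.0f} MB to cloud storage, above baseline")
```

On the constructed data only ws-042 on 2025-03-06 is flagged; ws-117's large internal transfer is ignored because the destination is not on the watchlist, which is the usual reason such heuristics need a per-organization domain list rather than a generic one.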
### For Organizations
1. Incident Response Planning: Develop clear protocols for data theft extortion scenarios, including legal, communications, and law enforcement notification procedures.
2. Regulatory Engagement: Notify the appropriate authorities (CISA, the FBI, and the sector's ISAC) immediately upon discovery of Pay2Key activity.
3. Credential Management: Enforce multi-factor authentication (MFA) organization-wide, prioritize VPN and remote access hardening, and rotate credentials regularly.
4. Intelligence Sharing: Participate in information sharing communities focused on Iranian cyber threats and Pay2Key indicators of compromise.
### For Policymakers
Coordinate with international partners on attribution and consequences for Iranian cyber operations masquerading as criminal activity. The use of cybercriminal fronts as a revenue and testing ground for state-sponsored capabilities represents an escalation requiring coordinated response.
---
The resurgence of Pay2Key operations marks a new chapter in the intersection of state-sponsored espionage and cybercriminal activity. Organizations must assume Iranian APTs will continue refining these techniques, prioritizing preparedness, detection, and rapid response as essential defensive measures.