Article Details

Scrape Timestamp (UTC): 2025-07-09 06:40:33.401

Source: https://www.theregister.com/2025/07/09/iranian_ransomware_crew_reemerges/

Original Article Text


Iranian ransomware crew reemerges, promises big bucks for attacks on US or Israel

Tells would-be affiliates they don't need to worry because cyberattacks don't violate a cease fire

An Iranian ransomware-as-a-service operation with ties to a government-backed cyber crew has reemerged after a nearly five-year hiatus, and is offering would-be cybercriminals cash to infect organizations in the US and Israel.

The malware, an updated version of 2020's Pay2Key, previously linked to Tehran's Pioneer Kitten, now uses several of the Mimic ransomware's capabilities, according to the threat research team at Morphisec, a purveyor of defensive security products.

In a June 23 post screenshotted by the security firm and shared in a Tuesday report [PDF], the ransomware crew that now uses the name "Pay2Key.I2P" promised a "favorable percentage (80 percent instead of 70 percent) for anyone engaged in an attack against enemies of Iran. This is primarily Israel and the United States. Write in support."

The threat researchers replied expressing mock support, gained the criminals' trust, and used the connection to collect information about Pay2Key.I2P's operations and malware.

After analyzing the gang's updated ransomware and uncovering significant similarities between it and ELENOR-Corp., a Mimic ransomware variant, the Morphisec team concluded that "Pay2Key.I2P appears to partner with or incorporate Mimic's capabilities."

Echoing the words of former NATO hacker Candan Bolukbas, who previously told The Register, "In the cyber world, there's no such thing as a ceasefire," Pay2Key promised its affiliates anonymity so they could continue infecting organizations with ransomware without breaking the ceasefire:

"Despite the fake temporary truce issued by the frightened USA, we continue to fight… As part of the Pay2Key project, we respect our own anonymity and the privacy of our customers. We are prepared to provide you with better terms to attack Iran's enemies without requiring confirmation in return. Anonymity will allow us to operate underground without violating the terms of the so-called truce."

Five-year break

Researchers first identified Pay2Key ransomware in late 2020, when its masters primarily targeted Israeli companies. Alleged victims included Habana Labs, an Israel-based chip startup that Intel acquired in 2019. In December 2020, the criminals claimed on Twitter to have stolen, and threatened to leak, 53GB of data from the chipmaker.

At the time, security firms Check Point and Clear Sky linked Pay2Key to the Iranian government-backed threat group Pioneer Kitten (aka Fox Kitten).

After the late 2020 attacks, the group went mostly silent until reemerging in early 2025 as a ransomware-as-a-service operation wielding Pay2Key.I2P. The "I2P" part of the name refers to I2P, an anonymous network similar to Tor, and Pay2Key is unusual in that it hosts its ransomware website on I2P instead of the more commonly used Tor-hosted leak sites.

The group initially advertised for affiliates on Russian and Chinese darknet forums, and also used X to promote its evil wares. Operations shifted into high gear following Iran's military conflict with Israel and the US, and by the end of June the criminals claimed to have made more than $4 million after securing 50 ransomware payments during the operation's four months in business.

The criminals also made significant updates to the malware, adding a build to target Linux and offering a higher payout for attacks against the US and Israel. Considering its ties to both Pioneer Kitten and Mimic ransomware, plus an 80 percent profit incentive for attacks against the US and Israel, "Pay2Key.I2P represents a dangerous convergence of Iranian state-sponsored cyber warfare and global cybercrime," Morphisec's researchers wrote.

The Morphisec report follows a US Homeland Security advisory last month about a "heightened threat environment in the United States" following the American airstrikes against Iranian nuclear facilities. The terrorism advisory urged American businesses to guard their networks against Iranian government-sponsored cyberattacks and "low-level" digital intrusions by pro-Iran hacktivists.

Daily Brief Summary

NATION STATE ACTIVITY // Iranian Ransomware Group Targets U.S. and Israel, Incentivizes Attacks

Iranian ransomware group reactivates after five years, now named “Pay2Key.I2P,” offers cash for cyberattacks on the US and Israel.

Updated malware builds on 2020's Pay2Key with features from Mimic ransomware, promising 80% payouts for attacks on "enemies of Iran."

Morphisec researchers used undercover communication to gather intelligence on Pay2Key.I2P's operations and malware.

The affiliation between Pay2Key.I2P, Pioneer Kitten, and Mimic ransomware signals a blend of Iranian state-sponsored cyber initiatives and organized global cybercrime.

Pay2Key.I2P operational enhancements include the use of I2P networks for anonymity and expanded target strategies to include Linux systems.

Within four months of operation, the group claimed to have collected over $4 million from 50 ransom payments.

The group advertises its ransomware-as-a-service on darknet forums in Russia and China while also targeting American corporations following recent U.S.-Iran tensions.

U.S. Homeland Security has issued an advisory alerting to the elevated threat level, urging increased network defenses against Iranian cyber threats.