Iran-Backed Pay2Key Ransomware Makes a Comeback with Increased 80% Profit Incentive for Cybercriminals

Jul 11, 2025
Cyber Warfare / Cybercrime

The Iranian-backed ransomware-as-a-service (RaaS) operation Pay2Key has reemerged amid the escalating Israel-Iran-U.S. conflict, now offering larger financial rewards to cybercriminals who target Israel and the U.S. Operating under the new name Pay2Key.I2P, the scheme is believed to be associated with the hacking group known as Fox Kitten (also referred to as Lemon Sandstorm). According to Morphisec security researcher Ilia Kulmin, “Pay2Key.I2P appears to be affiliated with the notorious Fox Kitten APT group and shares capabilities with the well-known Mimic ransomware.” The group has officially raised its profit share for affiliates who support Iran or conduct attacks against its adversaries to 80%, up from 70%, underscoring the operation's ideological motivation. Last year, the U.S. government identified the advanced persistent threat (APT) group's strategy of executing ransomware attacks through covert partnerships with affiliates.


The ransomware-as-a-service (RaaS) model known as Pay2Key, linked to Iranian interests, has resurfaced amid escalating tensions in the ongoing conflict between Israel, Iran, and the United States. The revamped operation, now identified as Pay2Key.I2P, is targeting entities in both Israel and the U.S., offering an increased profit share of 80% for cybercriminals who execute attacks in support of Iranian interests.

Security researchers have connected Pay2Key.I2P to the hacking group Fox Kitten, also referred to as Lemon Sandstorm. This group is notorious for its sophisticated cyber operations and is believed to leverage capabilities from the well-known Mimic ransomware. Ilia Kulmin, a researcher from Morphisec, noted that “Pay2Key.I2P appears to partner with or integrate aspects of Mimic’s infrastructure,” highlighting a strategic collaboration aimed at enhancing the potency of the ransomware’s attacks.

The recent adjustments to the service’s profit-sharing model signify a clear ideological alignment with Iranian objectives, as the group seeks to incentivize affiliates who actively support its adversarial campaigns against perceived enemies. Previously offering a profit share of 70%, the increase to 80% suggests a concerted effort to attract more participants into its ransomware ecosystem.

Last year, the U.S. government disclosed specific methodologies used by the advanced persistent threat (APT) actors involved in this activity. The attacks typically combine a range of tactics for infiltrating target networks, many of which map to techniques catalogued in the MITRE ATT&CK framework. Initial access is commonly achieved through phishing campaigns, while persistence is maintained by implanting backdoors or other malicious software designed to remain undetected over time.

Beyond initial access and persistence, privilege escalation techniques give attackers broader control over compromised systems, which in turn facilitates deployment of the ransomware payload. The evolving cybercrime landscape, exemplified by operations such as Pay2Key.I2P, underscores the need for robust security controls at organizations likely to be targeted in politically charged scenarios.

Organizations must remain vigilant in the face of these threats, as the intersection of geopolitics and cybercrime continues to reshape the security landscape. Understanding the tactics and techniques employed by adversaries, alongside implementing comprehensive security controls, is essential to mitigating the risks posed by this interconnected set of threats. As the situation develops, organizations should prioritize not only technical defenses but also strategic planning to navigate this uncertain environment effectively.
