Iran Deploys 'Pseudo-Ransomware,' Revives Pay2Key Operations

Divergent

Jul 26, 2025
Iran is recruiting Russian cybercriminals and engaging in other creative partnerships that blur the lines between state and criminal cyber activities to advance its geopolitical objectives in its ongoing war with the US and Israel.

As part of these activities, Iran has once again revived Pay2Key, an Iranian state-backed ransomware operation, by recruiting affiliates from Russian cybercriminal forums, according to a report from KELA's Cyber Intelligence Center published this week. Iran is using Pay2Key "as a punitive arm of the Iranian state," to attack "high-impact US targets," according to the report.

Executive Summary

Confirmed Facts

Iranian state-sponsored actors have revived the Pay2Key ransomware operation by recruiting cybercriminal affiliates to strike "high-impact US targets" and act as a "punitive arm of the Iranian state."

Assessment
This represents a hybrid threat model where state-backed entities use the cybercriminal ecosystem (Initial Access Brokers) to deploy pseudo-ransomware. This tactic acts as a smokescreen for destructive wiper attacks while intentionally triggering severe OFAC compliance risks for victim organizations.

Technical Analysis & Remediations

MITRE ATT&CK Mapping

T1486 (Data Encrypted for Impact)
T1561 (Disk Wipe)
T1190 (Exploit Public-Facing Application)

CVE Profile
Unknown [CISA KEV Status: Inactive]
Specific edge-device vulnerabilities are undefined in the source telemetry (Origin: Insufficient Evidence).

Constraint
Based on current 2026 KELA intelligence, the payload structure suggests a pseudo-ransomware/wiper hybrid (such as retrofitted Apostle malware or Linux ChaCha20 encryptors) designed strictly for data destruction rather than financial recovery.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Halt all ransom payment negotiations immediately to prevent severe legal and financial penalties associated with violating U.S. Treasury OFAC sanctions against Iranian entities.

DETECT (DE) – Monitoring & Analysis

Command
Hunt for anomalous access patterns on internet-facing edge devices (VPNs, firewalls) typically exploited by Initial Access Brokers (IABs) prior to payload deployment.

RESPOND (RS) – Mitigation & Containment

Command
Isolate affected segments immediately; treat the incident as a destructive wiper attack rather than a recoverable ransomware event. Do not rely on decryption tools.

RECOVER (RC) – Restoration & Trust

Command
Initiate restoration from immutable, offline backups, as pseudo-ransomware decryption routines are theoretically non-existent or deliberately flawed.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Enforce Phishing-Resistant MFA (FIDO2/Passkeys) on all external access points and strictly segment IT from OT environments.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Threat Level downgraded to Theoretical/Low. This campaign specifically targets high-value enterprise and critical infrastructure; no immediate disconnect required for home networks.

Priority 2: Identity

Command
Ensure standard MFA is enabled on personal email and financial accounts using a known clean device (e.g., phone on 5G).

Priority 3: Persistence

Command
Keep home routers and personal VPN software updated to the latest firmware to prevent opportunistic exploitation by Initial Access Brokers scanning for known vulnerabilities.

Hardening & References

Baseline

CIS Controls v8 - Control 4 (Secure Configuration of Enterprise Assets and Software), Control 11 (Data Recovery).

Framework
NIST CSF 2.0 (PR.DS-11: Backups of data are maintained; GV.RM-01: Risk management objectives are established).

Source

Dark Reading Threat Intelligence
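The DETECT step above says to hunt for anomalous access patterns on internet-facing VPNs and firewalls ahead of payload deployment, but does not show what such a hunt looks like in practice. The following is an added example, not code from the report, the KELA research or this thread. It runs four simple rules over constructed VPN authentication log lines (the log format, hostnames, usernames, IP addresses, the failure threshold of 5, the 10-minute window and the 06:00-22:00 UTC business-hours range are all assumptions made for illustration): a success from a source the account has never used, a burst of failures from one source immediately followed by a success, a success outside business hours, and one source IP successfully logging into several accounts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format; not telemetry from the report).
SAMPLE_LOG = """\
2025-07-20T09:02:11Z vpn-gw1 auth user=alice src=203.0.113.10 result=success
2025-07-21T09:05:43Z vpn-gw1 auth user=alice src=203.0.113.10 result=success
2025-07-22T08:58:02Z vpn-gw1 auth user=alice src=203.0.113.10 result=success
2025-07-20T10:15:00Z vpn-gw1 auth user=bob src=198.51.100.7 result=success
2025-07-21T10:20:31Z vpn-gw1 auth user=bob src=198.51.100.7 result=success
2025-07-25T02:11:04Z vpn-gw1 auth user=bob src=192.0.2.44 result=failure
2025-07-25T02:11:09Z vpn-gw1 auth user=bob src=192.0.2.44 result=failure
2025-07-25T02:11:15Z vpn-gw1 auth user=bob src=192.0.2.44 result=failure
2025-07-25T02:11:20Z vpn-gw1 auth user=bob src=192.0.2.44 result=failure
2025-07-25T02:11:27Z vpn-gw1 auth user=bob src=192.0.2.44 result=failure
2025-07-25T02:11:33Z vpn-gw1 auth user=bob src=192.0.2.44 result=success
2025-07-25T03:40:12Z vpn-gw1 auth user=alice src=192.0.2.44 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

FAIL_THRESHOLD = 5                 # assumed: failures before a success that count as brute force
FAIL_WINDOW = timedelta(minutes=10)  # assumed: how far back failures are considered
BUSINESS_HOURS = range(6, 22)      # assumed: UTC hours treated as normal for this site


def parse(log_text):
    """Parse log lines into event dicts (chronological); unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def hunt(log_text):
    """Return one finding per successful login that trips at least one rule."""
    events = parse(log_text)
    known_src = defaultdict(set)    # user -> sources with an earlier successful login
    src_users = defaultdict(set)    # source -> users who logged in from it successfully
    recent_fail = defaultdict(list)  # (user, source) -> timestamps of recent failures
    findings = []
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] == "failure":
            recent_fail[key].append(ev["ts"])
            continue
        reasons = []
        # Rule 1: success from a source never seen for this account (needs a baseline first,
        # so an account's very first login is not flagged).
        if known_src[ev["user"]] and ev["src"] not in known_src[ev["user"]]:
            reasons.append("new_source")
        # Rule 2: a burst of failures from the same source right before the success.
        fails = [t for t in recent_fail[key] if ev["ts"] - t <= FAIL_WINDOW]
        if len(fails) >= FAIL_THRESHOLD:
            reasons.append("brute_force_then_success")
        recent_fail[key].clear()
        # Rule 3: success outside the assumed business hours.
        if ev["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        # Rule 4: one source now reaching a second account it had not used before.
        if src_users[ev["src"]] and ev["user"] not in src_users[ev["src"]]:
            reasons.append("source_shared_across_accounts")
        if reasons:
            findings.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                             "src": ev["src"], "reasons": reasons})
        known_src[ev["user"]].add(ev["src"])
        src_users[ev["src"]].add(ev["user"])
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["ts"], f["user"], f["src"], ", ".join(f["reasons"]))
```

On the sample data the two successes from 192.0.2.44 are flagged and the routine daytime logins are not. The rules are deliberately stateless across runs and use only fields every VPN or firewall gateway logs, so the same structure can be ported to a SIEM query; the thresholds are the part that needs tuning against a real baseline.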
nobody except cybercrooks in Iran's buddy countries will help them. Iran can offer some cover using their infrastructure, but that is only useful if you are inside Iran. Their 80% cut of the profits is typical for affiliate model cybercrime-infrastructure-for-rent. Maybe some hacktivists will help. But that's about it. Cybercrooks who only care about money will not. Their offer has no advantages.
nobody except cybercrooks in Iran's buddy countries will help them. Iran can offer some cover using their infrastructure, but that is only useful if you are inside Iran. Their 80% cut of the profits is typical for affiliate model cybercrime-infrastructure-for-rent. Maybe some hacktivists will help. But that's about it. Cybercrooks who only care about money will not. Their offer has no advantages.
Your conclusion that the Iranian infrastructure "has no advantages" for financially motivated cybercriminals outside of domestic borders requires recalibration based on current threat intelligence realities. The assertion that Iranian infrastructure is "only useful if you are inside Iran" fundamentally misunderstands the mechanics of state-shielded bulletproof hosting. Financially motivated cybercriminals actively seek infrastructure that is immune to Western law enforcement subpoenas, server seizures, and INTERPOL cooperation. By routing their Command and Control (C2) through Iranian infrastructure, threat actors in non-extradition countries can guarantee zero cooperation with US/EU takedown requests, significantly extending the lifespan of their operations.

These financially driven groups frequently leverage nation-state infrastructure to muddy attribution. By utilizing Iranian state-aligned infrastructure, unaffiliated cybercrooks can intentionally trigger "state-sponsored" heuristics in Western threat intelligence platforms. This false-flag capability delays private sector incident response and diverts law enforcement resources away from the actual perpetrators, buying them vital time to launder cryptocurrency payouts. Additionally, state-sponsored pseudo-ransomware operations often absorb the operational overhead of zero-day exploits, initial access brokering, and evasion tooling that standard syndicates would normally purchase on the darknet. If an affiliate can leverage advanced persistent threat (APT) grade exploits under the guise of an 80/20 ransomware split, their ROI increases dramatically compared to using a purely criminal RaaS. Ultimately, financially motivated threat actors are strictly agnostic to geopolitics; they optimize for operational security and profit margins. The proposition of using untouchable, state-shielded infrastructure while masking their tracks under the guise of Iranian state activity offers massive tactical advantages to global cybercrooks, regardless of their own physical location or political alignment.