Pay2Key
Pay2Key is an Iran-linked ransomware operation first observed in 2020. Public reporting repeatedly describes it as aligned with Iranian state interests, citing ties to the Iranian government, to Fox Kitten/Pioneer Kitten, and to broader Iran-nexus activity. It initially targeted predominantly Israeli organizations; later reporting names victims in the United States, Israel, Azerbaijan, and the United Arab Emirates, including a U.S. healthcare organization in late February 2026. Reporting also describes Pay2Key as a ransomware-as-a-service operation that re-emerged with affiliate recruitment on Russian-language cybercriminal forums and an increased affiliate revenue share for attacks against Iran's designated adversaries.
The malware is described as being based on Mimic ransomware, itself derived from the leaked Conti builder. In one investigated incident, it encrypted files with the .ywgulm_p2k extension and dropped a ransom note in Russian, English, and Spanish. Multiple reports describe delivery via a self-extracting 7z archive; one analyzed January 9, 2026 build used an outer SFX that dropped 7za.exe, Everything.exe, and a password-protected inner archive containing the encryptor, DC.exe, xdel.exe, and configuration files. The analyzed build used the internal name "payfast," while the February 2026 healthcare variant reportedly used the internal name "Cobalt." The ransom note path in the analyzed sample was C:\temp\Decrypt_files.txt, and the listed contact was ueli.maurer@onionmail.org.
On Windows, Pay2Key encrypts victim data with hybrid cryptography. Earlier reporting states it used RSA and AES, while a detailed 2026 analysis of one build found per-file 32-byte ChaCha20 keys generated with BCryptGenRandom and protected with Curve25519 (X25519) ECDH. That build wrote the encrypted per-file key records to C:\temp\session.tmp and did not exfiltrate that file; the report stressed preserving C:\temp\session.tmp during response, because losing it could make future decryption impossible even if the operator's private key were later obtained. The same analysis found full and intermittent encryption modes; larger files may be only partially encrypted, leaving substantial plaintext recoverable in some cases. The encryptor used voidtools Everything APIs for filesystem enumeration and Windows Restart Manager APIs to release file locks before encryption, and it terminated numerous services and processes, including backup, database, and monitoring components.
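The following is an added example, not code from Pay2Key or from any of the reports above. It models the key hierarchy the 2026 analysis describes (a fresh 32-byte ChaCha20 key per file, wrapped with an ephemeral X25519 ECDH exchange against the operator's public key, with the wrapped key kept only in a session record) and the full-versus-intermittent encryption modes, so that the two response-relevant points are concrete: a lost session record means the file key is gone even when the operator's private key is recovered, and intermittent mode leaves whole runs of plaintext in large files. X25519 and ChaCha20 are written out from RFC 7748 and RFC 8439 in plain Python so the block runs offline; the SHA-256 key-wrapping step, the record layout, and the 4096/1024-byte intermittent thresholds are assumptions for illustration, not the analysed build's values.

```python
import hashlib
import secrets
import struct

# X25519: the RFC 7748 reference ladder in plain Python (not constant-time; demo only)
P = 2**255 - 19
BASEPOINT = b"\x09" + b"\x00" * 31

def x25519(scalar: bytes, point: bytes) -> bytes:
    k = bytearray(scalar); k[0] &= 248; k[31] &= 127; k[31] |= 64
    k = int.from_bytes(k, "little")
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

# ChaCha20 keystream XOR (RFC 8439 layout: 32-byte key, 12-byte nonce, 32-bit block counter)
MASK = 0xFFFFFFFF
def _rotl(v, n): return ((v << n) | (v >> (32 - n))) & MASK

def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 64):
        init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
        s = init[:]
        for _ in range(10):
            _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
            _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
        ks = struct.pack("<16I", *[(s[i] + init[i]) & MASK for i in range(16)])
        out += bytes(p ^ q for p, q in zip(data[off:off + 64], ks))
        counter += 1
    return bytes(out)

# Per-file key wrapping: ephemeral ECDH against the operator's public key.
# Record layout (assumption): eph_pub(32) || file_key XOR SHA-256(shared_secret)(32)
def wrap_file_key(operator_pub: bytes, file_key: bytes) -> bytes:
    eph_priv = secrets.token_bytes(32)
    kek = hashlib.sha256(x25519(eph_priv, operator_pub)).digest()
    return x25519(eph_priv, BASEPOINT) + bytes(a ^ b for a, b in zip(file_key, kek))

def unwrap_file_key(operator_priv: bytes, record: bytes) -> bytes:
    eph_pub, wrapped = record[:32], record[32:]
    kek = hashlib.sha256(x25519(operator_priv, eph_pub)).digest()
    return bytes(a ^ b for a, b in zip(wrapped, kek))

# Full vs intermittent mode; thresholds are assumptions, not the analysed build's values
FULL_LIMIT, STRIDE, CHUNK = 4096, 4096, 1024

def _segments(n: int):
    """Byte ranges that get encrypted: the whole file if small, else the first CHUNK of every STRIDE."""
    if n <= FULL_LIMIT:
        return [(0, n)]
    return [(o, min(o + CHUNK, n)) for o in range(0, n, STRIDE)]

def plaintext_fraction(n: int) -> float:
    return 1 - sum(e - s for s, e in _segments(n)) / n

def _apply(file_key, nonce, data):
    buf = bytearray(data)
    for start, end in _segments(len(data)):  # STRIDE is a multiple of 64, so block counters line up
        buf[start:end] = chacha20_xor(file_key, nonce, bytes(buf[start:end]), counter=1 + start // 64)
    return bytes(buf)

def encrypt_file(path: str, data: bytes, operator_pub: bytes, session: dict) -> bytes:
    """The only copy of this file's wrapped key goes into `session` (the session.tmp stand-in)."""
    file_key = secrets.token_bytes(32)  # stands in for BCryptGenRandom
    nonce = secrets.token_bytes(12)
    session[path] = nonce + wrap_file_key(operator_pub, file_key)
    return _apply(file_key, nonce, data)

def decrypt_file(path: str, data: bytes, operator_priv: bytes, session: dict) -> bytes:
    """Recovery needs BOTH the operator's private key and this file's session record."""
    rec = session.get(path)
    if rec is None:
        raise KeyError(f"no key record for {path}: unrecoverable without session.tmp")
    return _apply(unwrap_file_key(operator_priv, rec[12:]), rec[:12], data)
```

Usage: generate an operator key pair with `priv = secrets.token_bytes(32); pub = x25519(priv, BASEPOINT)`, encrypt a file with `encrypt_file(path, data, pub, session)`, then note that `decrypt_file` fails with `KeyError` as soon as the `session` entry is dropped, even though `priv` is still in hand; for a file larger than `FULL_LIMIT`, `plaintext_fraction` reports how much of it never touched the keystream, which is the content that carving or partial recovery can still reach.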
Reporting also describes a Linux variant, Pay2Key.I2, first seen in the wild in late August 2025. It targets organizational servers, virtualization hosts, and cloud workloads; requires root privileges; disables SELinux and AppArmor; kills services and processes; enumerates mounted filesystems via /proc/mounts, skipping pseudo-filesystems and certain binaries; persists via a cron entry so that encryption resumes after a reboot; and uses ChaCha20 with obfuscated per-file metadata. This Linux build is characterized as aimed at infrastructure-layer targets rather than desktop systems.
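As an added example (not Pay2Key.I2's code and not from any vendor), the block below shows what the two host-side behaviours above mean in practice for a responder: which mounts a root-level encryptor that reads /proc/mounts and skips pseudo-filesystems would actually reach on a given host (note that read-only mounts are skipped and NFS-backed backup shares are not), and a crontab check for the kind of reboot-time persistence described. The pseudo-filesystem list, the treatment of read-only mounts, the `@reboot` form of the cron entry and the scratch-directory heuristic are assumptions; the /proc/mounts and crontab content is constructed.

```python
PSEUDO_FS = {"proc", "sysfs", "devtmpfs", "devpts", "tmpfs", "cgroup", "cgroup2", "securityfs",
             "pstore", "debugfs", "tracefs", "configfs", "fusectl", "mqueue", "hugetlbfs", "bpf",
             "autofs", "binfmt_misc", "efivarfs", "selinuxfs", "rpc_pipefs", "nsfs", "ramfs"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # staging locations worth flagging (assumption)

def parse_proc_mounts(text: str):
    """Parse /proc/mounts: 'device mountpoint fstype options dump pass' (\\040 encodes a space)."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dev, mnt, fstype, opts = parts[:4]
        mounts.append({"device": dev, "mountpoint": mnt.replace("\\040", " "),
                       "fstype": fstype, "readonly": "ro" in opts.split(",")})
    return mounts

def reachable_targets(mounts):
    """Writable, non-pseudo filesystems: the set a root-level encryptor would actually enumerate."""
    return [m["mountpoint"] for m in mounts if m["fstype"] not in PSEUDO_FS and not m["readonly"]]

def suspicious_cron_entries(crontab: str):
    """User-crontab lines that run at boot or execute something from a scratch directory."""
    hits = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@reboot"):
            command = line.split(None, 1)[1] if " " in line else ""
        else:
            fields = line.split(None, 5)          # m h dom mon dow command
            if len(fields) < 6:
                continue
            command = fields[5]
        reasons = []
        if line.startswith("@reboot"):
            reasons.append("runs at boot")
        if command.startswith(SCRATCH_DIRS):
            reasons.append("executes from scratch directory")
        if reasons:
            hits.append((line, reasons))
    return hits

SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg0-root / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 ro,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec 0 0
/dev/mapper/vg0-vmstore /var/lib/libvirt/images xfs rw,noatime 0 0
nas01:/export/backups /mnt/backups nfs4 rw,relatime,vers=4.2 0 0
/dev/sdb1 /srv/data\\040share ext4 rw,relatime 0 0
"""  # constructed

SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
@reboot /tmp/.x/lock --resume
* * * * * /dev/shm/.svc/run
30 6 * * 1 /usr/bin/apt-get update
"""  # constructed

if __name__ == "__main__":
    for target in reachable_targets(parse_proc_mounts(SAMPLE_MOUNTS)):
        print("reachable:", target)
    for line, reasons in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron:", line, "->", ", ".join(reasons))
```

On a live host, feed `open("/proc/mounts").read()` and the output of `crontab -l -u root` (plus any files under /etc/cron.d, which carry an extra user field and would need the parser extended) into the same functions; the point of the mount listing is that a root-level encryptor sees the virtualization image store and the NFS backup share exactly as it sees the root filesystem.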
Operationally, Pay2Key is described as using legitimate remote access tooling such as TeamViewer for footholds, credential theft tools including Mimikatz, LaZagne, and ExtPassword, host discovery tools such as Advanced IP Scanner and NetScan, and Active Directory interaction via dsa.msc. In the February 2026 healthcare intrusion, the attackers reportedly compromised an administrative account, remained in the environment for days, harvested credentials for lateral movement, enumerated backup software including IBackup, Barracuda Yosemite, and Windows Server Backup, disabled Microsoft Defender through a "No Defender" toolkit, inhibited recovery, deployed ransomware, dropped a ransom note, and cleared activity and event logs. Researchers reported the victim environment was encrypted in about three hours and found no confirmed evidence of data exfiltration in that case.
For command and control, public reporting states Pay2Key has used RSA-encrypted communications with its C2, sent its public key to the C2 server over TCP, and designated compromised machines as reverse-proxy pivot points to channel other hosts' communications with the C2. Broader reporting characterizes the operation as combining ransomware tradecraft with espionage-linked infrastructure and, in some assessments, as potentially prioritizing disruptive or punitive impact over purely financial extortion.
Groups observed using it
2 distinct threat actors attributed by public researchers.
In one of the incidents studied, the attackers also deployed the Pay2Key encryptor, which is based on the Mimic ransomware, on the victim's system.
The disclosure comes as a U.S. healthcare organization was targeted in late February 2026 by Pay2Key, an Iranian ransomware gang with ties to the country's government. The ransomware-as-a-service (RaaS) operation, which has ties to the Fox Kitten group, first emerged in 2020.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
Halcyon and Beazley Security published a joint report detailing the attack chain: compromised admin credentials, a week of dormancy, TeamViewer for access...
“pivoting to exploit zero-day vulnerabilities in industrial time-management software…” and “identify and exploit public-facing applications at scale.”
The messages came with attached "reconciliation statements", "claims" and other documents that in reality turned out to be archives containing malware. Sometimes the attachment was attached directly...
...and in other cases the victim was given a link to a GitHub repository from which a RAR archive was downloaded. According to the researchers, Fluffy Wolf actively uses GitHub because such links look legitimate and help bypass mail filters...
Persistence
2 techniques
Halcyon and Beazley Security published a joint report detailing the attack chain: compromised admin credentials, a week of dormancy, TeamViewer for access...
Privilege Escalation
1 technique
Stealth
3 techniquesThe content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
Halcyon and Beazley Security published a joint report detailing the attack chain: compromised admin credentials, a week of dormancy, TeamViewer for access...
Defense evasion has remained a critical phase, where threat actors employ multiple obfuscation techniques (T1140)
Defense Impairment
1 technique
Credential Access
1 technique
...TeamViewer for access, credential harvesting with Mimikatz and LaZagne...
Discovery
5 techniquesThe lineage is visible in the service and process kill lists. The encryptor terminates 60+ services and 40+ processes before encryption...
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
The encryptor builds on Mimic ransomware, a Conti derivative that uses voidtools Everything for filesystem enumeration.
Collection
1 technique
...and a self-extracting 7z archive that deployed the encryptor.
Command and Control
5 techniques
Halcyon and Beazley Security published a joint report detailing the attack chain: compromised admin credentials, a week of dormancy, TeamViewer for access...
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2").
Examples of asymmetric protection include: "encrypts some C2 with RSA", "RSA encryption for C2 communications", "hard-coded RSA public key", "RSA-2048", "RSA-4096", and "REvil has encrypted C2 communications with the ECIES algorithm".
Exfiltration
1 technique
"...it achieved some notoriety for hack-and-leak attacks on Israeli organizations."
Impact
2 techniques
In one of the incidents studied, the attackers also deployed the Pay2Key encryptor, which is based on the Mimic ransomware, on the victim's system. The malware encrypted files, appending the .ywgulm_p2k extension to them...
The encryptor terminates 60+ services and 40+ processes before encryption, including services such as AcronisAgent, BackupExecJobEngine, CAARCUpdateSvc... and processes such as sqlservr, sqlagent, msaccess, mysqld, oracle, python, node, java, Raccine, Sysmon...
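The kill list above is one of the few Pay2Key behaviours that is both loud and unavoidable: backup agents, database engines and security tooling stop in a burst seconds before encryption starts. The block below is an added detection example, not a rule from any vendor or from Mallory; it runs over constructed log lines normalized to one line per event, where a `service_stopped` record corresponds to what the Windows System log reports as Event ID 7036 and `process_terminated` to Sysmon Event ID 5. The watchlists are the partial names from the page; the 60-second window, the threshold of three distinct components, and the severity labels are tuning assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCH_SERVICES = {"AcronisAgent", "BackupExecJobEngine", "CAARCUpdateSvc"}   # partial, from the kill list
WATCH_PROCESSES = {"sqlservr", "sqlagent", "msaccess", "mysqld", "oracle"}    # partial, from the kill list
SECURITY_TOOLS = {"Raccine", "Sysmon"}                                        # termination is suspicious alone
WINDOW, THRESHOLD = timedelta(seconds=60), 3                                  # tuning values are assumptions

def parse_line(line: str) -> dict:
    """'2026-02-27T10:00:01Z host=SRV1 event=service_stopped name=AcronisAgent' -> dict (constructed format)."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    name = rec["name"]
    rec["name"] = name[:-4] if name.lower().endswith(".exe") else name   # sqlservr.exe -> sqlservr
    return rec

def detect(lines):
    """Return (host, severity, message) alerts; events are evaluated in timestamp order."""
    alerts, recent = [], defaultdict(deque)   # recent: host -> deque of (ts, name) for watched stops
    for rec in sorted(map(parse_line, lines), key=lambda r: r["ts"]):
        host, event, name, ts = rec["host"], rec["event"], rec["name"], rec["ts"]
        if event == "process_terminated" and name in SECURITY_TOOLS:
            alerts.append((host, "high", f"security tooling terminated: {name}"))
        watched = (event == "service_stopped" and name in WATCH_SERVICES) or \
                  (event == "process_terminated" and name in WATCH_PROCESSES)
        if not watched:
            continue
        q = recent[host]
        q.append((ts, name))
        while ts - q[0][0] > WINDOW:          # drop stops that fell out of the sliding window
            q.popleft()
        distinct = sorted({n for _, n in q})
        if len(distinct) >= THRESHOLD:
            alerts.append((host, "medium",
                           f"{len(distinct)} backup/database components stopped within {WINDOW.seconds}s: {distinct}"))
            q.clear()                         # one alert per burst
    return alerts

SAMPLE_LOG = [  # constructed; deliberately out of order, with one stale and one benign event
    "2026-02-27T08:01:00Z host=SRV1 event=service_stopped name=CAARCUpdateSvc",
    "2026-02-27T10:00:05Z host=SRV1 event=process_terminated name=Sysmon.exe",
    "2026-02-27T10:00:01Z host=SRV1 event=service_stopped name=AcronisAgent",
    "2026-02-27T10:00:02Z host=SRV1 event=service_stopped name=BackupExecJobEngine",
    "2026-02-27T10:00:04Z host=SRV1 event=process_terminated name=sqlservr.exe",
    "2026-02-27T09:00:00Z host=SRV2 event=process_terminated name=sqlservr.exe",
]

if __name__ == "__main__":
    for host, severity, message in detect(SAMPLE_LOG):
        print(f"[{severity}] {host}: {message}")
```

The stale 08:01 stop on SRV1 and the lone SQL Server restart on SRV2 produce nothing; the three distinct stops between 10:00:01 and 10:00:04 produce the medium alert, and the Sysmon termination one second later produces the high one. Extend the watchlists from the full 60+/40+ kill list when it is available, and keep the Raccine/Sysmon rule separate from the burst rule, since a single termination of security tooling should page on its own.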
Other
1 technique
IOCs tracked for this family
14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
25 sources tracked across advisories, community write-ups, and news.
Encryptor deployed on the victim's system; it encrypts files, appending the .ywgulm_p2k extension, and leaves a ransom note in Russian, English, and Spanish.
Iran-linked ransomware used against a U.S. healthcare organization.
Iran-linked ransomware used for disruptive and strategic operations, including against a US healthcare provider.
Iran-linked ransomware-as-a-service operation used against a U.S. healthcare organization. The reported variant improved evasion, execution, and anti-forensics, used TeamViewer for foothold establishment, harvested credentials for lateral movement, disabled Microsoft Defender by spoofing third-party AV presence, inhibited recovery, deployed ransomware, dropped a ransom note, and cleared logs. A Linux variant was also observed that encrypts data with ChaCha20, stops services, kills processes, disables SELinux and AppArmor, and installs a reboot-time cron entry for persistence.