Full Report
In late February, Beazley Security's Incident Response team responded to a ransomware intrusion at a U.S. healthcare organization attributed to Pay2Key, an Iranian government-linked threat actor that has operated since 2020. The investigation found that the attacker had held access to a compromised admin account for several days before deploying ransomware and encrypting the environment within three hours.
Analysis Summary
# Threat Actor: Pay2Key
## Attribution & Identity
* **Identification:** Iranian government-linked threat actor, characterized by the FBI, CISA, and DoD as an "information operation" aimed at impacting U.S. and Israeli infrastructure.
* **Known Aliases:** Fox Kitten, Pioneer Kitten, UNC757, Parasite, RUBIDIUM, Lemon Sandstorm.
* **Associations:** Linked to the Iranian cryptocurrency exchange **Excoino**. Recent activity indicates recruitment and affiliation with Russian-speaking threat actors to obscure national origin.
## Activity Summary
* **February 2026:** Conducted a ransomware intrusion against a U.S. healthcare organization, coinciding with rising regional tensions.
* **Mid-to-Late 2025:** Executed attack waves following missile strikes in Iran; listed the entire RaaS operation for sale on dark web forums and X (formerly Twitter).
* **July 2025:** Previous major campaign prior to the significant 2026 technical upgrades.
## Tactics, Techniques & Procedures
* **Initial Access:** Use of compromised administrative accounts (maintained for several days prior to execution).
* **Execution:** Rapid encryption of the environment (within three hours of deployment).
* **Evasion & Anti-Forensics:** Recent variants show significant upgrades in evasion techniques and forensic awareness compared to 2025 versions.
* **Credential Harvesting:** Use of Mimikatz, LaZagne (AIO/x86), and custom scripts to export credentials to flat files (e.g., `Passwords.txt`, `Users.txt`).
* **Persistence:** Establishing startup items (e.g., `browser.exe`) and utilizing PowerShell scripts (`task.ps1`).
* **Anomalous Behavior:** Departure from the standard double-extortion playbook in the latest incident by not exfiltrating data, suggesting a primary goal of disruption/sabotage rather than profit.
## Targeting
* **Sectors:** Healthcare, Cyber Infrastructure, National Defense.
* **Geography:** Primarily United States and Israel (Western-aligned organizations).
* **Victims:** A U.S. healthcare organization (February 2026 intrusion).
## Tools & Infrastructure
* **Malware:**
  * **Pay2Key Ransomware:** Custom locker; recent variants use `browser.exe` as the encryption payload.
* **Utilities:**
  * `NS.exe` (Netscan) / `tshell.exe` (text-only shell) for network discovery.
  * `Everything.db` for file indexing.
  * `mimikatz.exe`, `ExtPassword.exe`, and `LaZagne` for credential harvesting.
* **Infrastructure:**
  * Ransomware-as-a-Service (RaaS) model with an 80% profit-sharing program.
  * Historically linked to Iranian National ID-verified accounts on Excoino.
## Implications
Pay2Key acts as a hybrid threat—a state-aligned proxy that utilizes the veneer of a criminal ransomware group to conduct geopolitically motivated sabotage. The shift away from data exfiltration toward pure encryption suggests that during times of high tension, their objective is "information operations" and disruption rather than financial gain. The potential sale of their source code in 2025 introduces the risk of "leakage," where other actors may now be using Pay2Key’s upgraded tooling.
## Mitigations
* **Identity Security:** Implement Multi-Factor Authentication (MFA) on all administrative accounts to prevent the lateral movement observed in the healthcare intrusion.
* **Endpoint Protection:** Deploy EDR/XDR solutions capable of detecting credential harvesting tools like Mimikatz and LaZagne.
* **Backup Integrity:** Maintain offline, immutable backups to ensure recovery from rapid (3-hour) encryption events.
* **Audit Persistence:** Monitor for unusual startup items (e.g., `browser.exe` in non-standard paths) and unauthorized PowerShell execution (`task.ps1`).
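As an added illustration of the Credential Harvesting and Audit Persistence points above (example code, not part of Beazley Security's report), the following Python hunt applies the file-name indicators listed in this report to constructed Sysmon-style process and registry events. The trusted-directory allowlist, the event field names, and the sample telemetry are assumptions to adapt to your own logging.

```python
"""Hunt Windows process/registry telemetry for the Pay2Key indicators named in this report."""
from typing import Iterable

# File names the report ties to Pay2Key tooling.
CRED_TOOLS = {"mimikatz.exe", "extpassword.exe"}   # any LaZagne build is matched by substring below
DISCOVERY_TOOLS = {"ns.exe", "tshell.exe"}
CRED_DUMP_FILES = ("passwords.txt", "users.txt")
# Assumption: directories where a legitimately installed browser.exe may live; tune per environment.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def check_event(ev: dict) -> list[str]:
    """Return the rule names an event triggers (empty list = nothing suspicious)."""
    image = ev.get("image", "").lower()
    exe = image.rsplit("\\", 1)[-1]
    cmd = ev.get("command_line", "").lower()
    hits = []
    if exe in CRED_TOOLS or "lazagne" in exe:
        hits.append("credential_harvesting_tool")
    if exe in DISCOVERY_TOOLS:
        hits.append("network_discovery_tool")
    if exe == "browser.exe" and not image.startswith(TRUSTED_DIRS):
        hits.append("browser_exe_nonstandard_path")
    if exe in ("powershell.exe", "pwsh.exe") and "task.ps1" in cmd:
        hits.append("powershell_task_ps1")
    if any(f in cmd for f in CRED_DUMP_FILES):
        hits.append("credential_flat_file")
    # Registry autorun write (Sysmon-style event 13) whose value points at browser.exe.
    if ev.get("event_id") == 13 and "\\currentversion\\run" in ev.get("target_object", "").lower() \
            and "browser.exe" in ev.get("details", "").lower():
        hits.append("startup_item_browser_exe")
    return hits


def scan(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule, host) pairs for every triggered rule across the telemetry."""
    return [(rule, ev.get("host", "?")) for ev in events for rule in check_event(ev)]


# Constructed sample telemetry (not from the incident); fields loosely follow Sysmon naming.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 1, "image": "C:\\Program Files\\Vendor\\browser.exe", "command_line": "browser.exe"},
    {"host": "srv02", "event_id": 1, "image": "C:\\Users\\Public\\browser.exe", "command_line": "browser.exe"},
    {"host": "srv02", "event_id": 1, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -File C:\\Users\\Public\\task.ps1"},
    {"host": "srv02", "event_id": 1, "image": "C:\\Temp\\mimikatz.exe", "command_line": "mimikatz.exe"},
    {"host": "srv02", "event_id": 1, "image": "C:\\Temp\\laZagne.exe", "command_line": "lazagne.exe all > Passwords.txt"},
    {"host": "srv02", "event_id": 13, "image": "C:\\Windows\\regedit.exe",
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
     "details": "C:\\Users\\Public\\browser.exe"},
]

if __name__ == "__main__":
    for rule, host in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The first sample event (browser.exe under a trusted directory) is deliberately left unflagged so the allowlist's effect is visible; every other constructed event trips exactly the rule the report's indicator describes.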