Skip to content
Ransomware group

Pay2Key

Pay2Key is an Iran-linked ransomware family and ransomware-as-a-service operation first observed in 2020 and repeatedly described as aligned with Iranian state interests, with reported ties to Fox Kitten/Pioneer Kitten and links to disruptive campaigns against Israeli, U.S., and other regional targets.

Profile source: Mallory opens in a new tab

Pay2Key

Family profile

Pay2Key is an Iran-linked ransomware family and ransomware-as-a-service operation first observed in 2020 and repeatedly described as aligned with Iranian state interests, with reported ties to Fox Kitten/Pioneer Kitten and links to disruptive campaigns against Israeli, U.S., and other regional targets. Reporting in the provided content associates it with attacks on organizations in Israel, the United States, Azerbaijan, the United Arab Emirates, and Russia, including a late-February 2026 intrusion against a U.S. healthcare organization. It has also been described as targeting organizational servers, virtualization hosts, and cloud workloads via a Linux variant.

Its core capability is file encryption for extortion using strong cryptography. The content states Pay2Key can encrypt victim data using RSA and AES, while more recent technical analysis of a 2026 build describes a Mimic-based encryptor using per-file ChaCha20 keys protected with Curve25519/X25519 key exchange. The malware has been reported as based on Mimic, itself derived from the leaked Conti builder. In one observed incident it appended the .ywgulm_p2k extension and dropped ransom notes in Russian, English, and Spanish. A January 2026 sample used the internal name "payfast," while a February 2026 healthcare variant reportedly used the internal name "Cobalt."

The malware and its operators show significant emphasis on evasion, anti-forensics, and operational resilience. Multiple reports state Pay2Key has enhanced evasion, execution, and anti-forensics capabilities. Observed behavior includes clearing activity and event logs, self-deletion, and overwriting its own executable with zeros via fsutil before deleting it. In the February 2026 healthcare intrusion, operators reportedly disabled Microsoft Defender by falsely indicating a third-party antivirus product was active, inhibited recovery, and removed tooling after use. Technical analysis also notes use of the Windows Restart Manager API to unlock files, termination of numerous services and processes before encryption, and packaging in self-extracting 7z archives consistent with prior campaigns.

The content describes several intrusion and deployment patterns. In the 2026 healthcare case, attackers reportedly compromised an administrative account, remained in the environment for days, used TeamViewer for interactive access, harvested credentials with Mimikatz, LaZagne, and ExtPassword, enumerated hosts with Advanced IP Scanner and NetScan, interacted with Active Directory via dsa.msc, and then deployed the ransomware through a self-extracting archive named abc.exe. Separate reporting on Fluffy Wolf campaigns in Russia states Pay2Key was delivered through phishing emails themed as debts, reconciliation statements, or legal claims, using malicious RAR archives or GitHub-hosted downloads, alongside loaders such as PowerLoader and PureCrypter.

Pay2Key also includes command-and-control and pivoting functionality in the provided content. It has used RSA-encrypted communications with C2, sent its public key to the C2 server over TCP, and designated compromised machines as reverse-proxy pivot points to channel communications with C2.

A Linux variant, Pay2Key.I2, was first detected in the wild in late August 2025. It targets Linux infrastructure including servers, virtualization hosts, and cloud workloads; requires root privileges; disables SELinux and AppArmor; kills services and processes; enumerates mounted filesystems via /proc/mounts; persists via a cron entry to resume after reboot; and uses ChaCha20 encryption with obfuscated per-file metadata. The content also notes a hardcoded string, "DontDecompileMePlease," used in metadata handling.

Known high-confidence artifacts and indicators mentioned in the content include the ransom note path C:\temp\Decrypt_files.txt, the session key file C:\temp\session.tmp, the contact address ueli.maurer@onionmail.org, and hashes associated with a January 2026 build and its components: encryptor SHA256 2ae80e5bff8fc9055ce7dc60e59447cba6e6c3a215eea1b6de7d9cb5ae26f9e8, SFX loader SHA256 5e1ba287113770184fb51f0faed1a851d5066fa263a67a463da17601de82cb5a, encrypted payload SHA256 c45b87fff769379ebb9f4708438e208ee134692a2392a987205bfe900cceacb1, DC.exe SHA256 c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e, and xdel.exe SHA256 e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c.

Ransomware.live

Operational record

View group record ↗

Reported operators

Threat actors

3 named in public reporting
Fluffy Wolf

When deploying the Pay2Key ransomware, the attackers employ heavy anti-forensic techniques to cover their tracks.

n3tw0rm

Early May 2021 saw another set of disruptive ransomware attacks attributed to Iran targeting Israel from the n3tw0rm ransomware group, a newly-identified threat actor with links to the 2020 Pay2Key attacks.

Fox Kitten

The disclosure comes as a U.S. healthcare organization was targeted in late February 2026 by Pay2Key, an Iranian ransomware gang with ties to the country's government. The ransomware-as-a-service (RaaS) operation, which has ties to the Fox Kitten group, first emerged in 2020.

MITRE ATT&CK

Pay2Key in ATT&CK

26 distinct techniques

Reporting

Research mentioning Pay2Key

Jun 16
Security Online Info

Fluffy Wolf Phishing Attacks Push PowerLoader Malware

When deploying the Pay2Key ransomware, the attackers employ heavy anti-forensic techniques to cover their tracks.

May 28
Xakep

Группировка Fluffy Wolf атаковала российские компании новой малварью - Хакер

В одном из изученных инцидентов атакующие также развернули в системе жертвы шифровальщик Pay2Key, основанный на вымогателе Mimic.

May 7
The Record Media

Iranian government hackers using Chaos ransomware as cover, researchers say | The Record from Recorded Future News

A U.S. healthcare organization was targeted in late February with Iran’s Pay2Key ransomware...

May 4
Polyswarm

Critical Condition: The 2026 Healthcare Cyber Threat Landscape

Pay2Key is an Iran-linked ransomware operation aligned with state interests.

Apr 6
The Hacker News

Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations

The disclosure comes as a U.S. healthcare organization was targeted in late February 2026 by Pay2Key, an Iranian ransomware gang with ties to the country's government. The ransomware-as-a-service (RaaS) operation, which has ties to the Fox Kitten group, first emerged in 2020.

Mar 31
Dark Reading

Iran Deploys 'Pseudo-Ransomware,' Revives Pay2Key Operations

Iran has once again revived Pay2Key, an Iranian state-backed ransomware operation, by recruiting affiliates from Russian cybercriminal forums... Iran is using Pay2Key "as a punitive arm of the Iranian state," to attack "high-impact US targets."

Mar 26
Infosecurity Magazine

Iran-Linked Pay2Key Ransomware Group Re-Emerges - Infosecurity Magazine

Security experts have warned that an Iranian ransomware group has returned with enhanced evasion, execution and anti-forensics capabilities. Previously linked to Tehran and usually targeting victims aligned with the regime’s interests, Pay2Key has been active since 2020.

Mar 26
Derp Ca

Pay2Key encryptor: what a January 2026 build reveals | Derp

In late February, Pay2Key ransomware hit a U.S. healthcare organisation... We located an earlier Pay2Key build from January 9, 2026, packaged as a Mimic-based self-extracting archive.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.