
Terrifying New Ransomware Surge: Iranian Hackers Behind Pay2Key Target Middle East Tech Giants—Act Now to Stay Safe


A cyberespionage group with strong ties to the Iranian state has reemerged, targeting multiple organizations across the Middle East with an enhanced variant of the Pay2Key ransomware. According to threat intelligence shared by Check Point Research and corroborated by Israeli CERT, the new wave combines file encryption with data theft, wiper components and credential harvesting, pointing to motives beyond classic ransomware-for-profit.


Threat Actor Profile: Pay2Key

Pay2Key first surfaced in late 2020 in ransomware attacks against Israeli firms. Earlier variants were built for fast encryption of a compromised network, with ransom notes dropped across corporate environments; the recent activity ties the group directly to Iranian threat actor clusters affiliated with APT39 and Agrius.

The group is now believed to be part of Tehran’s broader cyber-espionage apparatus, using ransomware as both a smokescreen and a disruptive geopolitical weapon.


Technical Details of the Attack Chain

The recent campaign follows a hands-on-keyboard ransomware playbook, mixing commodity tooling with purpose-built components:

1. Initial Access

  • Exploited public-facing VPN appliances and unpatched Microsoft Exchange servers
  • In some cases, brute-forced Remote Desktop (RDP) services that were reachable from the internet and protected only by weak credentials

2. Credential Dumping and Lateral Movement

  • Deployed Mimikatz and custom LSASS memory scrapers to extract credentials
  • Used PsExec, WMI and SMB to move laterally across the network

3. Payload Deployment

  • The updated Pay2Key binary is packed with UPX, which hinders static analysis and signature matching, and encrypts files with AES-256
  • The ransom note includes references to “Zionist collaborators” and demands payment in Monero (XMR), a privacy coin whose transactions are far harder to trace than Bitcoin's

4. Exfiltration and Destruction

  • Files were exfiltrated via the Mega.io API or to command-and-control (C2) servers hosted in Russia and Turkey
  • In some cases, wiper modules were deployed after encryption. Deleting Volume Shadow Copies is routine for ransomware; what makes these modules wipers is that they destroy the data itself, so recovery is impossible even if the ransom is paid, and only offline backups remain as a recourse
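As an added example (not tooling from Check Point Research or the CERT advisory, and not part of the original article), the following Python hunts constructed Sysmon-style process-creation events for the tradecraft in steps 2 and 4 above: LSASS dumping, PsExec service installation, remote WMI execution, shadow copy deletion and boot-recovery tampering. The one-line key=value event format, rule names and host names are assumptions made for this illustration.

```python
"""Hunt constructed process-creation telemetry for the post-compromise tradecraft
described above (credential dumping, PsExec/WMI lateral movement, recovery
inhibition before encryption).

Added example, not tooling from Check Point Research or the CERT advisory. The
one-line "key=value" event format and the host names are assumptions made for
this illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    stage: str
    host: str
    line_no: int
    evidence: str


# (rule name, attack-chain stage, pattern over the full command line)
RULES = [
    ("lsass_dump_comsvcs", "credential dumping",
     re.compile(r"comsvcs\.dll.*MiniDump", re.I)),
    ("lsass_dump_procdump", "credential dumping",
     re.compile(r"procdump.*\blsass\b", re.I)),
    ("mimikatz_module", "credential dumping",
     re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I)),
    ("psexec_service", "lateral movement",
     re.compile(r"\bPSEXESVC\b|psexec.*\\\\\S+", re.I)),
    ("wmic_remote_exec", "lateral movement",
     re.compile(r"wmic.*/node:.*process\s+call\s+create", re.I)),
    ("shadow_copy_deletion", "recovery inhibition",
     re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)),
    ("boot_recovery_disabled", "recovery inhibition",
     re.compile(r"bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]

# key=value pairs; values are optionally double-quoted because command lines contain spaces
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events in the assumed format: timestamp, then key=value pairs.
SAMPLE_EVENTS = [
    r'2025-06-01T09:12:03Z host=FS01 parent="cmd.exe" image="C:\Windows\System32\rundll32.exe" cmdline="rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\temp\l.dmp full"',
    r'2025-06-01T09:15:44Z host=FS01 parent="services.exe" image="C:\Windows\PSEXESVC.exe" cmdline="C:\Windows\PSEXESVC.exe"',
    r'2025-06-01T09:16:10Z host=WS22 parent="cmd.exe" image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'2025-06-01T09:16:11Z host=WS22 parent="cmd.exe" image="C:\Windows\System32\bcdedit.exe" cmdline="bcdedit /set {default} recoveryenabled no"',
    r'2025-06-01T09:20:00Z host=WS07 parent="explorer.exe" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe report.txt"',
]


def parse_event(line: str) -> dict:
    """Split 'timestamp k=v k="v with spaces" ...' into a dict."""
    timestamp, _, rest = line.partition(" ")
    event = {"timestamp": timestamp}
    for key, quoted, bare in FIELD.findall(rest):
        event[key] = quoted if quoted else bare
    return event


def hunt(lines) -> list:
    """Return one Finding per (event, rule) match; the benign notepad event yields none."""
    findings = []
    for n, line in enumerate(lines, start=1):
        event = parse_event(line)
        cmdline = event.get("cmdline", "")
        for rule, stage, pattern in RULES:
            if pattern.search(cmdline):
                findings.append(Finding(rule, stage, event.get("host", "?"), n, cmdline))
    return findings


def stages_by_host(findings) -> dict:
    """Map each host to the attack-chain stages observed on it."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.stage)
    return per_host


def hosts_at_encryption_stage(findings) -> list:
    """Recovery inhibition is the last step before (or right after) encryption,
    so these hosts are isolated first during response."""
    return sorted(h for h, s in stages_by_host(findings).items() if "recovery inhibition" in s)


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}: [{f.stage}] {f.rule} <- {f.evidence}")
    print("isolate first:", hosts_at_encryption_stage(hunt(SAMPLE_EVENTS)))
```

The rules key on command-line content rather than image names because the tools are routinely renamed; grouping findings by stage and host turns a flat alert list into a response order, with hosts already deleting shadow copies isolated before hosts where only credential theft has been seen.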

Attribution and Geopolitical Implications

Researchers attribute the campaign to Iranian-backed actors based on:

  • Code reuse from prior Agrius malware families
  • IP infrastructure historically linked to APT39
  • Political messaging within ransom notes

Israeli cybersecurity agencies believe the attack is part of a broader campaign to destabilize regional tech and financial sectors, rather than a simple financial crime. This hybrid of cybercrime and cyberwarfare further blurs attribution lines and complicates international response.


Indicators of Compromise (IOCs)

  • IP addresses: 185.220.101.1, 213.108.105.12
  • SHA256 Hash: a92fe9be6f4c1c72e935dbf6f...
  • Domains: command-center[.]xyz, megasend[.]host
  • Ransom Note Filename: PAY_OR_ELSE.txt

Security teams should hunt for outbound connections and DNS resolutions involving these indicators and block the associated exfiltration channels. Treat the list as a starting point rather than a complete picture: the SHA-256 is published truncated and can only be matched as a prefix; 185.220.101.1 sits in an address range widely used by Tor exit relays, so it carries little attribution value and blocking it affects all Tor exit traffic; and infrastructure of this kind is rotated quickly. Behavioural detections for the tradecraft described above (LSASS access, PsExec service installation, shadow copy deletion) age far better than network indicators.
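As an added example (not tooling from Check Point Research or the CERT advisory, and not part of the original article), the following Python sweeps constructed DNS, connection and file telemetry for the indicators listed above. It refangs the published indicators, matches domains and their subdomains without matching longer look-alike names, treats the truncated hash as a low-fidelity prefix match, and collapses hits to one line per asset so response can be ordered. The log formats, asset names and the zero-padded hash are constructed for this illustration.

```python
"""Sweep constructed DNS, connection and file telemetry for the indicators
listed above.

Added example, not tooling from Check Point Research or the CERT advisory.
The indicators are copied from the article as published; the log lines, asset
names and the zero-padded hash are constructed for illustration.
"""
import re

# Indicators as published (defanged). The SHA-256 was published truncated, so it
# can only be matched as a prefix and is tagged low fidelity.
RAW_IOCS = {
    "domain": ["command-center[.]xyz", "megasend[.]host"],
    "ip": ["185.220.101.1", "213.108.105.12"],
    "sha256_prefix": ["a92fe9be6f4c1c72e935dbf6f"],
    "filename": ["PAY_OR_ELSE.txt"],
}
FIDELITY = {"domain": "high", "filename": "high", "ip": "medium", "sha256_prefix": "low"}
RANK = {"low": 0, "medium": 1, "high": 2}

FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample telemetry in assumed key=value formats.
SAMPLE_DNS = [
    "2025-06-01T10:01:02Z client=10.20.30.7 query=update.command-center.xyz type=A",
    "2025-06-01T10:01:09Z client=10.20.30.7 query=megasend.host. type=A",
    "2025-06-01T10:02:00Z client=10.20.30.9 query=notmegasend.host type=A",
]
SAMPLE_CONN = [
    "2025-06-01T10:01:03Z src=10.20.30.7 dst=213.108.105.12 dport=443 bytes_out=58213400",
    "2025-06-01T10:05:00Z src=10.20.30.9 dst=192.0.2.10 dport=443 bytes_out=1200",
]
SAMPLE_FILES = [
    # constructed: the published prefix padded with zeros; only the prefix is real
    r"host=WS22 sha256=A92FE9BE6F4C1C72E935DBF6F000000000000000000000000000000000000000 path=C:\Users\Public\svc.exe",
    r"host=WS22 sha256=0000000000000000000000000000000000000000000000000000000000000000 path=C:\Users\a\Desktop\PAY_OR_ELSE.txt",
]


def refang(indicator: str) -> str:
    """Undo common defanging so indicators compare with raw log values."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp", "http").lower())


def parse_kv(line: str) -> dict:
    return dict(FIELD.findall(line))


def domain_hit(queried: str, ioc_domain: str) -> bool:
    """True for the domain and its subdomains; a longer label such as
    'notmegasend.host' must not match 'megasend.host'."""
    queried = queried.lower().rstrip(".")
    return queried == ioc_domain or queried.endswith("." + ioc_domain)


def sweep(dns_lines, conn_lines, file_lines) -> list:
    """Return (ioc_type, indicator, asset, fidelity) tuples for every match."""
    iocs = {k: [refang(v) for v in vals] for k, vals in RAW_IOCS.items()}
    hits = []
    for ev in map(parse_kv, dns_lines):
        for d in iocs["domain"]:
            if domain_hit(ev.get("query", ""), d):
                hits.append(("domain", d, ev.get("client"), FIDELITY["domain"]))
    for ev in map(parse_kv, conn_lines):
        if ev.get("dst") in iocs["ip"]:
            hits.append(("ip", ev["dst"], ev.get("src"), FIDELITY["ip"]))
    for ev in map(parse_kv, file_lines):
        digest = ev.get("sha256", "").lower()
        for prefix in iocs["sha256_prefix"]:
            if digest.startswith(prefix):
                hits.append(("sha256_prefix", prefix, ev.get("host"), FIDELITY["sha256_prefix"]))
        basename = ev.get("path", "").replace("\\", "/").rsplit("/", 1)[-1]
        if basename.lower() in iocs["filename"]:
            hits.append(("filename", basename, ev.get("host"), FIDELITY["filename"]))
    return hits


def triage(hits) -> dict:
    """One entry per asset with the best fidelity seen, for ordering response."""
    best = {}
    for _, _, asset, fidelity in hits:
        if asset and RANK[fidelity] > RANK.get(best.get(asset), -1):
            best[asset] = fidelity
    return best


if __name__ == "__main__":
    hits = sweep(SAMPLE_DNS, SAMPLE_CONN, SAMPLE_FILES)
    for kind, indicator, asset, fidelity in hits:
        print(f"{asset}: {kind} {indicator} ({fidelity})")
    print("triage:", triage(hits))
```

The fidelity tags matter in practice: a prefix-only hash match or a hit on a shared-infrastructure IP should raise the priority of an asset that already has a high-fidelity domain or ransom-note hit, but should not on its own trigger isolation.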


Mitigation Recommendations

  • Patch Microsoft Exchange and Fortinet VPN appliances immediately; both are named initial-access routes in this campaign
  • Take RDP off the internet, front remote access with a VPN or gateway, and enforce account lockout and MFA on all remote services so brute force against weak passwords cannot succeed
  • Segment internal networks, restrict remote administration tools such as PsExec and remote WMI to dedicated administrative hosts, and protect LSASS (Credential Guard or RunAsPPL) so that memory scraping yields nothing reusable
  • Back up critical systems offline, where a wiper running on the network cannot reach them, and validate restore procedures regularly
  • Deploy EDR/XDR capable of detecting fileless techniques and lateral movement, not just known malware hashes

Expert Quote

“This isn’t just ransomware. It’s cyberwarfare disguised as extortion,” said Amir Sadoughi, a senior threat researcher at Tel Aviv-based CyberDome. “The Pay2Key group is deploying a multi-purpose toolkit that aims to destroy, not profit.”


Conclusion

The return of Pay2Key signals an escalation in the use of ransomware as a geopolitical tool, especially in regions under rising cyber tension. Organizations in the Middle East and allied tech sectors must heighten threat hunting efforts and ensure IR (incident response) readiness.
