Iran’s Pay2Key Ran a Criminal Side Business on Russian Forums While Attacking U.S. Healthcare – SOFX


An Iranian government-linked ransomware group known as Pay2Key attacked an unnamed U.S. healthcare organization in late February, locking down the institution’s systems within three hours while stealing no data and issuing no ransom demand, according to a report published by Halcyon Ransomware Research Center.

Beazley Security handled the initial response before calling in Halcyon researchers to examine the malware. Investigators found the attackers had compromised an administrator’s account on the victim’s network several days before deploying the ransomware, then cleared event logs to erase all traces of their activity after encryption completed.

The absence of both a data theft attempt and a ransom demand is a significant departure from Pay2Key’s documented pattern. U.S. intelligence agencies previously assessed the group’s attacks as primarily conducted for information theft.

Halcyon said Pay2Key “does not always appear to prioritize extortion and financial gain over the destruction of victim environments for strategic impact.”

“This pattern suggests motivations that extend well beyond typical financially driven ransomware operations,” Halcyon researchers said.

Cynthia Kaiser, senior vice president at Halcyon’s Ransomware Research Center and a former deputy assistant director in the FBI’s Cyber Division, said the attack’s timing, concurrent with the start of military conflict between the U.S. and Iran, complicates any straightforward read of intent.

“Is the group just seeking to maximize money among chaos? This is a group that does work on behalf of the government, but not always,” Kaiser said.

The Halcyon report also documents Pay2Key’s parallel effort to build a commercial criminal operation. The group marketed itself on Russian cybercriminal forums beginning in the summer of 2025, raised affiliate cuts from 70% to 80%, and at one point offered the entire ransomware-as-a-service (RaaS) platform for sale at 0.15 BTC.

Cybersecurity firm Morphisec tracked 51 ransom payments to the group over a four-month stretch that summer, totaling roughly $4 million. The group has since logged 170 victims and $8 million in total ransom payments.

Halcyon noted the group’s ties to Russian criminal networks raise “unresolved questions about the current ownership, operational control, and future trajectory of the group’s RaaS platform.” Kaiser said the sale offer was likely a smokescreen, given Pay2Key’s continued role in Iranian kinetic operations.

The healthcare attack preceded a separate incident at Stryker, a U.S. medical device company, in which an Iranian group known as Handala wiped approximately 200,000 devices. The FBI attributed that operation to Iranian intelligence.

“Some attacks may have more limited impact, and so there isn’t going to be as much publicity around that, but you have to assume that Iran is looking for targets, seeking out what they can do,” Kaiser said. “And my assumption is that it’s a combination of wiper attacks, ransomware attacks, and attempting to target critical infrastructure through unpatched vulnerabilities.”
