Iran-linked ransomware operation targeted US healthcare provider


This story was originally published on Cybersecurity Dive.

An Iran-linked ransomware group targeted an unnamed U.S. healthcare provider in the lead-up to the Iran war, according to a report Tuesday from Halcyon.

Tracked under the name Pay2Key, the group gained access to a compromised administrative account for several days and then encrypted the account. 

Forensic investigators, including Halcyon and Beazley Security, found no evidence that data was stolen. This marks a departure from the group’s previous attacks. Researchers suggest the attacker may have changed tactics to focus more on destruction than on pure extortion.

Also, the threat group appears to have shifted its attention toward the U.S. after historically targeting Israeli systems. 

“The attack was notable for its use of stealthy encryption without data exfiltration,” Johnny Collins, director of intelligence operations at Halcyon, told Cybersecurity Dive. “Pay2Key has not been dormant but has actively shifted to targeting U.S. organizations.”

Following the launch of the American-Israeli bombing campaign in late February, Iran-linked actors have stepped up actions against U.S., Israeli and other Middle Eastern targets.

A cyberattack this month by a state-linked group called Handala temporarily disrupted ordering, manufacturing and product shipments at Stryker, a large U.S.-based medical technology manufacturer.

Pay2Key first emerged in 2020, when Check Point Research and a blockchain intelligence firm called Whitestream uncovered a wave of ransomware attacks against Israeli firms using a previously unknown strain. 

Most of the ransomware payments moved through an Iranian firm called Excoino, which required an Iranian national ID in order to register, according to Halcyon. 

By 2024, the FBI, the Cybersecurity and Infrastructure Security Agency and the Department of Defense had issued a joint advisory on the group, which is also tracked under the name Fox Kitten.

The group targeted a variety of U.S. organizations, including schools, defense industry firms, healthcare providers and municipal governments. The group often collaborated with ransomware groups after gaining access to targeted sites, sharing more than 70% of proceeds. 

In 2025, Pay2Key launched an aggressive campaign on Russian cybercrime forums, with offers to sell its infrastructure. The group was very active during a period surrounding the 12-day bombing campaign by the U.S. and Israel in 2025. 

“While Pay2Key was previously associated with Iranian operations, since the beginning of 2025 it has been promoted as a ransomware-as-a-service offering on Russian underground forums,” Sergey Shykevich, threat intelligence group manager at Check Point Research, told Cybersecurity Dive. “Currently, we do not have clear indications linking its activity to Iran.”

Researchers from Morphisec tracked a four-month stretch where the group collected about $4 million from 51 ransoms.


