Stryker: Iran-linked ransomware gang targeted US healthcare org amid military conflict

Iranian-Linked Pay2Key Ransomware Targets U.S. Healthcare Organization Amid Rising Cyber Conflict

In late February, an unnamed U.S. healthcare organization fell victim to a ransomware attack by Pay2Key, a strain linked to Iranian state-affiliated cyber actors. The incident, investigated by Beazley Security and Halcyon Ransomware Research Center, revealed significant upgrades to the ransomware, making it harder to detect and more destructive.

Unlike typical financially motivated attacks, this intrusion showed no evidence of data exfiltration, a departure from previous Pay2Key operations, which U.S. intelligence agencies had tied to espionage. Researchers noted that the group's activity surged following recent U.S.-Iran military tensions, suggesting motivations beyond profit, including strategic disruption.

The attackers compromised an administrative account days before deploying the ransomware, then attempted to erase logs to cover their tracks. Cynthia Kaiser, Halcyon’s senior vice president and former FBI Cyber Division official, questioned whether the attack was timed to exploit geopolitical chaos, emphasizing the group’s dual role as both a state-aligned actor and a ransomware-as-a-service (RaaS) operator.

Pay2Key has undergone significant shifts in recent months. In mid-2025, the group marketed itself on Russian cybercriminal forums, briefly offering to sell its operations for 0.15 BTC while recruiting affiliates with an 80% ransom split, up from 70%. Despite internal upheaval, the group remains active, with Morphisec tracking $4 million in ransom payments over four months and a total of $8 million from 170 victims since then.

First identified in 2020, Pay2Key has targeted organizations in the U.S., Israel, Azerbaijan, and the UAE, with ransom payments traced to Excoino, an Iranian cryptocurrency exchange requiring national ID verification. A 2024 U.S. advisory highlighted its coordination with other ransomware gangs, reinforcing its ties to Iranian government operations.

The healthcare attack preceded a high-profile wiper attack on Stryker, a U.S. medical device company, claimed by the Iranian group Handala, which wiped 200,000 devices. Kaiser warned that unreported Iranian cyberattacks are likely ongoing, with a mix of ransomware, wiper malware, and critical infrastructure targeting expected as tensions persist.

Source: https://therecord.media/iran-linked-ransomware-gang-targeted-us-healthcare-org

Stryker cybersecurity rating report: https://www.rankiteo.com/company/stryker

"id": "STR1774369485",
"linkid": "stryker",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "100",
"impact": "7",
"explanation": "Attack that could injure or kill people"
{'affected_entities': [{'industry': 'Healthcare',
                        'location': 'United States',
                        'name': 'Unnamed U.S. healthcare organization',
                        'type': 'Healthcare'}],
 'attack_vector': 'Compromised administrative account',
 'data_breach': {'data_encryption': 'Yes',
                 'data_exfiltration': 'No evidence of data exfiltration'},
 'date_detected': '2025-02',
 'description': 'In late February, an unnamed U.S. healthcare organization '
                'fell victim to a ransomware attack by Pay2Key, a strain '
                'linked to Iranian state-affiliated cyber actors. The incident '
                'revealed significant upgrades to the ransomware, making it '
                'harder to detect and more destructive. The attack showed no '
                'evidence of data exfiltration, a departure from previous '
                'Pay2Key operations, and was potentially timed to exploit '
                'geopolitical tensions.',
 'impact': {'operational_impact': 'Disruption of healthcare services'},
 'initial_access_broker': {'entry_point': 'Compromised administrative account',
                           'reconnaissance_period': 'Days before ransomware '
                                                    'deployment'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The attack highlights the dual role of state-aligned '
                    'ransomware groups in both financial extortion and '
                    'geopolitical disruption. Organizations must account for '
                    'evolving tactics, including log erasure and timing '
                    'attacks to exploit chaos.',
 'motivation': ['Strategic disruption', 'Geopolitical tensions'],
 'post_incident_analysis': {'corrective_actions': ['Improve administrative '
                                                   'account security',
                                                   'Enhance detection for '
                                                   'ransomware upgrades',
                                                   'Monitor for geopolitically '
                                                   'motivated attacks'],
                            'root_causes': ['Compromised administrative '
                                            'account',
                                            'Lack of detection for upgraded '
                                            'ransomware strain',
                                            'Geopolitical timing to exploit '
                                            'chaos']},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'No evidence of data exfiltration',
                'ransomware_strain': 'Pay2Key'},
 'recommendations': ['Enhance monitoring for administrative account '
                     'compromises',
                     'Prepare for ransomware attacks with no data exfiltration '
                     'but destructive encryption',
                     'Account for geopolitical risks in cybersecurity planning',
                     'Collaborate with third-party threat intelligence '
                     'providers'],
 'references': [{'source': 'Beazley Security and Halcyon Ransomware Research '
                           'Center'},
                {'source': 'Morphisec'},
                {'source': 'U.S. intelligence agencies'},
                {'source': '2024 U.S. advisory on Pay2Key'}],
 'response': {'third_party_assistance': ['Beazley Security',
                                         'Halcyon Ransomware Research Center']},
 'stakeholder_advisories': 'Cynthia Kaiser (Halcyon) warned of unreported '
                           'Iranian cyberattacks and the mix of ransomware, '
                           'wiper malware, and critical infrastructure '
                           'targeting.',
 'threat_actor': 'Pay2Key (Iranian state-affiliated cyber actors)',
 'title': 'Iranian-Linked Pay2Key Ransomware Targets U.S. Healthcare '
          'Organization',
 'type': 'Ransomware'}