VMware and Pay2Key: Linux Ransomware Pay2Key Targets Servers, Virtualization Hosts, and Cloud Workloads

Pay2Key Ransomware Expands to Linux, Targeting Enterprise and Cloud Infrastructure

The Linux-focused ransomware strain Pay2Key, previously known for Windows-based attacks on Israeli and Brazilian organizations, has evolved into a ransomware-as-a-service (RaaS) operation with explicit support for Linux environments. Recent research reveals that its latest builders now include Linux payload options, enabling affiliates to generate customized encryptors for Linux servers, VMware ESXi hypervisors, and cloud workloads, aligning with a broader trend of ransomware targeting high-value infrastructure.

Linked to Iranian-backed threat actors, Pay2Key has shifted from on-premises corporate networks to financial systems, SAP databases, and virtualization platforms. Its RaaS model expands the pool of attackers capable of compromising critical enterprise assets.

Technical Execution

The Linux variant operates via a configuration-driven binary requiring root privileges. Key features include:

  • Fine-grained targeting via JSON configurations, specifying paths, file types, and mount classes for encryption.
  • Pre-encryption sabotage, including stopping services, killing processes, and disabling SELinux/AppArmor to evade detection.
  • Persistence mechanisms, such as cron jobs that ensure encryption resumes after reboots.
  • Selective encryption, skipping ELF/MZ binaries and zero-length files to avoid system crashes while maximizing damage to business data.
  • ChaCha20 encryption (full or partial modes), with per-file keys stored in obfuscated metadata to hinder recovery.
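
An added detection example, not code from the article or from the Pay2Key research, that scans constructed sudo-style log lines for the pre-encryption behaviours listed above (MAC disablement, service stops, cron persistence) and flags any account that shows two or more of them. The log format, host name and account names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in sudo's auth.log style (not real captures).
SAMPLE_LOG = """\
Mar 03 02:11:04 app01 sudo: svc-backup : TTY=pts/1 ; USER=root ; COMMAND=/usr/sbin/setenforce 0
Mar 03 02:11:05 app01 sudo: svc-backup : TTY=pts/1 ; USER=root ; COMMAND=/usr/bin/systemctl stop apparmor
Mar 03 02:11:09 app01 sudo: svc-backup : TTY=pts/1 ; USER=root ; COMMAND=/usr/bin/systemctl stop postgresql
Mar 03 02:11:12 app01 sudo: svc-backup : TTY=pts/1 ; USER=root ; COMMAND=/usr/bin/crontab -
Mar 03 02:11:20 app01 sudo: deploy : TTY=pts/2 ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

# One rule per behaviour category; each regex runs against the COMMAND= value only.
RULES = {
    "mac_disable": re.compile(r"\b(setenforce\s+0|systemctl\s+(stop|disable)\s+apparmor|aa-teardown)\b"),
    "service_stop": re.compile(r"\bsystemctl\s+stop\s+(?!apparmor\b)\S+"),
    "cron_persist": re.compile(r"\bcrontab\b|/etc/cron\.d/"),
}
LINE_RE = re.compile(r"sudo:\s+(?P<user>\S+)\s+:.*COMMAND=(?P<cmd>.*)$")


def classify(line):
    """Return (invoking user, set of matched categories) or None if nothing matched."""
    m = LINE_RE.search(line)
    if not m:
        return None
    hits = {name for name, rx in RULES.items() if rx.search(m["cmd"])}
    return (m["user"], hits) if hits else None


def find_suspects(log_text, min_categories=2):
    """Map each account to its sorted categories, keeping only accounts that
    touched at least min_categories distinct behaviours (a single stopped
    service is routine; stop + MAC disable + cron edit from one account is not)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            seen[result[0]] |= result[1]
    return {user: sorted(cats) for user, cats in seen.items() if len(cats) >= min_categories}


if __name__ == "__main__":
    for user, cats in find_suspects(SAMPLE_LOG).items():
        print(f"ALERT {user}: {', '.join(cats)}")
```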

Impact on Enterprise and Cloud Systems

Pay2Key’s Linux variant is optimized for application servers, virtualization hosts, and cloud storage, with a particular focus on ESXi infrastructure. A single compromised hypervisor can trigger cascading outages across dozens or hundreds of guest VMs. Attackers also prioritize financial applications and databases, amplifying operational disruption and ransom leverage.

Cloud and DevOps environments are increasingly at risk, as threat actors exploit misconfigurations, over-privileged service accounts, and CI/CD pipeline gaps to deploy ransomware in Kubernetes clusters and containerized workloads. Traditional EDR and signature-based defenses often fail to detect in-memory or script-driven attacks, leaving defenders with minimal response windows once root access is gained.

The evolution of Pay2Key underscores that Linux is now a primary ransomware target, requiring organizations to implement strict access controls, least-privilege policies, and purpose-built detection mechanisms to mitigate risks.

Source: https://gbhackers.com/linux-ransomware-pay2key/

VMware vDefend cybersecurity rating report: https://www.rankiteo.com/company/vmware-vdefend

Countermeasures Group cybersecurity rating report: https://www.rankiteo.com/company/countermeasures-group

{
  "id": "VMWCOU1774441709",
  "linkid": "vmware-vdefend, countermeasures-group",
  "type": "Ransomware",
  "date": "3/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "industry": ["Financial", "Technology", "Virtualization"],
      "location": ["Israel", "Brazil"],
      "type": ["Enterprise", "Cloud infrastructure providers"]
    }
  ],
  "attack_vector": ["Misconfigurations", "Over-privileged service accounts", "CI/CD pipeline gaps"],
  "data_breach": {
    "data_encryption": true,
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Business data", "Financial data", "Database records"]
  },
  "description": "The Linux-focused ransomware strain Pay2Key, previously known for Windows-based attacks on Israeli and Brazilian organizations, has evolved into a ransomware-as-a-service (RaaS) operation with explicit support for Linux environments. Recent research reveals that its latest builders now include Linux payload options, enabling affiliates to generate customized encryptors for Linux servers, VMware ESXi hypervisors, and cloud workloads. Linked to Iranian-backed threat actors, Pay2Key has shifted from on-premises corporate networks to financial systems, SAP databases, and virtualization platforms. Its RaaS model expands the pool of attackers capable of compromising critical enterprise assets.",
  "impact": {
    "data_compromised": true,
    "downtime": true,
    "operational_impact": "Cascading outages across dozens or hundreds of guest VMs, disruption of financial applications and databases",
    "systems_affected": ["Linux servers", "VMware ESXi hypervisors", "Cloud workloads", "Financial systems", "SAP databases", "Virtualization platforms"]
  },
  "initial_access_broker": {
    "high_value_targets": ["Financial systems", "SAP databases", "Virtualization platforms"]
  },
  "lessons_learned": "Linux is now a primary ransomware target, requiring organizations to implement strict access controls, least-privilege policies, and purpose-built detection mechanisms to mitigate risks.",
  "motivation": "Financial gain",
  "post_incident_analysis": {
    "corrective_actions": ["Strict access controls", "Least-privilege policies", "Purpose-built detection mechanisms"],
    "root_causes": ["Misconfigurations", "Over-privileged service accounts", "CI/CD pipeline gaps"]
  },
  "ransomware": {"data_encryption": true, "ransomware_strain": "Pay2Key"},
  "recommendations": [
    "Implement strict access controls",
    "Enforce least-privilege policies",
    "Deploy purpose-built detection mechanisms for Linux environments",
    "Secure CI/CD pipelines",
    "Monitor for misconfigurations and over-privileged service accounts"
  ],
  "references": [{"source": "Research report"}],
  "threat_actor": "Iranian-backed threat actors",
  "title": "Pay2Key Ransomware Expands to Linux, Targeting Enterprise and Cloud Infrastructure",
  "type": "Ransomware"
}