Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Pay2Key

0
Global rank
0
Month rank
0
Week rank
0
IOCs

Pay2Key is a ransomware strain primarily written in C++ for Windows (with recent Linux variants), attributed to Iranian-linked actors, notably the Fox Kitten APT group (also known as UNC757 or related operations). First observed in late 2020, it employs double-extortion tactics (encrypting files and threatening to leak stolen data) while showing signs of both financial and state-aligned motivations. It has resurfaced in campaigns targeting Western organizations, including rapid encryption attacks on healthcare.

Ransomware
Type
Unknown
Origin
1 October, 2020
First seen
7 July, 2026
Last seen

How to analyze Pay2Key with ANY.RUN

Type
Unknown
Origin
1 October, 2020
First seen
7 July, 2026
Last seen

IOCs

Last Seen at

Recent blog posts

post image
Banana RAT Evolves: Comparing Two Recent Bran...
watchers 748
comments 0
post image
Release Notes: In-Browser Data Inspection, To...
watchers 7686
comments 0
post image
Closing the Supplier Security Gap: How a US M...
watchers 7042
comments 0

Pay2Key Explained: From Israeli Extortion Campaign to Global Ransomware-as-a-Service Threat

Key Takeaways

  • Pay2Key is a targeted ransomware family that combines encryption with credential theft, lateral movement, and data exfiltration.

  • The malware has been linked by multiple researchers to Iranian threat activity targeting organizations rather than individual users.

  • Attackers commonly gain initial access using compromised VPN accounts, exposed remote services, or stolen enterprise credentials.

  • Enterprise-wide compromise often occurs long before ransomware deployment through reconnaissance and privilege escalation.

  • Strong identity protection, network segmentation, MFA, and tested offline backups significantly reduce ransomware risk.

  • Continuous monitoring for credential abuse and lateral movement can reveal Pay2Key activity before encryption begins.

  • ANY.RUN Threat Intelligence Lookup and Threat Intelligence Feeds help security teams proactively identify Pay2Key infrastructure, detect related indicators of compromise, enrich SIEM and EDR telemetry, and stop attacks during the early stages of intrusion.

threatName:"pay2key"

Pay2Key sample analyses in ANY.RUN Sandbox Pay2Key sample analyses in ANY.RUN Sandbox found via TI Lookup

What is Pay2Key Malware?

Pay2Key is a ransomware family that emerged in late 2020 and quickly gained attention for targeting Israeli organizations and businesses through carefully planned intrusions. Unlike commodity ransomware, Pay2Key operators combined ransomware deployment with credential theft, lateral movement, and data exfiltration, allowing them to maximize operational disruption and extortion pressure. The malware has also been linked by multiple security researchers to Iranian state-sponsored threat activity, making it notable as an example of financially motivated attacks overlapping with geopolitical objectives.

It encrypts files on compromised systems using strong cryptographic algorithms before demanding cryptocurrency payments in exchange for a decryption key.

While its technical capabilities resemble those of many enterprise ransomware families, Pay2Key distinguished itself through its operational approach. Rather than relying solely on automated infections, its operators typically gained privileged access to corporate networks, moved laterally across environments, harvested credentials, and selectively deployed ransomware where it would cause the greatest disruption.

Several cybersecurity vendors have assessed with moderate to high confidence that the Pay2Key campaign was operated by an Iranian threat group commonly tracked as Fox Kitten (UNC757/APT35-associated infrastructure), although the ransomware itself appeared to pursue financial extortion alongside broader strategic objectives.

The malware often formed the final stage of a larger intrusion involving:

  • initial compromise
  • privilege escalation
  • credential theft
  • reconnaissance
  • lateral movement
  • selective encryption
  • ransom negotiations

This multi-stage approach makes Pay2Key significantly more dangerous than opportunistic ransomware that simply encrypts a single endpoint.

View Pay2Key sample analysis in ANY.RUN Sandbox

Pay2Key attack exposed in Interactive Sandbox Pay2Key attack exposed in Interactive Sandbox

How Pay2Key Threatens Businesses and Organizations

Pay2Key's dual identity — cybercriminal RaaS and state-aligned disruption tool — makes it a broader risk than a typical for-profit ransomware family:

  • Operational shutdown. The Linux variant runs with root privileges, disables SELinux and AppArmor, kills competing processes, and selectively encrypts mounted filesystems — directly hitting database servers, application backends, and virtual machine hosts that many businesses cannot operate without.
  • Extortion without the usual playbook. Some recent intrusions showed no data exfiltration at all, a departure from standard double-extortion ransomware. This suggests some attacks aim at disruption and reputational damage rather than a clean financial transaction, making "just pay the ransom" a less reliable path to recovery.
  • Amplified reach through affiliates. The RaaS model, with its unusually high payout share, actively recruits outside operators, increasing the volume and unpredictability of attacks beyond what a single state-run team could carry out.
  • Fast lateral spread. Historical incidents show Pay2Key operators moving from initial foothold to network-wide encryption in about an hour once inside, leaving little time for manual containment.
  • Geopolitical targeting logic. Because affiliates are incentivized to hit "enemies of Iran," organizations in Israel and the U.S. — or with visible ties to either — carry elevated risk independent of their perceived security maturity.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Victimology: Who Is Most at Risk?

Pay2Key's targeting has evolved alongside its operators' goals, but several patterns stand out:

  • Israeli enterprises — the original 2020 campaign concentrated on Israeli corporations, with ClearSky research pointing to defense, energy, insurance, and logistics organizations as primary targets, often used as a cover for intelligence collection alongside the ransomware deployment.
  • U.S. organizations, including healthcare — Pay2Key.I2P's 2025–2026 campaigns explicitly courted affiliates to attack American targets, and a confirmed 2026 intrusion hit a U.S. healthcare provider, a sector where downtime carries life-safety consequences and strong pressure to resolve incidents quickly.
  • Critical infrastructure and government-adjacent sectors — Fox Kitten's broader operational history includes government, defense, telecommunications, oil and gas, and aviation organizations, largely reached through exposed remote-access infrastructure rather than sector-specific phishing.
  • Any organization running exposed Linux servers, virtualization hosts, or cloud workloads — the 2025 Linux encryptor specifically targets the infrastructure layer (databases, app backends, VM hosts) that underpins cloud and hybrid environments, regardless of industry.
  • Organizations with unpatched edge devices — because initial access relies heavily on known VPN and firewall vulnerabilities, any business running Citrix, Pulse Secure/Ivanti, F5 BIG-IP, Fortinet, Palo Alto GlobalProtect, or Check Point gateways without current patches is a candidate victim, independent of size or sector.

The Evolution of Pay2Key and Notable Activity

  • June–October 2020 – Fox Kitten operators register infrastructure and compile the first Pay2Key samples; ransom notes demand relatively modest sums of 7–9 BTC (roughly $110K–$140K at the time).

  • Late 2020 – Wave of attacks against Israeli companies, largely via compromised RDP access following earlier VPN exploitation. Victim data is leaked on a Tor-hosted site, publicly tagging victims and media outlets — behavior researchers characterized as psychological/information warfare rather than pure extortion.

  • 2021–2024 – Fox Kitten continues broad VPN-exploitation campaigns (Pulse Secure, Citrix, F5, Fortinet, Palo Alto) across government, defense, and energy sectors; a 2024 joint CISA/FBI advisory describes the group brokering network access to ransomware crews including NoEscape, RansomHouse, and BlackCat/ALPHV.

  • February 2025 – Relaunch as Pay2Key.I2P on a Russian-language underground forum, offering a flat $20,000 payout per successful attack and, later, an affiliate profit share increased to 80% for attacks supporting Iranian interests.

  • June 2025 – Release of a Linux-compatible encryptor, extending the malware from endpoints to servers, virtualization platforms, and cloud infrastructure.

  • Mid-2025 – Operators claim over 50 successful ransom payments and more than $4 million collected in four months, with individual affiliates reportedly earning up to $100,000.

  • Late 2025 – Pay2Key's operation is listed for sale on dark web forums and the group's own account; the sale process concludes without clear public resolution.

  • February 2026 – Confirmed intrusion at a U.S. healthcare organization, analyzed jointly by Beazley Security and Halcyon, showing a more evasive, forensically aware variant with no observed data exfiltration — a break from the group's earlier double-extortion pattern.

How Pay2Key Gets Into Systems and Spreads

Consistent with Fox Kitten's long-standing tradecraft, Pay2Key rarely relies on phishing as its primary entry point. Instead:

  • 1. Initial access via public-facing infrastructure. Operators scan the internet — reportedly using Shodan — for unpatched, internet-facing VPN and networking appliances, historically including Citrix NetScaler/ADC (CVE-2019-19781, CVE-2023-3519), Pulse Secure/Ivanti Connect Secure (CVE-2019-11510, CVE-2024-21887), F5 BIG-IP (CVE-2020-5902, CVE-2022-1388), Fortinet FortiOS (CVE-2018-13379), Palo Alto GlobalProtect (CVE-2024-3400), and Check Point Security Gateways (CVE-2024-24919).

  • 2. Credential and webshell foothold. After exploitation, operators plant webshells, harvest credentials, and create discreetly named local or domain accounts (e.g., disguised as service accounts) to blend into legitimate administrative activity.

  • 3. Internal pivoting. Exposed or brute-forced RDP is used as a secondary access route and as the primary mechanism for moving laterally across the network once inside.

  • 4. Command-and-control and tunneling. The group routes traffic through reverse proxy tools such as FRPC and ReverseSocks5 to funnel activity through a single internet-connected pivot host, minimizing its external footprint; the newer Pay2Key.I2P infrastructure adds I2P-based anonymized C2 to the mix.

  • 5. Rapid deployment. Once positioned, operators have historically distributed the ransomware payload across an entire compromised network within about an hour, using native tools like PsExec and PowerShell rather than custom deployment infrastructure — which helps the activity blend into normal admin traffic until encryption begins.

How Pay2Key Malware Functions

Upon execution (often as Cobalt.Client.exe), it reads a config file, generates RSA keys, and communicates with C2 (via proxy). It receives a dynamic configuration (target extensions, ransom note customized per victim, .pay2key or similar extension).

The malware discovers systems, stops interfering services (e.g., MS SQL), encrypts files (full/partial modes in Linux with ChaCha20; RSA+AES in Windows), and drops customized ransom notes. It includes self-cleanup, persistence mechanisms, and system info gathering. Linux builds require root, disable protections, and target mounts/backups.

View the attack chain in ANY.RUN Interactive Sandbox:

Pay2Key detonated in Interactive Sandbox Pay2Key sample detonated in Interactive Sandbox

Pay2Key ransomware extracts several component files into the temporary directory, including data.bin and a command script named setup.cmd, which is later executed by Command Prompt.

Pay2Key components and scripts

Pay2Key components and scripts Pay2Key components and processes

The setup.cmd script contains the following logic:

The script first determines whether the system is running under WOW64 and launches the appropriate PowerShell executable. It then removes previously extracted files, checks for the presence of additional payload components, and extracts multiple password-protected archives using 7za.exe. During execution, it reconstructs the 7-Zip executable from an embedded payload and uses it to unpack the remaining components.

If data2.bin is present, the script extracts files into the Avast installation directory (C:\Program Files\Avast Software\Avast) and executes additional utilities from there.

Malicious script behavior Malicious script behavior

If data4.bin exists, it extracts and executes task.ps1, which performs additional malicious actions. The script then extracts data3.bin and launches sfx-i386-amd64.exe, waiting for its execution to complete before continuing.

The PowerShell code embedded in the script also contains a custom XOR-based decoding routine used to decrypt embedded payloads stored in files such as data.bin, data1.bin, and data5.bin. The decoded payloads are executed directly in memory, while data1.bin is decoded and written to disk as 7za.exe.

Pay2Key decoded payload Pay2Key decoded payload

After extracting and launching all required components, the ransomware executes Everything.exe, which is used to rapidly enumerate files across the system before encryption.

Pay2Key mutex Pay2Key mutex

Before encrypting files, the malware performs several defense evasion actions. It suspends BitLocker protection using:

powershell.exe -ExecutionPolicy Bypass "Get-BitLockerVolume | Suspend-BitLocker"

It also disables hibernation using:

powercfg.exe -H off

Additionally, the ransomware uses delayed execution through the following command:

Pay2Key delayed execution command Pay2Key delayed execution command

This introduces a short delay before disabling security software and removing the extracted Avast directory.

Finally, the ransomware encrypts victim files by appending the .randomchars_p2key extension and drops the ransom note as:

C:\temp\HowToRestoreFiles.txt

Pay2Key ransom note Pay2Key ransom note

…instead of placing it in the standard Windows temporary directory.

How Businesses Can Use ANY.RUN’s Threat Intelligence Solutions Against Pay2Key

Because Pay2Key's initial access almost always runs through exploited edge infrastructure rather than user-clicked payloads, defense has to start before the encryptor ever executes — and that means having visibility into the exploitation and staging activity, not just the ransomware binary.

ANY.RUN's Threat Intelligence Lookup gives SOC and DFIR teams a way to move from an isolated indicator to full attack context in seconds. If your team spots a suspicious IP, file hash, mutex, or command line potentially tied to Fox Kitten or Pay2Key activity, TI Lookup lets you search across dozens of event parameters — file paths, registry keys, network indicators, YARA rules — and pivot directly into the underlying interactive sandbox sessions where those indicators appeared.

That's especially valuable for a threat actor like Fox Kitten, whose tooling (webshells, proxy utilities, PsExec-based lateral movement) is often reused across intrusions; a single confirmed indicator can surface related infrastructure and TTPs from other victims' sessions before your own incident escalates.

ANY.RUN's Threat Intelligence Feeds take the opposite but complementary approach: instead of searching reactively, they push a continuously updated stream of malicious IPs, domains, and URLs — sourced from millions of real-world sandbox detonations — directly into your SIEM, firewall, or SOAR. For a group that rotates C2 infrastructure and proxy pivots as often as Fox Kitten does, fresh, low-false-positive feeds help block newly stood-up infrastructure before it's used against you, rather than relying solely on signatures for the ransomware binary itself.

Used together, TI Feeds shrink the window of exposure to known-bad infrastructure automatically, while TI Lookup gives analysts the investigative depth to confirm, scope, and hunt for related activity once something suspicious surfaces.

Beyond threat intelligence, organizations should treat these as baseline controls against Pay2Key specifically:

  • Patch edge devices on an accelerated cycle. Citrix, Ivanti/Pulse Secure, F5, Fortinet, Palo Alto, and Check Point appliances are Fox Kitten's primary entry point — patch lag is the vulnerability the group is actually exploiting.
  • Restrict and monitor RDP. Disable direct internet exposure of RDP, enforce MFA on remote access, and alert on anomalous RDP session patterns.
  • Harden Linux hosts. Enforce SELinux/AppArmor in enforcing mode where possible, monitor for unauthorized changes to their state, and audit cron jobs regularly for unexpected entries.
  • Segment critical infrastructure. Isolate database servers, virtualization hosts, and backup systems from general user network segments to limit the blast radius of a compromised foothold.
  • Maintain tested, offline backups. Given evidence that some Pay2Key intrusions skip data theft and go straight to disruption, backup integrity and recovery speed matter as much as prevention.
  • Detonate suspicious samples in an interactive sandbox before trusting artifacts recovered from incident response, to confirm behavior and extract fresh IOCs for the rest of the environment.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Pay2Key demonstrates that modern ransomware attacks are rarely isolated encryption events. Instead, they are the culmination of carefully orchestrated intrusions involving stolen credentials, reconnaissance, lateral movement, and data theft.

Although Pay2Key itself has remained relatively limited in scale compared to larger ransomware families, the tactics employed by its operators mirror those used by today's most sophisticated ransomware groups. Organizations that focus only on detecting file encryption risk missing the earlier stages where attackers are far easier to stop.

By combining proactive threat intelligence, continuous monitoring, strong identity security, and layered defenses, businesses can identify Pay2Key-related activity before it escalates into a costly ransomware incident.

Trial TI Lookup to start gathering actionable threat intelligence on the malware that threatens your business sector and region: just sign up to ANY.RUN.

HAVE A LOOK AT

DarkComet screenshot
DarkComet
darkcomet rat darkcomet rat
DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.
Read More
DragonForce screenshot
DragonForce
dragonforce
DragonForce is a ransomware strain operating under the Ransomware-as-a-Service (RaaS) model. First reported in December 2023, it encrypts files with ChaCha8, renames them with random strings, and appends “.dragonforce_encrypted.” By disabling backups, wiping recovery, and spreading across SMB shares, DragonForce maximizes damage and pressures victims into multimillion-dollar ransom negotiations. It has targeted manufacturing, construction, IT, healthcare, and retail sectors worldwide, making it a severe threat to modern enterprises.
Read More
StrelaStealer screenshot
StrelaStealer
strela
StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.
Read More
Wshrat screenshot
Wshrat
wshrat rat trojan
WSHRAT is a Remote Access Trojan — a malware that allows the attackers to take over the infected machines. The RAT has been in circulation since 2013 and it is arguably most notable for the numerous versions released into the wild.
Read More
Orcus RAT screenshot
Orcus RAT
orcus rat trojan
Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More