
Iran Deploys 'Pseudo-Ransomware,' Revives Pay2Key Operations

Why This Matters

Iran's revival of the Pay2Key ransomware operation and its collaboration with Russian cybercriminals highlight a strategic shift towards using cybercrime as a tool for geopolitical influence and disruption. The deployment of pseudo-ransomware and acting as an initial access broker complicates attribution and increases risks for targeted organizations, emphasizing the blurred lines between state-sponsored and criminal activities. These developments underscore the growing importance for organizations to enhance cybersecurity measures and compliance protocols to mitigate sophisticated, state-backed cyber threats.

Key Takeaways

Iran is recruiting Russian cybercriminals and engaging in other creative partnerships that blur the lines between state and criminal cyber activities to advance its geopolitical objectives in its ongoing war with the US and Israel.

As part of these activities, Iran has once again revived Pay2Key, an Iranian state-backed ransomware operation, by recruiting affiliates from Russian cybercriminal forums, according to a report from KELA's Cyber Intelligence Center published this week. Iran is using Pay2Key "as a punitive arm of the Iranian state," to attack "high-impact US targets," according to the report.

This strategy includes deploying "pseudo-ransomware" attacks and acting as an initial access broker (IAB) for ransomware groups to target US entities for cyber disruption and financial gain. KELA researchers explained that pseudo-ransomware attacks use encryption but are actually destructive operations typical of wiper malware: the data is never meant to be recovered.


These recent moves are part of a larger strategy by Iran to weaponize cybercrime techniques and recruit criminal hackers to gain an advantage in the current war, which began with the joint US-Israel attack on Iran on Feb. 28, according to KELA. These activities — and the way they blur the lines between state and criminal activity — pose a unique threat to organizations: not only do they cause business disruption, but they also create an "attribution nightmare" that carries significant legal and operational risk, according to KELA.

"If a company falls victim to a successful ransomware or extortion event, identifying the true threat actor is no longer just an IT problem — it is a critical compliance issue," according to the report. Indeed, victims risk sanctions violations and severe legal and financial penalties if ransom payments inadvertently go to state-linked entities, such as those under sanctions by the U.S. Treasury’s Office of Foreign Assets Control (OFAC).

Old and New Cyberwarfare Strategies

The resurgence in Pay2Key activity resembles what happened last July, in the wake of June's 12-day conflict in which the US and Israel targeted and destroyed Iran's nuclear facilities. At that time, Pay2Key re-emerged to target Western organizations and offered higher payouts for attacks that met Iran's geopolitical goals.

Iran is engaged in similar profit-sharing now with Pay2Key affiliates it recruits online, increasing an affiliate's cut from 70% to 80% for successfully executed attacks against designated "enemies" of Iran — that is, the US and Israel.
