Pay2Key Ransomware Gang Resurfaces With Incentives to Attack US, Israel

[Rob Wright](/author/robert-wright), Senior News Director, Dark Reading
July 11, 2025, 3 Min Read

![The word 'Ransomware' and a padlock in red over a screen of white code](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt0cadd21b4619c70b/68716cf5ec26702a3c1b3b9b/ransomware_TomasNevesely_Alamy.jpg?width=1280&auto=webp&quality=80&format=jpg&disable=upscale "The word 'Ransomware' and a padlock in red over a screen of white code")
Source: Tomas Nevesely via Alamy Stock Photo

Changes are afoot at Pay2Key, a ransomware-as-a-service (RaaS) gang with ties to a notorious Iranian nation-state threat group, and it could spell trouble for the US.

Pay2Key was [first observed in 2020](https://www.darkreading.com/cyberattacks-data-breaches/-pay2key-could-become-next-big-ransomware-threat), and while it has been one of the lesser-known RaaS gangs, it achieved some notoriety for hack-and-leak attacks on Israeli organizations. Over the years, cybersecurity vendors and US authorities alike have tied the gang to [Fox Kitten](https://www.darkreading.com/threat-intelligence/irans-fox-kitten-group-aids-ransomware-attacks-on-us-targets), an Iranian state-sponsored threat group also known as UNC757.

Now, researchers at Morphisec say Pay2Key has re-emerged with a new approach: targeting Western organizations and offering higher payouts for attacks that meet the gang's geopolitical goals in the wake of the Israel-Iran-US conflict. According to a [new report](https://engage.morphisec.com/hubfs/Pay2Key_Iranian_Cyber_Warfare_Targets_the_West_Whitepaper.pdf) from Morphisec Labs researchers, the gang has raised its affiliate profit-sharing from 70% to 80% for attacks against "the enemies of Iran."

"Their focus on Western targets, coupled with rhetoric tied to Iran's geopolitical stance, positions this campaign as a tool of cyber warfare," the researchers wrote. "The addition of a Linux-targeted ransomware build in June 2025 further expands their attack surface, threatening diverse systems."

Pay2Key Ransomware Affiliate Payouts Increased
----------------------------------------------

The RaaS gang re-emerged this year with a new version, Pay2Key.I2P, that has rapidly expanded across the threat landscape, according to Morphisec. The name is a reference to the Invisible Internet Project, or I2P, an anonymizing overlay network similar to the Tor network. A SonicWall blog post last month highlighted Pay2Key as the [first ransomware group to use I2P](https://www.sonicwall.com/blog/pay2key-first-ransomware-utilizing-i2p-network-instead-of-tor) instead of Tor for its ransom portal and victim communications.
More importantly, the group conducted a marketing blitz across Russian and Chinese Dark Web forums and cybercrime marketplaces in February. Morphisec researchers said the rollout of the new variant, along with a coordinated branding campaign, indicates that Pay2Key operators had a multistage launch strategy that was planned in advance.

"With over 51 successful ransom payouts in four months, the group's effectiveness is undeniable," the researchers wrote, adding that Pay2Key had obtained more than $4 million in total ransoms during that stretch.

According to communications between a Pay2Key threat actor and the Morphisec Labs research team, the gang is willing to offer affiliates 80% of a paid ransom for attacks "primarily [against] Israel and the United States." The threat actor told the researchers that Pay2Key provides affiliates with enough anonymity that they and the gang's operators can conduct cyberattacks without breaking the ceasefire between Iran and the two nations.

It's unclear how much of an incentive the 80% profit share will be for potential affiliates, as several other ransomware gangs have gone to that level and even higher in recent years. In 2022, the Multi-State Information Sharing and Analysis Center (MS-ISAC) noted that the now-defunct BlackCat ransomware gang offered affiliates [between 80% and 90% of paid ransoms](https://www.cisecurity.org/insights/blog/breaking-down-the-blackcat-ransomware-operation). More recently, groups like [DragonForce and Anubis](https://www.darkreading.com/data-privacy/ransomware-gangs-innovate-new-affiliate-models) have been observed offering 80% profit-sharing as well.
Still, Morphisec researchers warned that the group is committed to causing damage to Iran's enemies, as evidenced by the relaunch of the operation and the introduction of a new version of the ransomware, complete with a build for Linux systems.

"Personal communications reveal a group driven by ideology, rewriting their tools to maximize impact," the researchers wrote. "As geopolitical tensions fuel such threats, proactive defense is essential."

Morphisec's report included indicators of compromise (IoCs), including signatures for the Pay2Key.I2P payload and the command-and-control (C2) domain. The researchers warned that the initial executable contains an obfuscated PowerShell script that creates an exclusion in Windows Defender for all ".exe" files. This creates a "blind spot," without triggering Windows Defender's anti-tampering defenses, that provides cover for additional payload stages in the infection chain.
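For defenders, the Defender exclusion described above is worth auditing on endpoints. The following PowerShell is an added example written for this article, not code from the Morphisec report or from the Pay2Key payload; it assumes an elevated session on a host running Microsoft Defender and relies on the Get-MpPreference cmdlet for the current exclusion lists and on Event ID 5007 in the Defender operational log, which records configuration changes.

```powershell
# Added audit example (assumed environment: elevated PowerShell on a host running
# Microsoft Defender). Not taken from the Morphisec report or the Pay2Key sample.

function Get-SuspiciousDefenderExclusions {
    # Get-MpPreference exposes the current exclusion lists.
    $pref = Get-MpPreference
    $findings = @()

    # An extension exclusion on "exe" (or a wildcard) hides every executable,
    # the blind spot described above. Script and library types are flagged too.
    foreach ($ext in @($pref.ExclusionExtension | Where-Object { $_ })) {
        if ($ext -match '^\.?(exe|dll|ps1|bat|cmd|scr|\*)$') {
            $findings += [pscustomobject]@{ Type = 'Extension'; Value = $ext }
        }
    }
    # Path exclusions that cover a whole drive, a wildcard, or user-writable dirs.
    foreach ($p in @($pref.ExclusionPath | Where-Object { $_ })) {
        if ($p -match '^[A-Za-z]:\\?$' -or $p -match '\*' -or
            $p -match '\\(Temp|Downloads|AppData|Public|ProgramData)\\') {
            $findings += [pscustomobject]@{ Type = 'Path'; Value = $p }
        }
    }
    # Process exclusions exempt every file the named process touches; list all.
    foreach ($proc in @($pref.ExclusionProcess | Where-Object { $_ })) {
        $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc }
    }
    return $findings
}

function Get-RecentExclusionChanges {
    param([int]$Days = 7)
    # Event ID 5007 in the Defender operational log records configuration
    # changes; exclusion additions appear under the ...\Exclusions\ registry path.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\' } |
        Select-Object TimeCreated, Message
}

$exclusions = Get-SuspiciousDefenderExclusions
$changes    = Get-RecentExclusionChanges -Days 7

if ($exclusions) { "Suspicious exclusions:"; $exclusions | Format-Table -AutoSize }
else             { "No suspicious Defender exclusions found." }
if ($changes)    { "Exclusion changes in the last 7 days:"; $changes | Format-List }
```

Exclusions pushed by Intune or Group Policy will show up here as well, so compare the output against your documented baseline before treating an entry as tampering.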
About the Author
----------------

[Rob Wright](/author/robert-wright), Senior News Director, Dark Reading

Rob Wright is a longtime reporter and senior news director for Informa TechTarget's security team. He is based in the Boston area.
