Iran-Linked Pay2Key Ransomware Gang Targeted U.S. Healthcare Organization Amid Military Conflict


What happened

An Iran-linked Pay2Key ransomware gang targeted a U.S. healthcare organization in late February amid the military conflict between the United States and Iran. Incident responders at Beazley Security helped the unnamed healthcare organization respond to the attack, while the Halcyon Ransomware Research Center assisted in the investigation. According to the report, the attackers compromised an administrative account on the victim’s network several days before deploying the ransomware and encrypting the environment. Investigators also found that the attackers attempted to clear traces of their activity, including event logs, after encryption. The report said there was no evidence that data was exfiltrated during the intrusion. Halcyon also noted changes to the ransomware that make it harder to detect and more damaging.

Who is affected

The direct victim was an unnamed U.S. healthcare organization. The report also states that Pay2Key has targeted organizations in the United States, Israel, Azerbaijan, and the United Arab Emirates, making the exposure broader than a single sector or geography. 

Why CISOs should care

The incident is relevant because it involved ransomware deployment inside a healthcare environment after compromise of an administrative account, followed by efforts to erase traces of attacker activity. The report also said Pay2Key activity increased following the recent military conflict between the United States and Iran. 

3 practical actions:

  1. Review privileged account exposure: Determine whether any administrative accounts show signs of unauthorized access or misuse consistent with the intrusion sequence described in the incident. 
  2. Preserve and verify logging coverage: Confirm that logging, retention, and recovery controls can withstand attempts to clear event logs and erase evidence after ransomware deployment. 
  3. Scope for encryption without theft: Treat incidents involving Pay2Key as potentially destructive even where there is no evidence of data exfiltration, and align response scoping accordingly. 
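As an added example (not code from the report, Beazley Security or Halcyon), the following Python triage script takes a batch of forwarded log records, flags event-log clearing, and looks back for privileged logons by the same account over the preceding days, mirroring the sequence described above: admin account compromised first, logs cleared after encryption. The sample records are constructed, and treating the environment as Windows (event IDs 1102/104 for log clearing, 4624/4672 for logons) is an assumption.

```python
"""Flag event-log clearing and tie it back to earlier privileged-account activity."""
from datetime import datetime, timedelta

# Constructed sample records (not from the incident). Fields mimic forwarded
# Windows Security/System events; a Windows environment is an assumption.
SAMPLE_EVENTS = [
    {"ts": "2026-02-20T02:14:00", "log": "Security", "id": 4624, "user": "svc-admin", "host": "DC01", "src": "10.0.9.77"},
    {"ts": "2026-02-20T02:15:30", "log": "Security", "id": 4672, "user": "svc-admin", "host": "DC01", "src": "10.0.9.77"},
    {"ts": "2026-02-24T23:40:00", "log": "Security", "id": 4624, "user": "svc-admin", "host": "FS02", "src": "10.0.9.77"},
    {"ts": "2026-02-25T01:05:00", "log": "Security", "id": 1102, "user": "svc-admin", "host": "FS02", "src": ""},
    {"ts": "2026-02-25T01:05:10", "log": "System",   "id": 104,  "user": "svc-admin", "host": "FS02", "src": ""},
    {"ts": "2026-02-25T08:00:00", "log": "Security", "id": 4624, "user": "jdoe",      "host": "WS15", "src": "10.0.3.21"},
]

LOG_CLEAR_IDS = {1102, 104}    # Security audit log cleared / other event log cleared
PRIV_LOGON_IDS = {4624, 4672}  # successful logon / special privileges assigned at logon


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_log_clears(events):
    """Every record that indicates an event log was cleared."""
    return [e for e in events if e["id"] in LOG_CLEAR_IDS]


def privileged_activity_before(events, clear_event, lookback_days=7):
    """Privileged logons for the same account in the window before the clear."""
    t_clear = parse_ts(clear_event["ts"])
    start = t_clear - timedelta(days=lookback_days)
    return [e for e in events
            if e["id"] in PRIV_LOGON_IDS and e["user"] == clear_event["user"]
            and start <= parse_ts(e["ts"]) < t_clear]


def build_findings(events, lookback_days=7):
    """One finding per log-clear event: how long the account was active before it, and where."""
    findings = []
    for clear in find_log_clears(events):
        prior = privileged_activity_before(events, clear, lookback_days)
        first = min((parse_ts(e["ts"]) for e in prior), default=None)
        lead = (parse_ts(clear["ts"]) - first).days if first else None
        findings.append({"host": clear["host"], "log": clear["log"], "user": clear["user"],
                         "prior_priv_events": len(prior), "lead_days": lead,
                         "hosts": sorted({e["host"] for e in prior})})
    return findings


if __name__ == "__main__":
    for f in build_findings(SAMPLE_EVENTS):
        print(f)
```

A `lead_days` of several days with activity on more than one host is the pattern to escalate; a clear with no prior privileged activity for that account in the window is still worth review, since the earlier records may themselves have been wiped.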

For more coverage of ransomware campaigns and extortion-driven attacks, explore our reporting under the Ransomware tag.