What happened
Iran has revived Pay2Key operations and is using what researchers describe as “pseudo-ransomware” tactics to target high-impact U.S. organizations. According to KELA’s Cyber Intelligence Center, Iran is recruiting affiliates from Russian cybercriminal forums and using Pay2Key as a punitive arm of the Iranian state against U.S. and Israeli targets. The report says the strategy includes both profit-sharing with recruited affiliates and destructive attacks disguised as ransomware. In these operations, encryption is used not primarily for financial extortion but to mask destructive activity more typical of wiper malware. KELA also said Iran is acting as an initial access broker for ransomware groups and is deliberately blending state-backed operations with criminal cyber techniques as part of its current conflict posture.
Who is affected
Direct exposure remains potential at this stage and centers on high-impact U.S. organizations identified as targets of Iran’s renewed Pay2Key activity. The report also says Israeli entities remain in scope, while the broader risk extends to any organization that could face destructive attacks, extortion pressure, or follow-on ransomware operations tied to Iran-linked actors.
Why CISOs should care
This matters because the campaign blurs the line between state-backed cyber operations and financially motivated ransomware activity. KELA said that creates legal, operational, and compliance risk for victims, particularly where ransom payments could reach sanctioned entities. The use of destructive activity disguised as ransomware also complicates incident response by obscuring whether an attack is driven by profit, sabotage, or geopolitical retaliation.
3 practical actions
- Treat ransomware attribution as a compliance issue: Incorporate sanctions and legal review into ransomware response planning, since KELA said victims risk penalties if payments ultimately go to state-linked sanctioned entities.
- Plan for destructive attacks disguised as extortion: Ensure incident response teams can handle cases where encryption may be masking sabotage or wiper-style objectives rather than a standard financially motivated ransomware event.
- Harden resilience around edge access and segmentation: Prioritize phishing-resistant MFA, edge-device patching, offline backups, incident response readiness, and stronger separation between IT and OT systems, which KELA identified as key defensive measures.
