Iranian-Backed Pay2Key Ransomware Resurfaces with 80% Profit Share for Cybercriminals


In 2025, a notorious ransomware campaign with roots stretching back to late 2020 has resurfaced with renewed vigor — this time blending state‑aligned cyber war objectives with global cybercrime economics. The malware, Pay2Key, has reemerged under the new branding Pay2Key.I2P, offering an unusually lucrative 80% profit share to affiliates willing to deploy the ransomware against organizations perceived as adversarial to Iranian interests, particularly those in the United States and Israel. NetmanageIT CTO Corner

What distinguishes this latest iteration is not only its aggressive profit incentive, but also its blend of ideology and profit motive, its use of anonymizing networks, and its association with advanced persistent threat (APT) infrastructure — factors that together reflect the increasing convergence of state‑aligned cyber warfare and organized cybercrime. versprite.com


Pay2Key’s Evolution: From Cybercrime Tool to Geopolitical Weapon

Originally identified in 2020, Pay2Key first gained attention as part of a campaign targeting Israeli companies using a variety of ransomware tactics, data theft, and extortion. Analysts have long connected the original Pay2Key activity to Iran‑linked threat actors, notably the group tracked as Fox Kitten (aka Pioneer Kitten or Lemon Sandstorm). The Register

For several years thereafter, Pay2Key was relatively dormant until early 2025, when cybersecurity researchers observed it reemerging with substantial enhancements. The modern version — Pay2Key.I2P — differs from many criminal ransomware operations in several important ways: it is hosted on the Invisible Internet Project (I2P) anonymizing network rather than traditional Tor services, it integrates portions of the Mimic ransomware family, and it directly appeals to cybercriminal affiliates to target Western nations’ organizations in support of Iran’s geopolitical objectives. TechNews 科技新報

According to threat intelligence researchers, Pay2Key.I2P surfaced publicly in February 2025 and has since claimed more than 51 successful ransom campaigns, netting over $4 million in payments within its first four months of operation. Individual affiliates have reportedly earned roughly $100,000 each during this period, underscoring the profitability of the scheme. NetmanageIT CTO Corner


The 80% Profit‑Share Model: Incentivizing Attacks

Most ransomware‑as‑a‑service (RaaS) operations use a profit‑sharing model where affiliates deploying the malware receive a portion of any ransom payment, with the malware developers retaining the rest. Historically, profit shares might be around 60–70% for affiliates. Akamai

Pay2Key.I2P’s model is different: it offers affiliates an 80% share of ransom proceeds, up from the approximately 70% previously attributed to Pay2Key campaigns. The explicit incentive structure is reportedly contingent on targeting entities considered adversaries of Iran, particularly in Israel and the U.S., signaling an ideological element layered atop criminal incentives. NetmanageIT CTO Corner

In a darknet forum post from February 20, 2025, an account named “Isreactive” advertised the ransomware binary to would‑be affiliates, charging $20,000 per successful deployment and reinforcing the more permissive and lucrative payout framework. This marked a departure from conventional RaaS models, allowing developers to capture most of the economic upside while still heavily rewarding affiliates who generate successful extortion events. TechNews 科技新報

This strategy highlights how ransomware operations are evolving beyond strictly commercial crime into hybrid economic‑ideological campaigns, where cyberattacks serve both profit and partisan geopolitical aims.


Technical Sophistication and Operational Features

I2P‑Hosted Infrastructure

One of the most unusual features of Pay2Key.I2P is its use of the Invisible Internet Project (I2P) to host its RaaS infrastructure. While many ransomware groups use Tor to anonymize communication and leak sites, Pay2Key.I2P is the first known group to host its entire ransomware‑as‑a‑service platform on an anonymized network layer like I2P. TechNews 科技新報

Hosting on I2P provides additional obfuscation for both affiliates and developers, complicating law enforcement efforts to trace or take down the infrastructure. This contrasts with more typical RaaS leak sites hosted via Tor hidden services or on clear‑web infrastructure protected by Cloudflare.

Collaborative Code Base with Mimic Ransomware

Pay2Key.I2P appears to incorporate capabilities or components from the Mimic ransomware family, a well‑known strain that itself has roots in leaked code from the Conti ecosystem. Linking or sharing code across ransomware families demonstrates the modular and collaborative nature of modern cybercrime, where high‑value features like obfuscation, encryption algorithms, and payload execution routines are reused and repurposed. Security Affairs

Evasion and Anti‑Analysis Techniques

The campaign includes multiple technical measures designed to evade detection and frustrate defensive controls. These include:

  • Dual CMD/PowerShell scripts within self‑extracting 7‑Zip archives to launch the ransomware quietly.

  • Security tool disablement, such as turning off Microsoft Defender and adding exclusions, to blunt endpoint protection.

  • Artifact deletion to reduce forensic evidence left behind after execution.

  • Obfuscation and anti‑analysis checks to trip sandbox detonations or thwart dynamic analysis systems. versprite.com
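As an added example, not code from the article or the researchers it cites, the following Python scans constructed PowerShell script-block log records (Windows Event ID 4104) for the Defender disabling, exclusion additions and artifact deletion listed above. The Set-MpPreference/Add-MpPreference cmdlets and their parameters are real Defender options; clearing event logs with `wevtutil cl` is assumed here as one concrete form of the artifact deletion the article mentions, and the sample records are constructed, not real incident data.

```python
import re
from typing import Dict, List, Tuple

# Signatures for the behaviours the article lists. Set-MpPreference and
# Add-MpPreference with -DisableRealtimeMonitoring / -ExclusionPath are real
# Defender cmdlet options; "wevtutil cl" (clear event log) is assumed here as
# one common form of forensic artifact deletion.
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "defender_realtime_disabled": re.compile(
        r"Set-MpPreference\b[^\n;]*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I),
    "defender_exclusion_added": re.compile(
        r"(Add|Set)-MpPreference\b[^\n;]*-Exclusion(Path|Extension|Process)\b", re.I),
    "eventlog_cleared": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
}


def scan_script_blocks(entries: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Return (record_index, signature_name, matched_text) for every 4104
    ScriptBlockText record that matches a signature. Other event IDs are skipped
    because their text field is not a PowerShell script block."""
    hits: List[Tuple[int, str, str]] = []
    for idx, rec in enumerate(entries):
        if rec.get("event_id") != "4104":
            continue
        text = rec.get("script_block", "")
        for name, pattern in SIGNATURES.items():
            match = pattern.search(text)
            if match:
                hits.append((idx, name, match.group(0)))
    return hits


# Constructed sample records modelled on script-block logging output.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"event_id": "4104", "user": "svc_backup",
     "script_block": "Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled"},
    {"event_id": "4104", "user": "jdoe",
     "script_block": "Set-MpPreference -DisableRealtimeMonitoring $true; "
                     "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\stage'"},
    {"event_id": "4688", "user": "jdoe",          # not a script block: ignored
     "script_block": "wevtutil cl Security"},
    {"event_id": "4104", "user": "jdoe",
     "script_block": "wevtutil.exe cl Microsoft-Windows-PowerShell/Operational"},
]

if __name__ == "__main__":
    for idx, sig, snippet in scan_script_blocks(SAMPLE_RECORDS):
        print(f"record {idx} ({SAMPLE_RECORDS[idx]['user']}): {sig} -> {snippet}")
```

Benign status queries (record 0) produce no hit, while a single record that both disables real-time monitoring and adds an exclusion is reported once per signature, which is how a SIEM rule would score it.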

In June 2025, the group also introduced Linux‑compatible ransomware builds, expanding its potential victim base beyond Windows environments and allowing it to target more diverse server and enterprise systems. versprite.com


Geopolitical Context: Cyber Warfare Meets Cybercrime

The timing of Pay2Key.I2P’s resurgence is not coincidental. It emerged amid heightened tensions involving Iran, Israel, and the United States, particularly after military engagements that escalated regional friction early in 2025. Analysts have noted that several Iranian‑linked cyber threat groups, such as MuddyWater, APT33, OilRig, Cyber Av3ngers, and Homeland Justice, have been observed targeting U.S. industrial and critical infrastructure entities during this period — and Pay2Key.I2P’s activity fits within this broader trend of ideologically infused operations. TechNews 科技新報

Morphisec’s researchers warn that Pay2Key.I2P embodies a dangerous convergence of Iranian‑aligned cyber warfare and global cybercrime, where the malware’s profitability and ideological narratives reinforce each other to escalate attacks on Western organizations. versprite.com

This hybridization complicates defensive postures: organizations must defend not only against financially motivated cybercriminal campaigns but also against attacks driven by geopolitical agendas. The blurred line between state‑linked activity and criminal outsourcing means that attribution, legal response, and mitigation strategies become far more complex.


Tactics, Techniques, and Procedures (TTPs) in Use

Initial Access Vector

The ransomware has often been deployed following phishing campaigns, exploitation of internet‑facing vulnerabilities, or use of compromised credentials — typical entry points used by many RaaS affiliates. However, the involvement of sophisticated scripts to disable defenses and deploy payloads suggests that affiliates may be provided turnkey attack workflows, reducing the skill barrier for deployment. versprite.com

Encryption and Extortion Workflow

Once executed, Pay2Key.I2P encrypts victim files and appends ransom notes demanding payment in cryptocurrencies such as Monero or Bitcoin. The use of anonymized payment channels and the I2P network adds extra operational complexity for defenders trying to trace transactions or link wallets to real‑world actors. versprite.com

Affiliate Support and Tools

Pay2Key.I2P operators have built an affiliate support ecosystem, complete with recruitment posts, referral systems, and dashboards showing profitability and payouts — all designed to attract and retain operators who can deploy the ransomware effectively. These features resemble legitimate SaaS offerings, albeit for criminal purposes. versprite.com


Impact and Threat Landscape

Though precise victim lists are limited due to privacy and confidentiality concerns, cybersecurity intelligence indicates that Pay2Key.I2P has successfully extracted ransom payments from more than 50 victims across sectors in its first months of operation, accumulating over $4 million — a significant figure given the short period of activity. NetmanageIT CTO Corner

This level of operational success in just four months reflects both the enduring profitability of ransomware and the significant demand for ransomware tools that combine ideological incentives with lucrative financial arrangements.

Security experts warn that Pay2Key.I2P’s profit incentive structure could attract a broader pool of affiliates — including less sophisticated operators who are now empowered to deploy advanced ransomware with minimal entry barriers. This expanded attack surface could put a wider range of organizations at risk, from small businesses to critical infrastructure operators.


Defensive Measures and Mitigation Strategies

In the face of such evolving ransomware threats, experts recommend that organizations adopt multi‑layered defense strategies:

1. Implement Zero‑Trust and Endpoint Protection

Modern security approaches emphasize zero‑trust principles, strong endpoint detection and response (EDR) tools, and proactive security controls that can detect malicious script execution and ransomware staging. versprite.com

2. Patch and Harden Systems

Regularly updating systems and applications to mitigate known vulnerabilities reduces the available attack surface that ransomware affiliates may exploit.

3. Backups and Disaster Recovery

Strong, immutably stored backups can negate the leverage ransomware operators have over victims by ensuring data can be restored without paying extortion demands.

4. Network Segmentation and Access Controls

Segmenting critical systems and enforcing strict access controls can slow or prevent ransomware from spreading across an organization’s network.

5. Threat Intelligence Sharing

Sharing indicators of compromise (IOCs) and TTPs across industries and with government agencies enhances collective defense and increases the speed at which threats are identified and mitigated.


Conclusion: A New Era of Hybrid Cyber Threats

The resurgence of Pay2Key as Pay2Key.I2P, with its 80% profit share and geopolitical targeting incentives, underscores a deeper shift in how ransomware operations are evolving in 2025. No longer purely financially driven, some of the most dangerous ransomware campaigns now marry state‑aligned cyber operations with criminal economies, creating hybrid threats that are harder to anticipate, attribute, and mitigate.

As global tensions persist and cybercriminal markets evolve, organizations must recognize that ransomware is not just a profit‑motive problem but can also serve as a tool of geopolitical conflict and cyber warfare. Defenders must adapt, leveraging a combination of technology, policy, collaboration, and resilience planning to stay ahead of these multifaceted threats. versprite.com