Dark Reading
Iran Deploys 'Pseudo-Ransomware,' Revives Pay2Key Operations
Iranian APTs are blurring the lines between state-sponsored and cybercriminal activities to target high-impact US organizations.
Elizabeth Montalbano, Contributing Writer
March 31, 2026
Iran is recruiting Russian cybercriminals and engaging in other creative partnerships that blur the lines between state and criminal cyber activities to advance its geopolitical objectives in its ongoing war with the US and Israel.
As part of these activities, Iran has once again revived Pay2Key, an Iranian state-backed ransomware operation, by recruiting affiliates from Russian cybercriminal forums, according to a report from KELA's Cyber Intelligence Center published this week. Iran is using Pay2Key "as a punitive arm of the Iranian state" to attack "high-impact US targets," according to the report.
This strategy includes deploying "pseudo-ransomware" attacks and acting as an initial access broker (IAB) for ransomware groups to target US entities for cyber disruption and financial gain. KELA researchers explained that pseudo-ransomware attacks use encryption but are in fact destructive operations typical of wiper malware.
These recent moves are part of a larger strategy by Iran to weaponize cybercrime techniques and recruit criminal hackers to gain an advantage in the current war that began with the joint US-Israel attack on Iran on Feb. 28, according to KELA. These activities — and how they blur the lines between state and criminal activity — pose a unique threat to organizations by not only causing business disruption, but also by causing an "attribution nightmare" that poses a significant legal and operational risk, according to KELA.
"If a company falls victim to a successful ransomware or extortion event, identifying the true threat actor is no longer just an IT problem — it is a critical compliance issue," according to the report. Indeed, victims risk sanctions violations and severe legal and financial penalties if ransom payments inadvertently go to state-linked entities, such as those under sanctions by the US Treasury’s Office of Foreign Assets Control (OFAC).
Old and New Cyberwarfare Strategies
The resurgence in Pay2Key activity resembles what happened last July in the wake of June's 12-day conflict with Iran last year, in which the US and Israel targeted and destroyed Iranian nuclear facilities. At that time, Pay2Key re-emerged to target Western organizations and offered higher payouts for attacks that met Iran's geopolitical goals.
Iran is engaged in similar profit-sharing now with the Pay2Key affiliates it recruits online, increasing the affiliates' cut from 70% to 80% if they successfully execute attacks against designated "enemies" of Iran — that is, the US and Israel.
"This bounty system perfectly illustrates the hybrid threat: Iran is effectively outsourcing geopolitical retribution to the global cybercrime talent pool, creating a powerful, scalable force multiplier for its state operations," the KELA report stated.
At the same time, Iran has a new cyber trick in the form of destructive smokescreens that leverage ransomware-style encryption to disguise data destruction, sabotage, or political retribution. In these attacks, the Iran-backed APT Agrius is using the Apostle malware, which has been retrofitted from its original data wiper form to function as a ransomware variant.
"Wrapping destructive wipers in the guise of financial extortion allows actors to obscure their geopolitical motives and complicate incident response," according to KELA.
Blurred Offensive Lines Demand New Defense
KELA researchers said the ongoing conflict has "fundamentally shifted the threat landscape" and led to Iran's deliberate blurring of the lines between state-sponsored cyber warfare and opportunistic cybercrime. Indeed, Iran has stepped up its cyber offensive considerably since the war began, an arena in which it holds more of an advantage over its adversaries than it does in the physical battlespace.
"The same state apparatus that sponsors purely destructive or hacktivist campaigns is deeply intertwined with the cybercriminal underground," according to the report.
This paradigm shift also signals a change for defenders, who now must account for financial, operational, and geopolitical risk simultaneously by implementing foundational resilience measures alongside proactive controls, KELA said in the report.
Recommended defensive actions include some common measures such as patching and monitoring edge devices, implementing phishing-resistant MFA, and maintaining offline backups and incident response readiness.
Organizations also should segment IT and operational technology (OT) systems and harden access controls to defend against an increasingly complex threat from Iranian-backed actors. Maintaining threat-intelligence monitoring also can significantly improve an organization's visibility into adversary infrastructure and compromised-credential markets, according to KELA.
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.