Iran-linked ransomware hit U.S. provider
A Pay2Key operation tied to Iran targeted a U.S. healthcare provider in an attack that appears to be shifting from pure extortion toward destructive behavior. The incident reinforces why buyers ask detailed questions about failover, recovery, and auditability when evaluating claims and EDI platforms. (cybersecuritydive.com)
Beazley Security’s incident response team traced the intrusion to late February and reported the attacker retained control of a compromised administrative account for several days before encrypting the environment in roughly three hours. (halcyon.ai) Forensic investigators found no evidence of data exfiltration in that case, a concrete deviation from Pay2Key’s previously observed double-extortion playbook. (cybersecuritydive.com) Halcyon and Beazley flagged the deployed variant as a significant upgrade versus July 2025 builds, citing improvements across evasion, execution and anti-forensics that blunt prior detection signatures. (halcyon.ai)

Independent researchers documented Pay2Key.I2P’s commercial rollout in 2025, including an 80% affiliate profit share, hosting parts of its infrastructure on I2P, and claiming 51 successful payouts that totaled roughly $4 million over four months. (morphisec.com) Prior campaigns funneled most ransom payments through an Iranian exchange called Excoino that required Iranian national ID for registration, according to incident analysis and open-source tracing of payment flows. (cybersecuritydive.com)

Technical mappings show Pay2Key can stop MS SQL services and remove log artifacts as part of its encryption and cleanup phases, behavior that directly threatens systems running transactional databases and claims-processing backends. (attack.mitre.org)
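The two behaviors in the last sentence (stopping MS SQL services, then clearing logs) are detectable from ordinary Windows event telemetry. The detector below is an added example, not code from the article or from any of the cited researchers; it assumes standard Windows event IDs (7036 for service state changes, 1102 and 104 for cleared logs), the default SQL Server service names, and a simple pipe-delimited record format, and runs over constructed sample events rather than real telemetry.

```python
from datetime import datetime, timedelta

# Assumed standard Windows event IDs (not indicators from the incident):
#   7036 System   : Service Control Manager reports a service state change
#   1102 Security : the audit log was cleared
#   104  System   : an event log file was cleared
SERVICE_STATE_ID = 7036
LOG_CLEARED_IDS = {1102, 104}
SQL_SERVICES = ("MSSQLSERVER", "MSSQL$", "SQLSERVERAGENT")  # default SQL Server names
WINDOW = timedelta(minutes=30)  # how close a stop and a log clear must be to correlate

def parse(line):
    """Parse 'timestamp|host|event_id|message' into a record dict."""
    ts, host, eid, msg = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "id": int(eid), "msg": msg}

def is_sql_stop(rec):
    """True when a SQL Server service entered the stopped state."""
    return (rec["id"] == SERVICE_STATE_ID and "stopped state" in rec["msg"]
            and any(name in rec["msg"] for name in SQL_SERVICES))

def is_log_clear(rec):
    return rec["id"] in LOG_CLEARED_IDS

def find_suspicious_hosts(lines):
    """Return hosts where a SQL service stop and a log clear fall within WINDOW."""
    recs = [parse(l) for l in lines if l.strip()]
    hits = set()
    for stop in filter(is_sql_stop, recs):
        for clear in filter(is_log_clear, recs):
            if clear["host"] == stop["host"] and abs(clear["ts"] - stop["ts"]) <= WINDOW:
                hits.add(stop["host"])
    return sorted(hits)

# Constructed sample events: one host shows the stop-then-clear sequence,
# one clears a log after stopping an unrelated service, one only stops SQL.
SAMPLE_EVENTS = [
    "2026-01-15T02:10:05|CLAIMS-DB01|7036|The MSSQLSERVER service entered the stopped state.",
    "2026-01-15T02:10:09|CLAIMS-DB01|7036|The SQLSERVERAGENT service entered the stopped state.",
    "2026-01-15T02:14:30|CLAIMS-DB01|1102|The audit log was cleared.",
    "2026-01-15T02:15:01|CLAIMS-DB01|104|The System log file was cleared.",
    "2026-01-14T23:00:00|EDI-APP02|7036|The Spooler service entered the stopped state.",
    "2026-01-14T23:30:00|EDI-APP02|104|The Application log file was cleared.",
    "2026-01-13T12:00:00|REPORT-DB03|7036|The MSSQLSERVER service entered the stopped state.",
]

if __name__ == "__main__":
    print(find_suspicious_hosts(SAMPLE_EVENTS))  # ['CLAIMS-DB01']
```

A planned maintenance window produces the service stop without the log clear, which is why the rule requires both on the same host before alerting.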