Iran-linked Ransomware Group Targets US Healthcare Provider: Halcyon Report

TL;DR

An Iran-linked ransomware group named Pay2Key targeted a U.S. healthcare provider prior to the Iran war, holding access through a compromised administrative account for several days before encrypting it, according to a report from Halcyon. Investigators found no evidence of data theft, which marks a departure from the group’s earlier extortion-focused attacks and suggests a new focus on destruction. Pay2Key has historically targeted Israeli systems but now appears to have shifted its attention towards the U.S.


An Iran-Linked Ransomware Group Targets U.S. Healthcare Provider

An unnamed U.S. healthcare provider fell victim to a cyber attack by an Iran-linked ransomware group, Pay2Key, as reported by Halcyon. The group operated through a compromised administrative account for several days before encrypting it. This recent attack signifies a shift in the group’s focus from extortion to destruction.

Previously known for targeting Israeli systems, Pay2Key appears to have shifted its attention towards U.S. organizations. “Pay2Key has not been dormant but has actively shifted to targeting U.S. organizations,” said Johnny Collins, director of intelligence operations at Halcyon.

Handala, another state-linked group, recently disrupted operations at Stryker, a prominent U.S. medical technology manufacturer. In 2020, Pay2Key emerged when Check Point Research and Whitestream discovered its ransomware attacks against Israeli firms.

Most of Pay2Key’s ransom payments were funneled through an Iranian company, Excoino, according to Halcyon. By 2024, the FBI, Cybersecurity and Infrastructure Security Agency, and the Department of Defense issued a joint advisory warning about the group, also known as Fox Kitten.

Pay2Key has targeted numerous U.S. organizations, including defense industry firms, healthcare providers, and municipal governments. Furthermore, the group frequently collaborated with other ransomware groups, sharing over 70% of the proceeds.

Pay2Key’s Aggressive Campaigns and Associates

In 2025, Pay2Key launched an aggressive campaign on Russian cybercrime forums, attempting to sell its infrastructure. “Currently, we do not have clear indications linking its activity to Iran,” said Sergey Shykevich, threat intelligence group manager at Check Point Research. Over a four-month period, Morphisec tracked the group, estimating that it collected about $4 million from 51 ransoms.
