Iran-linked ransomware gang targeted US healthcare org amid military conflict
2026-3-24 14:45:42 Author: therecord.media (view original)

A U.S. healthcare organization was targeted in late February by an Iranian ransomware gang with ties to the country’s government, according to a new report.

Incident responders at Beazley Security helped the unnamed healthcare organization deal with an attack involving the Pay2Key ransomware — a strain used by Iranian actors for a variety of purposes since 2020.

Halcyon Ransomware Research Center assisted in the investigation and found several improvements in the ransomware that made it tougher to detect and more damaging. 

The incident responders noted that there was no evidence that data was exfiltrated during the intrusion — an unusual development considering U.S. intelligence agencies previously said Pay2Key attacks were largely conducted for information theft. 

The researchers noted that Pay2Key has increased its activity following the recent military conflict between the U.S. and Iran. Halcyon experts said the group “does not always appear to prioritize extortion and financial gain over the destruction of victim environments for strategic impact.”

“This pattern suggests motivations that extend well beyond typical financially driven ransomware operations,” they said. 

Cynthia Kaiser, senior vice president at Halcyon’s Ransomware Research Center, said it appears the ransomware attack happened concurrently with the onset of the military conflict with Iran, but she questioned the motives behind the incident.

“Is the group just seeking to maximize money among chaos? This is a group that does work on behalf of the government, but not always,” said Kaiser, who previously was deputy assistant director in the FBI’s Cyber Division. 

The investigation into the incident revealed that the hackers had compromised an administrative account on the victim’s network several days before deploying the ransomware and encrypting the environment. 

Incident responders also found that the hackers sought to clear all traces of their activity and event logs after encryption. 

Expanded targeting

Halcyon said Pay2Key has been navigating through a period of chaos since last year. It began marketing itself heavily on Russian cybercriminal forums during the summer, at times offering to sell the entire operation for 0.15 BTC while also actively seeking to bring affiliates on board. 

In July 2025 the group changed its internal rules and offered affiliates 80% of ransoms obtained instead of the previous 70%. At least one Russian security company claimed the group was beginning to target Russian businesses. 

Kaiser said the potential sale was likely a smokescreen considering the group still largely conducts attacks alongside Iranian kinetic conflicts. But Halcyon noted that the group’s potential ties to Russian cybercriminal gangs raise “unresolved questions about the current ownership, operational control, and future trajectory of the group’s RaaS platform.”

Despite the upheaval, Pay2Key was still conducting successful attacks. Cybersecurity firm Morphisec tracked 51 ransom payments to the group during a four-month stretch in the summer of 2025 amounting to about $4 million. Since then, the group has targeted 170 victims and brought in $8 million in ransom payments. 

The group emerged in 2020 and blockchain researchers found several ransom payments that came from Israeli victims routed through Excoino, an Iranian cryptocurrency exchange requiring Iranian national ID for account registration.

A 2024 U.S. government advisory said Pay2Key coordinated with other ransomware gangs and targeted organizations in the U.S., Israel, Azerbaijan and the United Arab Emirates.

“So it's really consistent with more of an Iranian government operation that's also making money on the side,” Kaiser said in an interview. 

Experts warned at the onset of hostilities between the U.S. and Iran that cyberattacks would be a key component of the conflict.

The attack on the U.S. healthcare firm took place before the headline-grabbing incident involving Stryker, a U.S. medical device company. That attack, which was claimed by another Iranian group known as Handala, caused widespread chaos when hackers wiped 200,000 company devices. 

Kaiser said the public should assume other Iranian cyberattacks are happening but have not been made public. Attacks like the one on Stryker have broader implications that could not be kept out of public light, she explained. 

“Some attacks may have more limited impact, and so there isn't going to be as much publicity around that, but you have to assume that Iran is looking for targets, seeking out what they can do,” she said. “And my assumption is that it's a combination of wiper attacks, ransomware attacks, and attempting to target critical infrastructure through unpatched vulnerabilities.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.


Source: https://therecord.media/iran-linked-ransomware-gang-targeted-us-healthcare-org