Menu
Browse

Cyber Threat Actor: Pay2Key

Actor Type Location Known Incidents
 Icon
Nation State
Iran
3 incidents
Profile

Pay2Key, also known as the Pay2Key ransomware group, is an Iran‑linked threat actor that has been publicly associated with the Fox Kitten hacking group. The actor’s operations have focused on Israeli entities across multiple sectors, including cybersecurity firms such as Portnox, defense contractors like Elbit Systems and Israel Aerospace Industries, logistics providers exemplified by ELTA Systems and Amital Data, and high‑technology companies such as Intel‑owned Habana Labs. Public statements and technical analyses have described the group’s primary aim as causing disruption and psychological pressure on Israeli interests rather than pursuing pure financial gain. This view is supported by the modest ransom demands observed in attacks and the practice of publishing leaked data on a leak site to amplify impact. Attribution to Iran is reinforced by the tracing of Bitcoin payments to Iranian exchanges and by assessments from security firms Check Point and Profero that link the activity to Iranian information‑warfare efforts. The group’s activity has been documented since late 2020, with a series of breaches and ransomware incidents reported in December of that year.

Observed tactics involve the deployment of ransomware that encrypts files and creates a data leak site where stolen material is threatened with release unless a Bitcoin payment is made. In the Habana Labs incident, the ransom note demanded several bitcoins and included a 72‑hour ultimatum to halt further leaks. The group has used a client‑server model in some ransomware variants, employing PAExec to distribute a slave.exe executable to workstations from a compromised server. In other campaigns it has relied on standalone ransomware executables distributed to each target machine. Notable publicly reported operations include the December 2020 breach of Portnox that yielded several terabytes of data, the December 2020 intrusion into ELTA Systems’ servers affecting a Jamaican government contract, and the December 2020 ransomware attack on Habana Labs that exfiltrated Windows domain accounts, DNS zone information, Gerrit source‑code listings and business documents. These incidents illustrate a pattern of targeting Israeli technology and defense infrastructure while leveraging ransomware as a vehicle for both coercion and information‑warfare messaging.

Incidents
Attributed incidents available to members
3 incidents
Sources
Sources available to members
6 sources