CyberShelter Threat Brief: PAY2KEY Ransomware Returns with Advanced Anti-Forensic Capabilities and Rapid Enterprise Encryption
A state-linked ransomware campaign combines espionage tactics with high-speed encryption, targeting critical infrastructure and healthcare
CyberShelter Threat Intelligence has identified renewed activity from the PAY2KEY ransomware group, a threat actor linked to Iranian state interests.
This campaign demonstrates a dangerous evolution—blending cyber espionage techniques with ransomware execution, enabling attackers to remain undetected, harvest credentials, and launch rapid encryption within hours.
Key concerns include:
- Encryption completed in approximately 3 hours
- Advanced anti-forensic techniques to erase evidence
- Abuse of legitimate administrative tools
- Targeting of healthcare and critical infrastructure sectors
CyberShelter classifies this threat as CRITICAL, requiring immediate defensive action.
Threat Overview
- Threat Name: PAY2KEY Ransomware
- Type: Ransomware / Cyber Espionage
- Attribution: Iranian state-linked actor
- Primary Targets: Healthcare, critical infrastructure
- Encryption Speed: ~3 hours
- MITRE Impact: Data Encrypted for Impact (T1486)
Campaign Intelligence
This campaign reflects a high level of operational maturity.
Attackers:
- Maintain dormant access before execution
- Harvest credentials before launching ransomware
- Use stealth techniques to avoid early detection
- Execute rapid encryption to bypass response timelines
- Destroy forensic evidence after attack completion
Threat Characteristics
- Sophistication: High
- Speed: Extreme
- Stealth: High
- Anti-Forensics: Advanced
- Business Impact: Critical
Attack Kill Chain
Initial Access
Attackers gain entry through:
- Compromised administrative accounts
- Initial access brokers
- Exposed remote services
- Weak privileged access controls
Persistence (Living-off-the-Land)
Instead of deploying obvious malware, attackers abuse legitimate tools like:
- TeamViewer (already present in the environment)
This reduces detection and blends activity with normal operations.
Credential Access
Tools observed:
- Mimikatz
- LaZagne
- ExtPassword
Objective:
- Extract credentials
- Prepare for privilege escalation and lateral movement
Discovery
Attackers map the environment using:
- Advanced IP Scanner
- NetScan
- Active Directory tools
They specifically identify high-value systems before encryption.
Execution Phase
- PowerShell-based execution
- Backup discovery and targeting
- Hypervisor and virtual infrastructure analysis
- File indexing prior to encryption
Encryption Phase
- Algorithm: ChaCha20
- Key Exchange: Curve25519
- Model: Hybrid fast encryption
- File Extension:.6zldh_p2k
- Active Encryption Time: ~1 hour
Anti-Forensic Capabilities
PAY2KEY demonstrates advanced evidence destruction techniques, making post-incident analysis extremely difficult.
Observed Techniques
- Windows event log wiping
- Backup deletion
- Microsoft Defender disablement
- Recovery environment disabling
- Artifact cleanup
- BitLocker suspension
Key Commands Used
- wevtutil.exe cl security/system/application
- wbadmin.exe DELETE SYSTEMSTATEBACKUP
- bcdedit.exe /set recoveryenabled no
- powercfg.exe -H off
Attackers typically wipe logs as a final step, eliminating traces of activity.
Indicators of Compromise (IOC Highlights)
Behavioral Indicators
- TeamViewer spawning command shells or PowerShell
- Unexpected execution of wbadmin.exe, bcdedit.exe, or wevtutil.exe
- BitLocker suspension or backup deletion activity
- Hyper-V shutdown or virtual disk manipulation
File Indicators
- Files with extension: .6zldh_p2k
- Suspicious executables like browser.exe or abc.exe in user directories
Tooling Indicators
- Credential dumping tools (Mimikatz, LaZagne)
- Network scanning tools (NetScan, Advanced IP Scanner)
Detection & Hunting Opportunities
Security teams should prioritize:
- Monitoring parent-child process anomalies
- TeamViewer → cmd.exe / PowerShell
- Detecting log clearing activities post file modifications
- Alerting on backup deletion and recovery tampering
- Tracking abnormal administrative tool usage
CyberShelter Recommendations
Immediate Actions (0–24 Hours)
- Audit and restrict TeamViewer and remote access tools
- Hunt for IOCs across endpoints and SIEM
- Monitor privileged account activity
- Validate backup integrity and availability
Short-Term Actions
- Enable Credential Guard
- Restrict LSASS access
- Deploy behavioral EDR detection rules
- Test recovery and restoration processes
Strategic Improvements
- Implement Privileged Access Management (PAM)
- Enforce Just-In-Time (JIT) access controls
- Strengthen network segmentation
- Enforce MFA across all critical systems
- Develop and test incident response playbooks
Strategic Insight
PAY2KEY represents a new class of ransomware:
Fast, stealthy, and strategically aligned with geopolitical objectives.
This is no longer just about encryption—it is about:
- Intelligence gathering before attack
- Maximum operational disruption
- Minimal forensic visibility
Organizations must shift from reactive defense to proactive threat hunting and resilience planning.
Because in today’s threat landscape,
speed and stealth define the success of ransomware attacks.