Iranian advanced persistent threat (APT) groups have adopted a new operational posture that deliberately blurs the distinction between state-sponsored disruption and financially motivated cybercrime. According to a Dark Reading report citing recent threat intelligence, Iranian actors are deploying pseudo-ransomware — malware that mimics ransomware to mask destructive wiping operations — while simultaneously reviving the Pay2Key ransomware-as-a-cover operation that first emerged in 2020.
Pseudo-Ransomware: Destruction Disguised as Extortion
The term "pseudo-ransomware" refers to malware that presents victims with ransom demands but has no functional decryption capability. Unlike genuine ransomware where the attacker holds decryption keys to monetize the attack, pseudo-ransomware is a wiper — its true purpose is to permanently destroy data and disrupt operations.
Iranian actors have historically favored destructive cyber operations over ransomware monetization, exemplified by Shamoon (which targeted Saudi Aramco in 2012), by wiper tactics similar to those of NotPetya (deployed by Russia, but since mirrored by Iran-linked actors), and by various subsequent wiper campaigns against Israeli and Gulf state targets.
The shift to pseudo-ransomware provides several operational benefits for Iranian APTs:
- Deniability — a ransomware attack can be attributed to criminal groups, obscuring state involvement
- Psychological impact — ransom demands add a financial threat on top of operational disruption
- Intelligence value — victims who attempt to pay reveal financial infrastructure and communication channels
- Confusion in attribution — cybercrime and espionage reporting pipelines treat incidents differently, potentially delaying the coordinated government response reserved for nation-state attacks
Pay2Key Revival
Pay2Key first appeared in late 2020 when it was used in campaigns against Israeli companies, with victims receiving ransom demands while attackers collected intelligence and caused operational disruption. The campaign was attributed to an Iran-linked group and distinguished itself by targeting Israeli critical infrastructure and defense contractors.
Recent threat intelligence indicates Pay2Key has been revived with updated tooling and expanded targeting, now including US organizations in addition to Israeli targets. The current Pay2Key activity reportedly shares infrastructure and code characteristics with Fox Kitten (also known as UNC757 or Pioneer Kitten), an Iranian group known for exploiting VPN vulnerabilities to establish long-term access to high-value targets.
The revival coincides with heightened geopolitical tensions involving Iran and aligns with observed patterns of Iran using cyber operations to signal capability and intent without crossing the threshold of kinetic conflict.
Target Sectors
Iranian pseudo-ransomware and Pay2Key activity has been observed targeting:
| Sector | Rationale |
|---|---|
| Defense contractors | Intelligence on military procurement and technology |
| Critical infrastructure | Maximum disruption potential, geopolitical leverage |
| Financial services | Economic impact, intelligence on sanctions evasion |
| Healthcare organizations | High disruption value, pressure for quick resolution |
| Technology companies | Intellectual property, supply chain positioning |
Indicators of Iranian Pseudo-Ransomware Campaigns
Initial Access TTPs
Iranian APT groups targeting organizations for pseudo-ransomware deployment typically gain initial access via:
- VPN and edge device exploitation — Iranian groups have historically been quick to weaponize CVEs in Citrix, Pulse Secure, Fortinet, and similar appliances
- Password spraying — targeting Microsoft 365, Exchange, and VPN portals with known breach credential lists
- Spear-phishing — highly targeted emails against executives and IT administrators with geopolitical lures
- Supply chain compromise — using third-party access or compromised managed service providers
Post-Compromise Behavior
Once inside, Iranian actors typically:
1. Establish multiple persistent backdoors (common tools: Ngrok, Frp, custom implants)
2. Conduct extensive reconnaissance — user lists, network topology, backup configurations
3. Identify and access backup systems (to destroy them before ransomware deployment)
4. Move laterally to domain controllers and ESXi hosts for maximum coverage
5. Stage and deploy pseudo-ransomware payload across all accessible systems simultaneously
6. Present a ransom demand with a cryptocurrency wallet address — often with no actual capability to decrypt
Differentiating Pseudo-Ransomware from Genuine Ransomware
Security teams can apply several analytical heuristics to distinguish destructive pseudo-ransomware from financially motivated ransomware:
| Indicator | Genuine Ransomware | Pseudo-Ransomware |
|---|---|---|
| Decryption test offer | Usually provided | Absent or non-functional |
| Communication channel responsiveness | Typically responsive | Often unresponsive or delayed |
| Ransom amount | Calibrated to victim size | May be arbitrary or extremely high |
| Key management infrastructure | Observable (Tor sites, key servers) | Often absent |
| Data destruction pattern | Targeted (valuable files encrypted) | Indiscriminate (all data destroyed) |
| Backup targeting | Often spared for leverage | Actively destroyed |
Detection and Defense Recommendations
Monitor for Pre-Ransomware TTPs
The most effective defense against pseudo-ransomware is detecting the intrusion before the destructive payload is deployed. Key indicators to monitor:
# SIEM detection rules for pre-ransomware staging
- rule: VPN authentication from known Iranian IP ranges
- rule: Multiple failed logins followed by success (password spray)
- rule: Enumeration of backup infrastructure from unexpected hosts
- rule: Large-scale file access or staging (potential data collection)
- rule: Disabling or modification of backup agents
- rule: Volume shadow copy deletion (vssadmin delete shadows /all)
- rule: Bulk network share enumeration (net view, ADFind, BloodHound)
Protect Backup Infrastructure
Iranian pseudo-ransomware campaigns specifically target backup systems to prevent recovery. Harden backups:
- Immutable backups — use write-once storage that cannot be deleted via compromised admin credentials
- Offline backups — maintain at least one complete backup physically or logically isolated from the network
- Separate credential domain — backup system administrator credentials must not be accessible from the main AD environment
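The staging rules listed under "Monitor for Pre-Ransomware TTPs" above, implemented as a small detector over constructed telemetry. This is an added example, not code from the article or from any vendor; the event format, sample IPs, hostnames and account names are all assumptions, and the example covers three of the rules (password spray, shadow copy deletion, bulk share enumeration).

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the article), one event per line:
# "<timestamp> <auth|proc> key=value ..." covering VPN auth results and process command lines.
SAMPLE_EVENTS = """\
2026-03-30T01:00:01Z auth src=203.0.113.7 user=alice result=fail
2026-03-30T01:00:03Z auth src=203.0.113.7 user=bob result=fail
2026-03-30T01:00:05Z auth src=203.0.113.7 user=carol result=fail
2026-03-30T01:00:07Z auth src=203.0.113.7 user=dave result=fail
2026-03-30T01:00:09Z auth src=203.0.113.7 user=erin result=fail
2026-03-30T01:00:12Z auth src=203.0.113.7 user=frank result=success
2026-03-30T01:00:25Z auth src=198.51.100.9 user=grace result=success
2026-03-30T02:10:00Z proc host=fs01 user=svc_backup cmd="vssadmin delete shadows /all /quiet"
2026-03-30T02:11:00Z proc host=fs01 user=svc_backup cmd="net view /domain"
2026-03-30T02:12:00Z proc host=ws17 user=alice cmd="notepad.exe report.txt"
"""

# Command-line patterns for two of the staging rules above: shadow copy deletion
# and bulk share enumeration (net view, ADFind, BloodHound/SharpHound collectors).
CMD_RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "share_enumeration": re.compile(r"\b(net(\.exe)?\s+view|adfind|bloodhound|sharphound)\b", re.I),
}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse(line):
    ts, kind, rest = line.split(" ", 2)
    return {"ts": ts, "kind": kind, **{k: v.strip('"') for k, v in KV.findall(rest)}}

def detect(events_text, spray_threshold=5):
    """Return [(rule_name, detail)] for every staging indicator found in the events."""
    alerts = []
    failed_users = defaultdict(set)  # source IP -> distinct accounts that failed from it
    for line in events_text.splitlines():
        ev = parse(line)
        if ev["kind"] == "auth":
            src = ev["src"]
            if ev["result"] == "fail":
                failed_users[src].add(ev["user"])
            # Spray signature: many distinct accounts fail from one source, then one succeeds.
            elif len(failed_users[src]) >= spray_threshold:
                alerts.append(("password_spray", f"{src} succeeded as {ev['user']} "
                               f"after {len(failed_users[src])} distinct-account failures"))
        elif ev["kind"] == "proc":
            for rule, pattern in CMD_RULES.items():
                if pattern.search(ev["cmd"]):
                    alerts.append((rule, f"{ev['host']} as {ev['user']}: {ev['cmd']}"))
    return alerts
```

Run `detect(SAMPLE_EVENTS)` to get one alert per rule hit; the lone success from 198.51.100.9 and the notepad process produce nothing, which is the point of the distinct-account threshold and the anchored patterns.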
Patch Edge Devices Immediately
Given Iranian APTs' consistent exploitation of VPN and edge device vulnerabilities:
# Audit exposed services and confirm patch status
# Priority: Citrix NetScaler, Fortinet FortiOS, Ivanti Connect Secure,
# Palo Alto GlobalProtect, Check Point, SonicWall
# Disable any management interfaces exposed to the internet
# Enforce certificate-based authentication for VPN where possible
US Government Guidance
CISA has previously published advisories specific to Iranian cyber activity, including guidance on Fox Kitten TTPs. Security teams at organizations in the targeted sectors should:
- Review CISA Alert AA20-259A (Fox Kitten) and related Iranian APT advisories for IOCs
- Enroll in CISA's Enhanced Cybersecurity Services (ECS) if eligible
- Report suspected Iranian cyber intrusions to CISA (1-888-282-0870) and the FBI Cyber Division
The State Department's $10 million Rewards for Justice program currently offers rewards for information on Iranian government-directed cyberattacks against US critical infrastructure, reflecting the elevated concern about Iranian cyber operations.
Conclusion
The revival and evolution of Iranian pseudo-ransomware operations represents a calculated strategy by Iranian APT groups to maintain plausible deniability for destructive cyber operations while maximizing strategic impact. For defenders, the critical insight is that a ransomware note does not mean a ransomware actor — the same destructive tools and TTPs can serve state disruption objectives just as easily as criminal monetization. Organizations in high-risk sectors must treat high-impact ransomware incidents with the same urgency as potential nation-state intrusions until attribution is established.
Source: Dark Reading — March 31, 2026