
Iranian-backed Pay2Key ransomware resurfaces with 80% profit share for cybercriminals

The Iranian-backed Pay2Key ransomware reemerges as Pay2Key.I2P, offering an unprecedented 80% profit share to affiliates targeting Israel and the U.S., fueling a surge in sophisticated cyberattacks and blending profit with geopolitical motives.


By Jace Reed

3 min read

Image for illustrative purpose.

A notorious Iranian-backed ransomware group has resurfaced, promising cybercriminals a larger share of the profits than ever before. Pay2Key, now rebranded as Pay2Key.I2P, is offering an unprecedented 80% profit share to affiliates who target Israel and the United States.

This shift signals a perilous convergence of financial interests and geopolitical objectives. The group’s aggressive campaign has already netted over $4 million in ransoms in just four months, with individual operators earning up to $100,000.

How does Pay2Key.I2P’s profit model attract cybercriminals?

Unlike traditional ransomware-as-a-service schemes, Pay2Key.I2P offers affiliates a significantly higher 80% share of each ransom, up from the previous 70%.

This higher payout is specifically designed to incentivize attacks against Western targets, particularly organizations that themselves target Iran.

The model is more decentralized, allowing developers to profit from successful attacks rather than just selling ransomware tools.

This approach has drawn interest from Russian and Chinese darknet forums, rapidly expanding the affiliate base.

Did you know?
Pay2Key.I2P is the first known ransomware-as-a-service platform to run its infrastructure directly on the privacy-focused I2P network, rather than the more common Tor network.

What makes this ransomware-as-a-service campaign uniquely dangerous?

Pay2Key.I2P is directly linked to the Fox Kitten advanced persistent threat group, known for sophisticated cyber operations. The group has also incorporated features from the Mimic ransomware family, enhancing its technical capabilities and evasion techniques.

The campaign is not just about money. By blending profit incentives with ideological motives, Pay2Key.I2P is fueling a wave of attacks that serve both criminal and state-sponsored objectives, making it especially difficult for defenders to predict and counter.


Pay2Key.I2P’s technical evolution targets more systems

The latest version of Pay2Key.I2P now supports targeting Linux systems, in addition to Windows. This expansion increases the threat to a wider range of organizations, from traditional enterprises to cloud and infrastructure providers.

The ransomware is delivered via self-extracting archives and employs advanced evasion tactics. It disables Microsoft Defender Antivirus, deletes malicious artifacts, and uses obfuscated scripts to avoid detection and forensic analysis.
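The behaviour described above (Defender being switched off, obfuscated scripts run from a freshly unpacked payload) leaves traces in ordinary endpoint telemetry. The following detector is an added example written for this article, not code from the article or from any vendor; it runs over a few constructed log lines (not real incident data) and flags generic tampering patterns. The Defender operational event IDs 5001/5010, the DisableAntiSpyware policy value and the Set-MpPreference cmdlet are real Windows telemetry names that I am using as assumptions here; they are not indicators taken from the article and are not specific to Pay2Key.I2P.

```python
"""Flag endpoint log lines consistent with AV tampering and obfuscated-script
execution from a user-writable directory. Added example; generic heuristics,
not Pay2Key.I2P-specific indicators."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry in a simple key=value format (not from the article).
SAMPLE_LOG = """\
2025-07-01T10:02:11Z host=WS01 event=ProcessCreate image=C:\\Users\\a\\Downloads\\invoice.exe cmdline="invoice.exe -y -oC:\\ProgramData\\tmp" parent=C:\\Windows\\explorer.exe
2025-07-01T10:02:13Z host=WS01 event=ProcessCreate image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell -w hidden -enc SQBFAFgA" parent=C:\\Users\\a\\Downloads\\invoice.exe
2025-07-01T10:02:14Z host=WS01 event=RegistryValueSet target=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware details=DWORD(0x1) image=powershell.exe
2025-07-01T10:02:15Z host=WS01 event=DefenderOperational id=5001 message="Real-time protection is disabled"
2025-07-01T10:03:00Z host=WS02 event=ProcessCreate image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe" parent=C:\\Windows\\explorer.exe
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    rule: str


# (rule name, regex applied to everything after the host field)
RULES = [
    # Group-policy value that turns Defender off (assumed indicator, real key).
    ("defender_policy_disabled",
     re.compile(r'event=RegistryValueSet .*Windows Defender\\DisableAntiSpyware details=DWORD\(0x1\)')),
    # Defender operational log: 5001 = real-time protection disabled, 5010 = scanning disabled.
    ("defender_rtp_off_event",
     re.compile(r'event=DefenderOperational id=(5001|5010)\b')),
    # PowerShell cmdlet used to switch Defender features off.
    ("mppreference_disable",
     re.compile(r'Set-MpPreference\s+-Disable\w+', re.IGNORECASE)),
    # Encoded (obfuscated) PowerShell whose parent lives in a user-writable path,
    # the pattern a self-extracting archive dropper typically produces.
    ("encoded_powershell_from_user_dir",
     re.compile(r'image=\S*powershell\.exe cmdline="[^"]*\s-(enc|encodedcommand)\b[^"]*" '
                r'parent=C:\\(Users|ProgramData|Windows\\Temp)\\', re.IGNORECASE)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) (?P<rest>.*)$")


def scan(log_text: str) -> list[Finding]:
    """Return one Finding per (line, rule) match; malformed lines are skipped."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for name, pattern in RULES:
            if pattern.search(m["rest"]):
                findings.append(Finding(m["ts"], m["host"], name))
    return findings


def hosts_with_tamper_chain(findings: list[Finding], min_rules: int = 2) -> dict[str, set[str]]:
    """Hosts where at least `min_rules` distinct rules fired: a single hit is noisy,
    several different ones on one host look like a deliberate tampering chain."""
    by_host: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return {h: r for h, r in by_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.rule}")
    print("hosts to triage:", hosts_with_tamper_chain(hits))
```

The point of the second function is correlation: each rule on its own fires on legitimate administration now and then, but a host where the policy key flips, Defender reports real-time protection off and an encoded script ran from Downloads within seconds is worth an immediate look. The first sample line (the dropper itself) is deliberately not matched, since archive-extraction switches are too common to alert on directly.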

Geopolitical motives drive the latest wave of ransomware attacks

Pay2Key.I2P’s resurgence follows heightened tensions after the recent conflict between Israel, Iran, and the U.S. The group’s communications and recruitment efforts clearly encourage attacks against Western interests, blending cybercrime with cyber warfare.

U.S. and Israeli organizations have already been hit, with over 51 ransom payouts reported in four months.

Security experts warn that the group’s use of the I2P network for infrastructure makes tracking and disrupting their operations especially challenging.

As ransomware tactics evolve and affiliate models become more lucrative, organizations across the West face an urgent need to adapt their defenses.

The convergence of ideology and profit in Pay2Key.I2P’s campaign marks a new era of cyber threats, demanding constant vigilance and rapid response.

© 2025 Wordwise Media.
All rights reserved.