Iran-Linked Ransomware Group Targets U.S. Healthcare Provider Amid Rising Tensions
Severity: Medium (Score: 57.0)
Sources: Cybersecuritydive, Industrialcyber.Co, Infosecurity-Magazine, Darkreading, Fdd
Summary
An Iran-linked ransomware group known as Pay2Key targeted a U.S. healthcare provider in late March 2026. The intruders used a compromised administrative account to maintain access for several days before encrypting the victim's systems. Incident response teams from Halcyon and Beazley Security confirmed that no data was exfiltrated, marking a shift in the group's tactics from data theft to destruction. The attack follows a notable increase in activity by Iran-linked actors against U.S. and Israeli targets since the onset of the Iran war. Pay2Key, which has historically focused on Israeli systems, has redirected its efforts toward U.S. organizations, including schools and healthcare providers. The group has been active since 2020 and has previously collaborated with other ransomware operations, sharing a significant portion of ransom proceeds with them. In 2025 it also ran aggressive campaigns on Russian-language cybercrime forums, indicating a shift in operational strategy. The attack is part of a broader pattern of heightened cyber threats tied to geopolitical tensions in the region.
Key Points
• Pay2Key targeted a U.S. healthcare provider, marking a shift in focus from Israeli to U.S. targets.
• No data was exfiltrated during the attack, indicating a change in the group's tactics.
• The attack follows increased cyber activity by Iran-linked actors amid the Iran war.
Key Entities
- Data Breach (attack_type)
- Ransomware (attack_type)
- Stryker (company)
- Iran (country)
- Healthcare (industry)
- T1003 - OS Credential Dumping (mitre_attack)
- T1021 - Remote Services (mitre_attack)
- T1027 - Obfuscated Files or Information (mitre_attack)
- T1033 - System Owner/User Discovery (mitre_attack)
- T1046 - Network Service Discovery (mitre_attack)
- Windows (platform)
- Active Directory (platform)
- Pay2Key (ransomware_group)
- Advanced IP Scanner (tool)
- ExtPassword (tool)
- LaZagne (tool)
- Mimikatz (tool)
- NetScan (tool)
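The technique and tool entries above map directly onto host-level detections. What follows is an added example, not code from the original report or from any of its cited sources: a small Python hunt that classifies constructed Sysmon-style process-creation (Event ID 1) and process-access (Event ID 10) records against the listed tools, catches a renamed Mimikatz binary through its module syntax on the command line, flags handles to LSASS from processes outside an allowlist, and escalates any host that shows both credential access (T1003) and network discovery (T1046), the pre-encryption pattern a dwell of several days on an administrative account tends to leave behind. The event field names, host names, user names and the LSASS allowlist are assumptions for the sake of the example.

```python
"""Hunt for the credential-dumping and network-discovery tooling named in the report.

Added example, not from the original report. Input events are a constructed
Sysmon-style sample (Event ID 1 process creation, Event ID 10 process access)
normalised into dicts. Field names, host/user names and the allowlist are
assumptions.
"""
import re
from collections import defaultdict

# Lower-cased substrings identifying the tools named in the report, mapped to
# the ATT&CK technique each most commonly indicates.
TOOL_INDICATORS = {
    "mimikatz": ("T1003", "Mimikatz"),
    "lazagne": ("T1003", "LaZagne"),
    "extpassword": ("T1003", "ExtPassword"),
    "advanced_ip_scanner": ("T1046", "Advanced IP Scanner"),
    "advanced ip scanner": ("T1046", "Advanced IP Scanner"),
    "netscan": ("T1046", "NetScan (SoftPerfect)"),
}

# Mimikatz module syntax on the command line still fires when the binary is renamed.
MIMIKATZ_CMD = re.compile(r"(sekurlsa|lsadump|privilege)::", re.IGNORECASE)

# Processes that legitimately open LSASS (assumed allowlist); anything else is suspect.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}


def classify_event(ev):
    """Return a de-duplicated list of (technique, reason) hits for one event."""
    hits = []
    image = ev.get("image", "").lower()
    cmdline = ev.get("cmdline", "").lower()
    basename = image.rsplit("\\", 1)[-1]

    if ev.get("event_id") == 1:
        for needle, (tech, label) in TOOL_INDICATORS.items():
            if needle in basename or needle in cmdline:
                hits.append((tech, f"{label} executed: {basename}"))
        if MIMIKATZ_CMD.search(cmdline):
            hits.append(("T1003", f"Mimikatz module syntax in command line of {basename}"))
    elif ev.get("event_id") == 10:
        target = ev.get("target_image", "").lower().rsplit("\\", 1)[-1]
        if target == "lsass.exe" and basename not in LSASS_ALLOWLIST:
            hits.append(("T1003", f"{basename} opened a handle to LSASS"))

    seen = set()
    return [h for h in hits if not (h in seen or seen.add(h))]


def correlate(events):
    """Group hits per host and escalate hosts showing both T1003 and T1046."""
    per_host = defaultdict(lambda: {"techniques": set(), "hits": [], "users": set()})
    for ev in events:
        for tech, reason in classify_event(ev):
            h = per_host[ev["host"]]
            h["techniques"].add(tech)
            h["hits"].append((ev["ts"], ev["user"], tech, reason))
            h["users"].add(ev["user"])
    for h in per_host.values():
        h["priority"] = "high" if {"T1003", "T1046"} <= h["techniques"] else "medium"
    return dict(per_host)


# Constructed sample: one admin service account touching two hosts, plus benign noise.
SAMPLE_EVENTS = [
    {"ts": "2026-03-27T02:14:09Z", "host": "WS-ADMIN01", "user": "CORP\\svc-backup",
     "event_id": 1, "image": "C:\\Users\\svc-backup\\Downloads\\Advanced_IP_Scanner_2.5.exe",
     "cmdline": "\"C:\\Users\\svc-backup\\Downloads\\Advanced_IP_Scanner_2.5.exe\""},
    {"ts": "2026-03-27T02:31:55Z", "host": "WS-ADMIN01", "user": "CORP\\svc-backup",
     "event_id": 1, "image": "C:\\Windows\\Temp\\svchost32.exe",  # renamed Mimikatz
     "cmdline": "svchost32.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"ts": "2026-03-27T02:31:56Z", "host": "WS-ADMIN01", "user": "CORP\\svc-backup",
     "event_id": 10, "image": "C:\\Windows\\Temp\\svchost32.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe"},
    {"ts": "2026-03-27T03:02:10Z", "host": "FS01", "user": "CORP\\svc-backup",
     "event_id": 1, "image": "C:\\ProgramData\\netscan.exe",
     "cmdline": "netscan.exe /range:10.20.0.0-10.20.255.255"},
    {"ts": "2026-03-27T09:00:00Z", "host": "WS-HR07", "user": "CORP\\jdoe",
     "event_id": 10, "image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe"},  # allowlisted, no alert
]


def run_demo(events=SAMPLE_EVENTS):
    """Print a per-host triage view and return the correlated results."""
    results = correlate(events)
    for host, r in sorted(results.items()):
        print(f"[{r['priority'].upper()}] {host}: {sorted(r['techniques'])} "
              f"users={sorted(r['users'])}")
        for ts, user, tech, reason in r["hits"]:
            print(f"    {ts} {user} {tech} {reason}")
    return results


if __name__ == "__main__":
    run_demo()
```

Run as a script it prints WS-ADMIN01 as high priority (scanner plus two independent T1003 signals from the renamed binary) and FS01 as medium, while the Defender engine's legitimate LSASS access on WS-HR07 produces nothing. The `users` field is the pivot that matters for an intrusion like the one described: the same administrative account appearing across hosts over several days is the signal to chase before encryption starts, so in production the correlation key should be extended from host to account as well. Tune the allowlist to your own EDR and backup agents, which also open LSASS legitimately.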