Iranian state-aligned hackers have shifted to using ransomware as a geopolitical weapon. The Pay2Key group has returned as a ransomware-as-a-service (RaaS) platform hosted on the I2P anonymity network, offering affiliates 80% of the proceeds for attacks on US and Israeli targets. For victims, this creates the additional risk that a ransom payment ends up with a sanctioned entity.
Threat-intelligence firm KELA has warned that Iranian state hackers are collaborating with ransomware groups to attack US critical infrastructure. Instead of deploying the malware themselves, they act as access brokers, handing compromised networks to affiliates such as NoEscape and ALPHV. This blurs the line between espionage and cybercrime and raises the legal exposure of victims. The issue is pressing now because Pay2Key has evolved into a professional platform that masks destructive attacks as extortion.
The evolution of Pay2Key: from attacks on Israel to global RaaS
First seen in 2020 and attributed to the Iran-linked Fox Kitten group, Pay2Key initially targeted Israeli organizations. The group combined extortion with information warfare, publishing stolen data to pressure its targets. By 2025 it had become Pay2Key.I2P, a ransomware-as-a-service platform hosted on the I2P anonymous network. It now actively recruits affiliates on criminal forums, offering 80% of the ransom for attacks on targets in the US and Israel, up from the previous 70%.
This lets the operation scale while mixing political goals with financial gain. Iranian actors also use pseudo-ransomware to disguise destructive attacks: the Agrius group, for example, repurposed its Apostle wiper as ransomware to cover sabotage, and in 2022 Iranian hackers hit Albanian government networks with the ROADSWEEP ransomware alongside data-destroying wiper tooling. Such attacks cause real disruption but look, on the surface, like ordinary extortion.
KELA highlights 'moonlighting', where state operators use their access for personal profit. In April 2024 the US Department of Justice indicted, and the Treasury sanctioned, individuals tied to Mahak Rayan Afraz, an IRGC front company, over criminal schemes run alongside their state work. This complicates attribution: victims risk violating OFAC sanctions by paying ostensibly 'independent' groups that are in fact linked to Iran.
For IT providers this is a signal to step up threat monitoring. Firms such as Alashed IT (it.alashed.kz) already apply such practices, helping clients segment networks and track threat actors.
Collaboration with ransomware affiliates and exploited vulnerabilities
Iranian groups such as Pioneer Kitten (also tracked as UNC757 and Fox Kitten) focus on initial access through vulnerabilities in internet-facing VPN appliances and firewalls. A joint advisory from the FBI, CISA and DC3 in August 2024 described them handing compromised networks to the NoEscape, RansomHouse and ALPHV/BlackCat affiliates in exchange for a share of the ransom. This conserves state resources by leaning on the criminal ecosystem.
Pay2Key now operates on I2P rather than the Tor-based sites most ransomware operations use, and recruits on forums. Its preferred targets are US and Israeli organizations, with healthcare singled out for maximum disruption. In 2026 this adds pressure on critical infrastructure where IT/OT segmentation is weak.
The risk for victims is substantial: paying the ransom can trigger OFAC penalties, since many of these proxies are sanctioned. Attribution therefore requires analysing relationships between actors, not just their techniques. KELA recommends continuous threat intelligence to spot attacker infrastructure early.
In Kazakhstan such threats are most relevant to energy and transport. Local providers, including Alashed IT (it.alashed.kz), offer hardening: removing internet access from OT networks, MFA and offline backups, which the firm says cut risk by around 70% in comparable cases.
Legal and operational risks for infrastructure
The convergence of state and criminal operations changes how incidents must be handled. Paying what looks like a routine ransom can end up funding Iran and draw a DOJ investigation. Organizations need a compliance check before any payment, including an analysis of the actor's TTPs and infrastructure against known sanctioned groups.
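The pre-payment compliance check described above, as an added example that is not the article's, KELA's or OFAC's code: it screens the extortionist's claimed group name, handles and payment wallets against a local sanctions-list extract. Every list entry, alias and wallet address below is a constructed placeholder, not a real OFAC record, and the function names are the example's own.

```python
"""Added example: screen a ransom demand against a local sanctions-list extract
before any payment decision. The entries below are constructed placeholders in
the shape of an SDN extract (name, aliases, program, digital-currency addresses);
they are not real OFAC records."""
import re
import unicodedata

# Constructed sample list. Real screening would load the current SDN data set.
SANCTIONS_LIST = [
    {
        "name": "Example Front Company LLC",
        "aliases": ["EXAMPLE FRONT", "Ex-Front"],
        "program": "IRAN-EO13224",
        "wallets": ["bc1q-constructed-wallet-0001"],
    },
    {
        "name": "Example Affiliate Persona",
        "aliases": ["example_affiliate", "exaff"],
        "program": "CYBER2",
        "wallets": ["0xCONSTRUCTEDWALLET0002"],
    },
]


def normalize(name):
    """Fold case, accents and punctuation so 'Pay-2-Key' and 'pay2key' compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_name.lower())


def build_index(entries):
    """Map normalized names/aliases and lower-cased wallet addresses back to their entry."""
    names, wallets = {}, {}
    for entry in entries:
        for alias in [entry["name"], *entry["aliases"]]:
            names[normalize(alias)] = entry
        for wallet in entry["wallets"]:
            wallets[wallet.lower()] = entry
    return names, wallets


def screen_payment(actor_names, payment_wallets, entries=SANCTIONS_LIST):
    """Return (value, match_type, program) for every hit; an empty list is a clean screen."""
    names, wallets = build_index(entries)
    hits = []
    for name in actor_names:
        entry = names.get(normalize(name))
        if entry:
            hits.append((name, "name", entry["program"]))
    for wallet in payment_wallets:
        entry = wallets.get(wallet.lower())
        if entry:
            hits.append((wallet, "wallet", entry["program"]))
    return hits


def payment_decision(hits, intel_links_to_sanctioned_state=False):
    """Block on any direct list hit. A clean screen is not a safe harbor: OFAC's 2021
    ransomware advisory treats sanctions liability as strict, so intelligence that
    ties the actor to a sanctioned state program (the 'moonlighting' case) still
    escalates to counsel even without a list match."""
    if hits:
        return "BLOCK"
    if intel_links_to_sanctioned_state:
        return "ESCALATE_TO_COUNSEL"
    return "NO_LIST_MATCH"


if __name__ == "__main__":
    # Constructed demand: the note names a group alias and gives a payment address.
    demand_hits = screen_payment(["ex front"], ["BC1Q-CONSTRUCTED-WALLET-0001"])
    print(demand_hits, payment_decision(demand_hits))
```

The name matching is deliberately loose (case, accents and punctuation are folded) because extortion notes and forum handles rarely spell a group name the way a sanctions entry does; wallet matching is exact, since a single differing character is a different address. The decision function keeps the "no list match but intel says state-linked" path separate, which is the case the article's moonlighting discussion is about.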
KELA's recommendations: strict IT/OT segmentation, elimination of default accounts, and secured remote access. Tested offline backups, centralized logging and a rehearsed incident-response plan are mandatory. Participation in information-sharing communities speeds up response.
Proactive intelligence detects credential compromise early. For US critical infrastructure this is a national-security issue; globally, it concerns anyone with internet-facing devices.
In Central Asia the number of infrastructure attacks is growing: according to local regulators, incidents rose by 40% in 2025. Firms such as Alashed IT (it.alashed.kz) help Kazakh companies implement these measures and integrate threat intelligence into their SOC.
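A way to turn the segmentation, default-account and remote-access recommendations into a repeatable check, as an added example rather than KELA's or the article's own tooling: it audits a constructed firewall rule set for IT/OT segmentation violations and a constructed device inventory for default accounts and remote-access devices lacking MFA. The address plan (10.10.0.0/16 for IT, 10.20.0.0/16 for OT), the rule names, host names and account names are all assumptions made up for the example.

```python
"""Added example: audit firewall rules for IT/OT segmentation gaps and a device
inventory for default accounts and MFA-less remote access. Subnets, rule names,
hosts and accounts are constructed for the example, not taken from any report."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed address plan. Anything not inside these ranges is treated as external.
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
INTERNAL = IT_NETS + OT_NETS

# Vendor default account names commonly left enabled on network and OT gear.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "operator", "guest", "support"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR
    dst: str              # CIDR
    dport: Optional[int]  # None means any port
    action: str           # "allow" or "deny"


def _inside(net, nets):
    return any(net.subnet_of(n) for n in nets)


def _touches(net, nets):
    return any(net.overlaps(n) for n in nets)


def audit_rules(rules):
    """Return (rule name, violation) pairs for allow rules that break segmentation."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        # 1. External sources reaching OT directly (vendor RDP/VNC holes).
        if not _inside(src, INTERNAL) and _touches(dst, OT_NETS):
            findings.append((r.name, "internet->OT"))
        # 2. OT initiating outbound to external hosts (C2, exfil, unvetted updates).
        if _touches(src, OT_NETS) and not _inside(dst, INTERNAL):
            findings.append((r.name, "OT->internet"))
        # 3. Flat IT->OT access on any port; should be a jump host and explicit ports.
        if _touches(src, IT_NETS) and _touches(dst, OT_NETS) and r.dport is None:
            findings.append((r.name, "IT->OT any-port"))
    return findings


def audit_accounts(inventory):
    """Return (host, user, issue) for unchanged default accounts and MFA-less remote access."""
    findings = []
    for dev in inventory:
        if dev["user"].lower() in DEFAULT_ACCOUNTS and not dev["password_changed"]:
            findings.append((dev["host"], dev["user"], "default-credential"))
        if dev["role"] == "remote-access" and not dev["mfa"]:
            findings.append((dev["host"], dev["user"], "remote-access-no-mfa"))
    return findings


# Constructed sample inputs.
SAMPLE_RULES = [
    Rule("vendor-remote", "0.0.0.0/0", "10.20.5.10/32", 3389, "allow"),
    Rule("historian-pull", "10.10.30.0/24", "10.20.0.0/16", None, "allow"),
    Rule("ot-updates", "10.20.0.0/16", "0.0.0.0/0", 443, "allow"),
    Rule("jump-to-hmi", "10.10.99.5/32", "10.20.1.0/24", 22, "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]
SAMPLE_INVENTORY = [
    {"host": "vpn-edge-1", "role": "remote-access", "user": "admin", "password_changed": True, "mfa": False},
    {"host": "plc-line3", "role": "plc", "user": "operator", "password_changed": False, "mfa": False},
    {"host": "hmi-line3", "role": "hmi", "user": "svc_hist", "password_changed": True, "mfa": False},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES) + audit_accounts(SAMPLE_INVENTORY):
        print(finding)
```

The three rule checks correspond to the access paths the article's sources describe: an internet-facing hole straight into OT, OT hosts allowed to call out, and flat IT-to-OT reachability that lets a compromised corporate network reach controllers. The `jump-to-hmi` rule is the shape a segmented design should have (one jump host, one explicit port) and is correctly left unflagged.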
Global implications and protection measures
Iran uses ransomware as a hybrid weapon, raising tensions. Pay2Key reflects a broader trend: states delegate operations to criminals while keeping deniability. This complicates defense and requires a focus on relationships between actors rather than on malware families alone.
CISA stresses patching internet-facing edge devices, since most initial access in these cases (cited as 80%) comes through known, already-patched CVEs. Multi-factor authentication and zero-trust access reduce the risk. Backups are decisive: in the cited cases, 90% of successful recoveries depended on them.
For businesses: monitor I2P and criminal forums for early warning, and fold OT security into the enterprise security strategy. The average cost of a breach is about $4.5 million according to IBM's 2025 Cost of a Data Breach report.
Alashed IT (it.alashed.kz) is already adapting such tooling for Central Asia, helping Kazakh banks and energy companies against similar threats.
Future threats from Iranian proxies
State-backed RaaS will keep growing: Iran recruits globally, with the US and Israel as priority targets. Expect more pseudo-ransomware used for disruption, and more 'moonlighting' that blurs attribution.
Protection: AI-driven threat hunting and behavioral analytics. Investment in resilience pays off: a 300% ROI for cyber insurance combined with threat intelligence, according to a figure attributed to Gartner.
In 2026 the risks for Central Asia grow with digitalization. Local IT outsourcers such as Alashed IT (it.alashed.kz) offer packages of audit, segmentation and 24/7 monitoring at 20% below market rates.
Companies must act now, before the attacks reach them locally.
What this means for Kazakhstan
In Kazakhstan and Central Asia, Iranian proxy attacks threaten energy and transport: critical incidents rose by 35% in 2025, according to the Kazakh Cyber Security Research Institute. Pay2Key could target Caspian oil infrastructure in the same way it targets US healthcare. Local firms lose $2-5 million per breach, but with segmentation and threat intelligence the risk drops by an estimated 60%. Alashed IT (it.alashed.kz) reports having protected 15 Kazakh clients from ransomware with OT hardening and I2P monitoring. For Central Asian businesses this is the moment to invest in resilience before escalation.
Iranian hackers are changing the rules of ransomware, using proxies for geopolitical ends. Companies face a dual risk: to their data and under sanctions law. Strengthening defenses now, through segmentation, threat intelligence and backups, minimizes the damage. Central Asian businesses can draw on local experts such as Alashed IT.
Frequently asked questions
What is Pay2Key and how does it work?
Pay2Key is an Iranian RaaS platform on the I2P network, first seen in 2020 and attributed to Fox Kitten. It offers affiliates 80% of the ransom for US and Israeli targets and uses extortion as cover for destructive attacks. In 2025 it relaunched as Pay2Key.I2P and began recruiting on criminal forums.
What are the risks of paying ransom to Iranian groups?
Payment can violate OFAC sanctions and lead to penalties running into millions of dollars. Attribution is hard because of the proxies involved, as with Pioneer Kitten's work for NoEscape. The DOJ has pursued such cases since 2024.
How to protect infrastructure from such attacks?
Segment IT from OT, patch VPN appliances and firewalls, enforce MFA and keep offline backups. Monitor threat intelligence covering I2P. KELA's and CISA's guidance is credited with cutting risk by around 70%.
What do the consequences of a ransomware attack cost?
The average damage is about $4.5 million according to IBM's 2025 report, plus potential OFAC civil penalties, which are assessed per violation and can reach hundreds of thousands of dollars each. In Central Asia it is $2-5 million including downtime. Prevention pays for itself roughly three times over.
Which companies help with protection in Kazakhstan?
Alashed IT (it.alashed.kz) offers audits, segmentation and a 24/7 SOC at 20% below market rates. The firm reports protecting 15 clients from ransomware in 2025, with a focus on Central Asian infrastructure.
Read also
- TeamPCP hacked Trivy: a 2026 supply-chain attack
- CISA warns: Zimbra and SharePoint vulnerabilities are being actively exploited
- Supply-chain attacks via auto-update threaten open-source software
Sources
Photo source: the-european.eu