Pay2Key Ransomware Targets Linux Servers, Virtualization, and Cloud Workloads

Emy Elsamnoudy
March 25, 2026

Key Takeaways

  • Pay2Key, a ransomware group linked to Iranian actors, has launched a new Linux variant specifically designed to target servers, virtualization hosts, and cloud environments.
  • This Linux ransomware, first observed in August 2025, prioritizes speed and reliability, aiming for maximum impact on critical infrastructure rather than stealth.
  • The malware requires root-level privileges for execution, actively disables key Linux security frameworks like SELinux and AppArmor, and establishes persistence via cron jobs.
  • Its sophisticated encryption mechanism, utilizing ChaCha20, and selective file targeting make data recovery without the decryption key highly improbable.
  • The emergence of Pay2Key’s Linux variant highlights a growing gap in public cybersecurity research and organizational preparedness for Linux-specific ransomware threats.

Pay2Key Ransomware Shifts Focus to Linux Infrastructure

The long-held belief that Linux operating systems are inherently more secure than their Windows counterparts is facing a severe challenge. A new, potent variant of Pay2Key ransomware has emerged, specifically engineered to compromise Linux servers, virtualization platforms, and cloud workloads. This development signals a critical evolution in the threat landscape, demonstrating that the historical security advantages of Linux are no longer an impenetrable barrier against sophisticated cyberattacks.

The ransomware, attributed to Iranian threat actors operating under the Pay2Key moniker, was first identified in the wild in late August 2025. Its technical architecture reveals a design focused on rapid execution and broad impact across critical organizational infrastructure, rather than covert operations. This marks a significant strategic pivot for the Pay2Key group, which has previously exhibited varying levels of activity.

Targeting Critical Infrastructure

Unlike many traditional ransomware strains that primarily target desktop environments, the Linux build of Pay2Key directly assaults the foundational layers of an organization’s IT infrastructure. This includes servers hosting vital databases, application backends, and virtual machines. Cloud workloads, which are increasingly integral to business continuity, are equally vulnerable. The malware is designed not merely to encrypt files but to systematically dismantle the underlying security mechanisms that could impede its progress.

Researchers at Morphisec, who analyzed the malware sample, designated the Linux variant as Pay2Key.I2. They noted its configuration-driven nature and its absolute requirement for root-level privileges to initiate execution. This means the ransomware operates with the highest possible system access, granting it complete control over the file system and core operating system functions. The attackers are not relying on post-execution privilege escalation; instead, the payload is designed to activate only once full administrative access has already been secured.

The implications for organizations relying on Linux-based infrastructure are substantial. The malware’s sophisticated ability to classify various types of mounted file systems and selectively encrypt them enables it to inflict maximum damage while potentially keeping the host operational enough to display a ransom demand. This strategic approach complicates recovery efforts and increases the pressure on victims.

A broader concern highlighted by this incident is the relatively scarce public research available on Linux ransomware. Pay2Key’s Linux variant serves as a stark reminder that threat actors are actively developing tools to exploit this knowledge gap, targeting systems that many organizations may not be adequately prepared to defend.

High-Level Attack Chain of Pay2Key Linux Ransomware Variant (Source - Morphisec)

Encryption Mechanism and Defense Evasion

Before initiating its encryption routine, Pay2Key systematically prepares the environment to neutralize potential defenses. The malware terminates active processes, halts running services, and disables two critical Linux security frameworks: SELinux and AppArmor. This preemptive action effectively strips the compromised host of its active security protections, paving the way for unimpeded encryption.

To ensure its continued presence, the ransomware establishes a persistence mechanism by installing a cron entry that re-triggers its execution upon system restart. This tactic means that even if a system administrator identifies an anomaly and reboots the server, the ransomware will resume its malicious activities.

For file targeting, Pay2Key meticulously enumerates /proc/mounts to construct a comprehensive map of the file system. It intelligently filters out pseudo-filesystems and categorizes mounts as read-only, removable, or other types. The ransomware completely bypasses read-only mounts and, during its per-file processing, deliberately avoids ELF and MZ binaries, as well as zero-length files. This selective targeting strategy is designed to minimize the risk of crashing the host system mid-operation, ensuring the ransom demand can be delivered effectively.

The encryption process leverages the robust ChaCha20 algorithm, operating in either full-file or partial mode as dictated by its configuration. A hardcoded string, “DontDecompileMePlease,” is embedded within the binary. This string plays a crucial role in both the derivation of metadata keys and the validation of the metadata layout. Unique per-file keys are generated and stored within an obfuscated metadata block, rendering data recovery virtually impossible without the master decryption key.

What You Should Do

  • Enforce strict access controls and regularly audit accounts with root-level privileges on Linux-based infrastructure.
  • Disable or severely restrict the ability to create cron jobs for non-administrative users to mitigate persistence mechanisms.
  • Implement active monitoring for any unexpected disabling or modification of SELinux or AppArmor, as these are strong indicators of ransomware activity.
  • Maintain robust, offline, and immutable backups of all critical data to ensure recovery capabilities without resorting to ransom payments.
  • Stay informed about emerging Linux-specific threats and ensure security teams are trained and equipped to detect and respond to such attacks.
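The tampering steps described above (SELinux and AppArmor switched off, an @reboot cron entry for persistence) map directly onto the monitoring advice in this list. The following defender-side baseline check is an added example, not code from the article or from Morphisec's analysis; it assumes the standard Linux locations for the SELinux enforce flag, the AppArmor module parameter and the system cron files, and the fixture data it tests against is constructed.

```python
# Added example: host baseline check for the tampering steps described above. Assumed
# paths are the standard Linux locations of the SELinux enforce flag, the AppArmor
# 'enabled' module parameter and the system cron files; 'root' allows testing on a fixture.
import tempfile
from pathlib import Path

CRON_LOCATIONS = ("etc/crontab", "etc/cron.d", "var/spool/cron/crontabs", "var/spool/cron")

def read_flag(root, rel):
    """Stripped contents of <root>/<rel>, or None if the file is absent."""
    p = Path(root) / rel
    return p.read_text().strip() if p.is_file() else None

def reboot_cron_entries(root="/"):
    """Collect '@reboot' lines, the cron form that re-triggers a payload after a restart."""
    hits = []
    for rel in CRON_LOCATIONS:
        p = Path(root) / rel
        files = [p] if p.is_file() else sorted(p.iterdir()) if p.is_dir() else []
        for f in (x for x in files if x.is_file()):
            for line in f.read_text(errors="replace").splitlines():
                if line.lstrip().startswith("@reboot"):
                    hits.append((str(f.relative_to(root)), line.strip()))
    return hits

def check_host(root="/", allowed_reboot_entries=()):
    """Findings: a security framework switched off, or an unapproved @reboot job."""
    findings = []
    if read_flag(root, "sys/fs/selinux/enforce") == "0":
        findings.append("SELinux present but permissive (enforce=0)")
    if read_flag(root, "sys/module/apparmor/parameters/enabled") == "N":
        findings.append("AppArmor module loaded but disabled (enabled=N)")
    for path, entry in reboot_cron_entries(root):
        if entry not in allowed_reboot_entries:
            findings.append(f"unexpected @reboot cron entry in {path}: {entry}")
    return findings

def build_fixture(tmp, tampered):
    """Write a constructed mini root tree (sample data, not a real capture)."""
    root = Path(tmp)
    for d in ("sys/fs/selinux", "sys/module/apparmor/parameters", "etc/cron.d"):
        (root / d).mkdir(parents=True)
    (root / "sys/fs/selinux/enforce").write_text("0\n" if tampered else "1\n")
    (root / "sys/module/apparmor/parameters/enabled").write_text("N\n" if tampered else "Y\n")
    (root / "etc/crontab").write_text("0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
    if tampered:  # constructed persistence line; the command path is a placeholder, not an IoC
        (root / "etc/cron.d/.cache").write_text("@reboot root /tmp/PLACEHOLDER_PAYLOAD\n")
    return str(root)

def demo():
    """Return (clean_findings, tampered_findings) from two constructed fixtures."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = check_host(build_fixture(tmp + "/clean", False))
        return clean, check_host(build_fixture(tmp + "/tampered", True))
```

Run `check_host()` with no arguments on a live host to audit it; pass the cron entries you have approved in `allowed_reboot_entries` so only new @reboot jobs are reported.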
