Pay2Key Ransomware Targets Linux Servers, Virtualization, and Cloud Workloads
Key Takeaways
- Pay2Key, a ransomware group linked to Iranian actors, has launched a new Linux variant specifically designed to target servers, virtualization hosts, and cloud environments.
- This Linux ransomware, first observed in August 2025, prioritizes speed and reliability, aiming for maximum impact on critical infrastructure rather than stealth.
- The malware requires root-level privileges for execution, actively disables key Linux security frameworks like SELinux and AppArmor, and establishes persistence via cron jobs.
- Its sophisticated encryption mechanism, utilizing ChaCha20, and selective file targeting make data recovery without the decryption key highly improbable.
- The emergence of Pay2Key’s Linux variant highlights a growing gap in public cybersecurity research and organizational preparedness for Linux-specific ransomware threats.
Pay2Key Ransomware Shifts Focus to Linux Infrastructure
The long-held belief that Linux operating systems are inherently more secure than their Windows counterparts is facing a severe challenge. A new, potent variant of Pay2Key ransomware has emerged, specifically engineered to compromise Linux servers, virtualization platforms, and cloud workloads. This development signals a critical evolution in the threat landscape, demonstrating that the historical security advantages of Linux are no longer an impenetrable barrier against sophisticated cyberattacks.
The ransomware, attributed to Iranian threat actors operating under the Pay2Key moniker, was first identified in the wild in late August 2025. Its technical architecture reveals a design focused on rapid execution and broad impact across critical organizational infrastructure, rather than covert operations. This marks a significant strategic pivot for the Pay2Key group, which has previously exhibited varying levels of activity.
Targeting Critical Infrastructure
Unlike many traditional ransomware strains that primarily target desktop environments, the Linux build of Pay2Key directly assaults the foundational layers of an organization’s IT infrastructure. This includes servers hosting vital databases, application backends, and virtual machines. Cloud workloads, which are increasingly integral to business continuity, are equally vulnerable. The malware is designed not merely to encrypt files but to systematically dismantle the underlying security mechanisms that could impede its progress.
Researchers at Morphisec, who analyzed the malware sample, designated the Linux variant as Pay2Key.I2. They noted its configuration-driven nature and its absolute requirement for root-level privileges to initiate execution. This means the ransomware operates with the highest possible system access, granting it complete control over the file system and core operating system functions. The attackers are not relying on post-execution privilege escalation; instead, the payload is designed to activate only once full administrative access has already been secured.
The implications for organizations relying on Linux-based infrastructure are substantial. The malware’s sophisticated ability to classify various types of mounted file systems and selectively encrypt them enables it to inflict maximum damage while potentially keeping the host operational enough to display a ransom demand. This strategic approach complicates recovery efforts and increases the pressure on victims.
A broader concern highlighted by this incident is the relatively scarce public research available on Linux ransomware. Pay2Key’s Linux variant serves as a stark reminder that threat actors are actively developing tools to exploit this knowledge gap, targeting systems that many organizations may not be adequately prepared to defend.

Encryption Mechanism and Defense Evasion
Before initiating its encryption routine, Pay2Key systematically prepares the environment to neutralize potential defenses. The malware terminates active processes, halts running services, and disables two critical Linux security frameworks: SELinux and AppArmor. This preemptive action effectively strips the compromised host of its active security protections, paving the way for unimpeded encryption.
To ensure its continued presence, the ransomware establishes a persistence mechanism by installing a cron entry that re-triggers its execution upon system restart. This tactic means that even if a system administrator identifies an anomaly and reboots the server, the ransomware will resume its malicious activities.
For file targeting, Pay2Key meticulously enumerates /proc/mounts to construct a comprehensive map of the file system. It intelligently filters out pseudo-filesystems and categorizes mounts as read-only, removable, or other types. The ransomware completely bypasses read-only mounts and, during its per-file processing, deliberately avoids ELF and MZ binaries, as well as zero-length files. This selective targeting strategy is designed to minimize the risk of crashing the host system mid-operation, ensuring the ransom demand can be delivered effectively.
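As an added example (not code from the article or from Morphisec's analysis), the following Python reproduces the mount classification described above from a defender's side, so an administrator can see which mounts on a host a writable-filesystem encryptor would treat as in scope. The pseudo-filesystem list and the sample /proc/mounts content are constructed assumptions; the article's "removable" category is not reproduced.

```python
# Parse /proc/mounts and apply the classification the article describes: drop
# pseudo-filesystems, then split the rest into read-only (skipped) and writable (in scope).
# Added example; PSEUDO_FS and the sample content are constructed assumptions.

PSEUDO_FS = {  # kernel-backed filesystems that hold no user data (assumed, not exhaustive)
    "proc", "sysfs", "devtmpfs", "devpts", "tmpfs", "cgroup", "cgroup2", "securityfs",
    "debugfs", "tracefs", "configfs", "mqueue", "hugetlbfs", "binfmt_misc", "autofs", "bpf",
}

def parse_proc_mounts(text: str) -> list:
    """Return (device, mountpoint, fstype, options) tuples from /proc/mounts text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        dev, mnt, fstype, opts = fields[:4]
        # /proc/mounts encodes spaces in paths as the octal escape \040
        mnt = mnt.replace("\\040", " ")
        mounts.append((dev, mnt, fstype, tuple(opts.split(","))))
    return mounts

def classify(mounts: list) -> dict:
    """Bucket mountpoints as pseudo (ignored), read_only (skipped) or writable (in scope)."""
    buckets = {"pseudo": [], "read_only": [], "writable": []}
    for _dev, mnt, fstype, options in mounts:
        if fstype in PSEUDO_FS:
            buckets["pseudo"].append(mnt)
        elif "ro" in options:
            buckets["read_only"].append(mnt)
        else:
            buckets["writable"].append(mnt)
    return buckets

# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/vda1 / ext4 rw,relatime 0 0
/dev/vdb1 /var/lib/libvirt/images xfs rw,noatime 0 0
nfs01:/backups /mnt/backups nfs4 ro,relatime,vers=4.2 0 0
/dev/sr0 /media/cdrom iso9660 ro,nosuid,nodev,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
"""

if __name__ == "__main__":
    for bucket, paths in classify(parse_proc_mounts(SAMPLE_MOUNTS)).items():
        print(f"{bucket:10s} {paths}")
```

Replace SAMPLE_MOUNTS with the contents of /proc/mounts to run the classification against a live host.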
The encryption process leverages the robust ChaCha20 algorithm, operating in either full-file or partial mode as dictated by its configuration. A hardcoded string, “DontDecompileMePlease,” is embedded within the binary. This string plays a crucial role in both the derivation of metadata keys and the validation of the metadata layout. Unique per-file keys are generated and stored within an obfuscated metadata block, rendering data recovery virtually impossible without the master decryption key.
What You Should Do
- Enforce strict access controls and regularly audit accounts with root-level privileges on Linux-based infrastructure.
- Disable or severely restrict the ability to create cron jobs for non-administrative users to mitigate persistence mechanisms.
- Implement active monitoring for any unexpected disabling or modification of SELinux or AppArmor, as these are strong indicators of ransomware activity.
- Maintain robust, offline, and immutable backups of all critical data to ensure recovery capabilities without resorting to ransom payments.
- Stay informed about emerging Linux-specific threats and ensure security teams are trained and equipped to detect and respond to such attacks.
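An added example, not part of the article, covering the monitoring points in the list above and the evasion and persistence steps described earlier: it reports SELinux or AppArmor being off and @reboot entries in root's crontab that point into temp or hidden paths (the ransomware runs as root, so root's crontab is where a re-launch entry would land). The sysfs paths are the kernel's standard interfaces; the crontab locations and the @reboot heuristic are assumptions, and the sample crontab is constructed.

```python
# Checks for the Pay2Key Linux behaviours described above: SELinux or AppArmor switched off,
# and a root cron @reboot entry launching a command from a temp or hidden path.
# Added example; the sysfs paths are standard kernel interfaces, the cron heuristic is assumed.
import re
from pathlib import Path
from typing import Optional

SELINUX_ENFORCE = Path("/sys/fs/selinux/enforce")                   # "1" enforcing, "0" permissive
APPARMOR_ENABLED = Path("/sys/module/apparmor/parameters/enabled")  # "Y" or "N"
ROOT_CRON_FILES = [Path("/var/spool/cron/crontabs/root"), Path("/var/spool/cron/root"), Path("/etc/crontab")]

def selinux_disabled(enforce_value: Optional[str]) -> bool:
    """True when SELinux is missing (None) or not enforcing."""
    return enforce_value is None or enforce_value.strip() != "1"

def apparmor_disabled(enabled_value: Optional[str]) -> bool:
    """True when AppArmor is missing (None) or reports anything other than Y."""
    return enabled_value is None or enabled_value.strip().upper() != "Y"

# @reboot lines whose command lives under a temp directory or a hidden path in /root (assumed heuristic).
SUSPICIOUS_CRON = re.compile(r"^\s*@reboot\s+.*(/tmp/|/dev/shm/|/var/tmp/|/root/\.)")

def suspicious_reboot_entries(crontab_text: str) -> list:
    """Return matching @reboot lines; comment lines are ignored."""
    hits = []
    for line in crontab_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        if SUSPICIOUS_CRON.search(line):
            hits.append(line.strip())
    return hits

def read_or_none(path: Path) -> Optional[str]:
    try:
        return path.read_text()
    except OSError:  # missing file or no permission: treat as absent
        return None

def audit_host() -> dict:
    """Run all three checks against the live host (needs read access to the paths above)."""
    cron_text = "\n".join(t for t in map(read_or_none, ROOT_CRON_FILES) if t)
    return {"selinux_disabled": selinux_disabled(read_or_none(SELINUX_ENFORCE)),
            "apparmor_disabled": apparmor_disabled(read_or_none(APPARMOR_ENABLED)),
            "reboot_cron": suspicious_reboot_entries(cron_text)}

# Constructed crontab sample for offline demonstration (not a real capture).
SAMPLE_CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
@reboot /var/tmp/.cache/svc >/dev/null 2>&1
@reboot /usr/bin/systemctl start docker
"""
```

Calling suspicious_reboot_entries(SAMPLE_CRONTAB) flags only the /var/tmp line; audit_host() runs all three checks on the machine it is executed on, with any missing or unreadable path reported as the framework being absent.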
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.