
Iran-linked Pay2Key targets US healthcare in disruption-focused attack


An Iran-linked ransomware group has targeted a US healthcare provider in a cyberattack that prioritized disruption over data theft.


What happened

According to Cybersecurity Dive, an Iran-linked ransomware group targeted an unnamed US healthcare provider in a cyberattack that appears tied to escalating geopolitical tensions in the Middle East. Researchers say the group, tracked as Pay2Key, used a compromised administrative account to gain access and maintained that access for several days before deploying ransomware. The attackers then encrypted systems within the organization, disrupting operations. Investigators found no evidence that sensitive data was exfiltrated during the incident.


Going deeper

The attack occurred in late February, around the start of the 2026 Iran conflict, and reflects a broader shift in tactics among Iran-linked cyber actors. Historically, groups like Pay2Key focused heavily on Israeli targets, but recent intelligence suggests a pivot toward US organizations.

Security experts believe the operation may signal a move away from financially motivated cybercrime toward more disruptive or destructive objectives. Instead of stealing data for extortion, the attackers appear to have prioritized system disruption, using ransomware as a tool for impact rather than profit.


What was said

According to Cybersecurity Dive, Johnny Collins, director of intelligence operations at Halcyon, highlighted how the incident deviates from traditional ransomware playbooks, noting that the attackers carried out “stealthy encryption without data exfiltration.”

Collins countered the assumption that the group had gone quiet in recent years, stating that Pay2Key “has not been dormant.” Instead, he explained, the group appears to have evolved its tactics and re-emerged with a sharper focus on US targets, particularly within critical infrastructure sectors like healthcare.


In the know

Pay2Key is an Iran-linked ransomware group that first appeared in 2020, initially targeting Israeli organizations before expanding its focus to US sectors, including healthcare. The group is widely believed to have ties to Iranian state-backed cyber actors.

Pay2Key differs from typical ransomware gangs, which are driven purely by profit, in that it blends cybercrime with geopolitical objectives. While it has used traditional tactics like data theft and extortion, recent activity suggests a shift toward disruption-focused attacks, where the goal is to damage systems rather than to collect a payment.

The group has also evolved technically, adopting models like ransomware-as-a-service (RaaS) and using more covert infrastructure to evade detection, making it a persistent and increasingly strategic threat.


The bigger picture

Recently, Stryker, one of the world's largest medical device manufacturers, was hit by a cyberattack attributed to Iran-linked threat actors, highlighting a growing pattern of politically motivated cyber operations targeting healthcare and its supply chain. The attack was claimed by Handala, a hacking group widely believed to be tied to Iran’s Ministry of Intelligence, and caused widespread disruption to the company’s internal systems and operations.

This incident closely mirrors the recent ransomware attack carried out by Pay2Key, another group long associated with Iranian cyber operations. Although Pay2Key has, at times, operated like a traditional ransomware group, researchers note its historical links to Iranian activity and its targeting of geopolitical adversaries.

Go deeper: Stryker Iran-linked attack wiped tens of thousands of devices, reports say

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)


FAQs

What is ransomware?

Ransomware is a type of malicious software that blocks access to systems or data, usually by encrypting files, until a ransom is paid to the attacker.


What is the difference between financially motivated ransomware and disruption-focused ransomware?

Financially motivated ransomware encrypts or steals data in order to extort a payment, whereas disruption-focused ransomware targets systems primarily to cause operational chaos or send a political message, regardless of whether any ransom is ever paid.


Is paying the ransom recommended?

Authorities generally discourage paying ransoms, as it does not guarantee data recovery and may encourage further attacks.
