Iranian Threat Actors Deploying Pseudo-Ransomware
Iranian threat actors have increasingly adopted ransomware-like tactics. These operations are not purely criminal enterprises but instruments of statecraft. Over the past several years, and especially amid escalating geopolitical tensions, these actors have refined a hybrid model that blends cybercrime techniques with strategic objectives.
This evolution has produced what researchers now describe as "pseudo-ransomware": attacks that mimic traditional ransomware but prioritize disruption, espionage, or coercion over financial gain. Examining operations such as Pay2Key and broader Iranian cyber activity shows that ransomware has become a flexible, weaponized tool in Iran's cyber arsenal.

Iranian cyber operations have historically focused on espionage and disruption carried out by state-aligned APT groups. Recent reporting highlights a shift toward cybercriminal tactics, notably ransomware. Instead of building large-scale criminal operations of the kind run by Eastern European cybercrime groups, Iranian actors blend APT tradecraft with cybercrime.
This shift reflects both strategic necessity and opportunity. Sanctions and geopolitical isolation have incentivized Iran to leverage asymmetric tools. Ransomware provides a scalable, deniable, and high-impact mechanism. By adopting ransomware-as-a-service (RaaS) models, recruiting affiliates, and collaborating with foreign cybercriminals, Iranian actors can extend their reach. At the same time, they maintain plausible deniability.
Central to this evolution is Pay2Key, a ransomware operation widely attributed to Iranian state-backed groups. First seen in 2020, targeting Israeli organizations, Pay2Key has reemerged with greater capabilities and a wider geopolitical focus.
Pay2Key exemplifies how Iranian actors have redefined ransomware. It operates as a RaaS platform and offers financial incentives to affiliates. Its campaigns are closely aligned with Iranian geopolitical objectives. In 2025, the group increased affiliate profit-sharing to as high as 80% for attacks targeting Western adversaries. This explicitly ties financial rewards to political alignment.
More recently, Pay2Key has shifted toward what researchers call "pseudo-ransomware." In these attacks, encryption is used not primarily for extortion, but as a means of disruption or destruction. This distinction is critical. Traditional ransomware relies on encryption, and increasingly on data theft and the threat of public leaks, to coerce victims into paying. In contrast, Iranian pseudo-ransomware operations may forgo data exfiltration and negotiation entirely. They focus instead on operational impact.
A 2026 attack on a US healthcare provider exemplifies this shift. Attackers encrypted systems and caused disruption without stealing data or seeking extortion. Investigators saw the operation as prioritizing damage over profit, breaking from the standard ransomware model.
This approach blurs the line between ransomware and wiper malware. The technical mechanisms resemble ransomware. However, the strategic intent aligns more closely with sabotage. As a result, organizations may misinterpret these attacks as financially motivated when, in fact, they serve broader geopolitical goals. For responders, the practical question is whether the intrusion left any recovery path at all: key material that can actually be unwrapped, a decryptor that works on a test file, a negotiation channel that answers. When none of these exist, the "ransomware" should be handled as a destructive attack regardless of the ransom note.
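The responder's check described above, as an added example that is not code from the original article or from any Iranian operation: a small triage heuristic that asks whether an "encrypted" file still carries what a victim would need to recover it. The footer format (a `KEY:` marker followed by 32 bytes of key material), the SHA-256 counter-mode stream cipher standing in for a real encryptor, and the "patient record" sample content are all assumptions constructed for illustration.

```python
"""Triage heuristic: does an 'encrypted' file leave a recovery path?

Added example, not code from the original article or any ransomware family.
Assumptions (hypothetical, for illustration only):
  - the encryptor appends KEY_MARKER + 32 bytes of key material to each file;
  - a SHA-256 counter-mode keystream stands in for the real cipher (e.g. AES);
  - the sample plaintext below is constructed, not real data.
"""
import hashlib
import math
from collections import Counter
from typing import Dict, Optional

KEY_MARKER = b"KEY:"   # hypothetical footer marker; real families differ
KEY_LEN = 32           # hypothetical length of the stored (wrapped) key

# Constructed sample "victim file"; nothing here is real patient data.
SAMPLE_PLAINTEXT = b"patient_id=0001;status=admitted;ward=4A\n" * 150


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy counter-mode stream cipher: XOR data with SHA-256(key || counter)."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)


def encrypt_with_recovery(plaintext: bytes, key: bytes) -> bytes:
    """Extortion-style encryptor: ciphertext plus the key material a victim would pay for."""
    return keystream_xor(plaintext, key) + KEY_MARKER + key


def overwrite_no_recovery(plaintext: bytes) -> bytes:
    """Same cipher, but the key is never written anywhere: looks encrypted, is unrecoverable."""
    throwaway = hashlib.sha256(b"generated in memory, never stored").digest()
    return keystream_xor(plaintext, throwaway)


def zero_and_truncate(plaintext: bytes) -> bytes:
    """Classic wiper behaviour: zero-fill and shrink the file."""
    return b"\x00" * (len(plaintext) // 2)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or random bytes, 0.0 for a zero-filled run."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def has_key_material(data: bytes) -> bool:
    """True if the file ends with KEY_MARKER followed by exactly KEY_LEN bytes."""
    idx = data.rfind(KEY_MARKER)
    return idx != -1 and len(data) - idx == len(KEY_MARKER) + KEY_LEN


def recover(data: bytes) -> Optional[bytes]:
    """Decrypt using the stored key material; None if there is nothing to decrypt with."""
    if not has_key_material(data):
        return None
    key = data[-KEY_LEN:]
    return keystream_xor(data[:-(len(KEY_MARKER) + KEY_LEN)], key)


def classify(original_size: int, data: bytes) -> str:
    """Label a post-attack file by whether recovery is even theoretically possible."""
    entropy = shannon_entropy(data[:4096])
    if len(data) < original_size or entropy < 1.0:
        return "wiper-like: truncated or zero-filled"
    if not has_key_material(data):
        return "wiper-like: high-entropy overwrite with no key material"
    return "ransomware-like: key material present, decryption possible"


def triage_samples() -> Dict[str, str]:
    """Run the heuristic over the three constructed outcomes of one victim file."""
    key = hashlib.sha256(b"per-file key").digest()
    size = len(SAMPLE_PLAINTEXT)
    samples = {
        "extortion": encrypt_with_recovery(SAMPLE_PLAINTEXT, key),
        "pseudo":    overwrite_no_recovery(SAMPLE_PLAINTEXT),
        "wiper":     zero_and_truncate(SAMPLE_PLAINTEXT),
    }
    return {name: classify(size, blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:10s} -> {verdict}")
```

The point the example makes is that entropy alone cannot separate genuine ciphertext from a random overwrite; the "extortion" and "pseudo" samples score the same. What separates them is whether anything recoverable was left behind. In a real incident that translates into checking the ransom note's key-exchange mechanism, locating the per-file or per-host key blobs the family is documented to write, and proving a decryptor on a sacrificial file before any payment or sanctions decision is made.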
Blurring the Line Between Crime and Statecraft
The blurring of cybercrime and statecraft is exemplified in a recent report published by Kela. One significant development in Iranian cyber operations is the deliberate blending of state-sponsored activity with cybercrime. Iranian groups have increasingly acted as initial access brokers (IABs), providing footholds in victim networks to other ransomware operators. This model allows Iran to monetize access. It also enables disruptive attacks against its adversaries.
Additionally, Iranian actors have recruited affiliates from underground forums, including Russian cybercriminal communities. These partnerships expand operational capacity. They also introduce new tactics, techniques, and procedures (TTPs) into Iranian campaigns. The result is a more dynamic and unpredictable threat landscape.
This convergence of cybercrime and state activity creates significant challenges for defenders. Attribution becomes more complex, as attacks may involve multiple actors with overlapping motivations. Organizations that pay ransoms risk violating sanctions if funds are traced back to state-linked entities.
The implications extend beyond technical security. Legal, regulatory, and geopolitical considerations now play a central role in incident response. This is especially true in ransomware incidents involving nation-state actors.
Iranian ransomware-like campaigns exhibit several distinguishing characteristics that set them apart from traditional cybercriminal operations:
- Ideological Targeting: Iranian actors focus on adversaries such as the United States, Israel, and their allies.
- Disruption Over Profit: Many attacks prioritize operational impact, using encryption for sabotage.
- Hybrid Business Models: Operations combine elements of RaaS, affiliate programs, and state-directed missions. They often incentivize attackers based on political objectives.
- Stealth and Persistence: Iranian groups often maintain access before deploying ransomware, enabling targeted attacks.
These tactics show a strategic shift toward integrating cyber operations into national defense and offense.
Iran's use of ransomware-like tactics cannot be understood in isolation. It is part of a larger cyber-kinetic strategy in which digital operations support physical and geopolitical objectives. For example, Iranian actors have used cyber capabilities to support military targeting and battle damage assessment. This demonstrates a high level of integration between the cyber and kinetic domains.
Within this framework, ransomware serves multiple purposes. It can disrupt critical infrastructure or create economic pressure. It can also signal capability without escalating to direct military confrontation. Ransomware provides a layer of deniability, as attacks can be attributed to criminal groups rather than state actors.
This strategic flexibility makes ransomware attractive for Iran. Unlike traditional cyber espionage, which operates in the shadows, ransomware campaigns can generate visible impact and psychological effects. Victims experience immediate disruption. Broader audiences observe the consequences. This amplifies the operation's strategic value.
Iranian threat actors have transformed ransomware from a purely criminal enterprise into a versatile instrument of state power. Through operations like Pay2Key, they have shown that ransomware can serve geopolitical objectives. It blends financial incentives with strategic intent. The rise of pseudo-ransomware underscores this evolution and reveals a shift toward disruption and destruction rather than profit.
As the lines between cybercrime and state-sponsored activity continue to blur, organizations face a more complex and dangerous threat landscape. Iranian actors have shown that ransomware is no longer just about money. It is now a tool of influence, coercion, and warfare. Understanding this shift is essential for developing effective defenses and responding to the next generation of cyber threats.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.