In late February 2026, an unnamed U.S. healthcare organization was compromised by Pay2Key, an Iranian state-linked ransomware operation that the FBI, CISA, and Department of Defense Cyber Crime Center jointly assessed in 2024 as an "information operation" aligned with Iran's strategic interests rather than a conventional criminal extortion enterprise. The attack coincided with the opening days of Operation Epic Fury — the U.S.-Israel military campaign against Iran that commenced February 28 — and represents the first confirmed Pay2Key intrusion against a U.S. healthcare target since the conflict began.
According to joint incident response analysis by Halcyon's Ransomware Research Center and Beazley Security, the threat actors first gained access through a compromised administrator account and waited several days before acting — a deliberate pre-deployment reconnaissance phase. When the payload was deployed, the threat actors used TeamViewer — a legitimate remote access tool already installed in the victim's environment — to blend with normal activity and evade endpoint detection. Full environment encryption was completed in approximately three hours, with the active file encryption phase taking roughly one hour. Anti-forensic activity followed, including targeted event log deletion designed to erase traces of the intrusion.
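The two techniques called out above, a legitimate remote access tool used as cover and event logs cleared afterwards, leave a small but distinctive trail in Windows event records. The detection sketch below is an added example written for this page; it is not code from Halcyon, Beazley Security or the incident response itself. It assumes event records have already been exported to a simplified JSON-lines shape (the `ts`, `host`, `event_id`, `user` and `new_process` field names are this example's own choice, not a Windows schema), and the sample records, hostnames and usernames are constructed. The event IDs are the standard Windows ones: 1102 (Security audit log cleared), 104 (a log cleared, logged by Microsoft-Windows-Eventlog) and 4688 (process creation).

```python
import json
import ntpath
from datetime import datetime, timedelta

# Standard Windows event IDs:
#   1102 = Security audit log cleared, 104 = event log cleared (Microsoft-Windows-Eventlog),
#   4688 = new process created.
LOG_CLEAR_IDS = {1102, 104}

# Assumption: remote access tools that are legitimately installed in the environment
# and therefore would not be blocked, but whose use is worth correlating with log clears.
REMOTE_TOOL_NAMES = {"teamviewer.exe", "teamviewer_service.exe"}

# CONSTRUCTED sample records (one JSON object per line). Hosts, users and times are
# invented for this example and are not taken from the incident.
SAMPLE_LOG = r"""
{"ts": "2026-02-20T09:00:00", "host": "FS-01", "event_id": 1102, "user": "backup_admin"}
{"ts": "2026-02-25T01:10:00", "host": "WS-07", "event_id": 4688, "user": "svc_admin", "new_process": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"}
{"ts": "2026-02-25T01:12:00", "host": "WS-07", "event_id": 4688, "user": "svc_admin", "new_process": "C:\\Windows\\System32\\notepad.exe"}
{"ts": "2026-02-25T02:00:00", "host": "FS-02", "event_id": 4688, "user": "jdoe", "new_process": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"}
{"ts": "2026-02-25T03:40:00", "host": "WS-07", "event_id": 1102, "user": "svc_admin"}
{"ts": "2026-02-25T03:41:00", "host": "WS-07", "event_id": 104, "user": "svc_admin"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines records, convert `ts` to datetime, return them in time order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def log_clear_events(events: list) -> list:
    """Every record that documents an event log being cleared."""
    return [e for e in events if e["event_id"] in LOG_CLEAR_IDS]


def remote_tool_starts(events: list) -> list:
    """Process-creation records whose executable name is a known remote access tool."""
    hits = []
    for e in events:
        if e["event_id"] != 4688:
            continue
        exe = ntpath.basename(e.get("new_process", "")).lower()
        if exe in REMOTE_TOOL_NAMES:
            hits.append(e)
    return hits


def correlate(events: list, window_hours: float = 4.0) -> list:
    """For each log clear, report remote-tool starts on the same host within the
    preceding `window_hours`. A log clear with no such start is still notable on its
    own, but the combination is the pattern described in the incident write-up."""
    window = timedelta(hours=window_hours)
    tool_starts = remote_tool_starts(events)
    alerts = []
    for clear in log_clear_events(events):
        for start in tool_starts:
            gap = clear["ts"] - start["ts"]
            if start["host"] == clear["host"] and timedelta(0) <= gap <= window:
                alerts.append({
                    "host": clear["host"],
                    "cleared_by": clear["user"],
                    "clear_event_id": clear["event_id"],
                    "cleared_at": clear["ts"].isoformat(),
                    "tool": ntpath.basename(start["new_process"]),
                    "tool_started_at": start["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed data this raises two alerts, both for host WS-07, where TeamViewer was started and the Security and System logs were cleared two and a half hours later under the same administrator account; the FS-01 clear five days earlier, with no remote-tool activity near it, is listed by `log_clear_events` but not correlated. In practice the clear event itself is the signal worth forwarding off-host immediately, since a host whose logs are wiped cannot later be asked what happened.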
Notably, no data was exfiltrated and no ransom demand was issued — a significant departure from the group's standard double-extortion playbook. Former FBI Cyber Deputy Director Cynthia Kaiser, now SVP at Halcyon, characterized this behavioral shift as alarming: when a group that normally steals data before encrypting skips both steps, the operational objective appears to be disruption and destruction rather than profit.
The new Pay2Key variant used in this attack represented a marked technical advancement over prior campaigns, with improvements in evasion, execution, and anti-forensics that rendered some existing detection signatures ineffective. The incident preceded the March 11 Stryker wiper attack by approximately two weeks, and together the two operations confirm a sustained, deliberate Iranian campaign targeting American healthcare infrastructure as an asymmetric response to U.S. military operations.
// Source
📰 Halcyon / Beazley Security
// Incident Details
| Field | Value |
| --- | --- |
| Incident Date | 2026-02-25 |
| County | District of Columbia |
| State | DC |
| Severity | High |
| Incident Type | Cyberattack, International, Mass Casualty |
| Published | April 5, 2026 |
| Source | Halcyon / Beazley Security |