Pay2Key Ransomware Emerges as Major Threat to Russian Organizations Through RaaS Model

CyberSecureFox 🦊

Cybersecurity researchers at F6 have identified a concerning new ransomware-as-a-service (RaaS) operation called Pay2Key, which has begun actively targeting Russian businesses in violation of traditional cybercriminal codes. Built upon the notorious Mimic malware framework, this emerging threat represents a significant shift in the ransomware landscape, particularly regarding previously “protected” territories.

Breaking Cybercriminal Conventions: Russian Organizations Under Attack

What makes Pay2Key particularly alarming is its operators’ deliberate disregard for the unwritten rules of the cybercriminal underground, where Russian organizations were traditionally considered off-limits. Security analysts have documented at least three targeted campaigns against Russian enterprises during spring 2025, affecting critical economic sectors including retail, financial services, information technology, and construction.

The ransomware first surfaced in February 2025 when a user identified as “lsreactive” posted promotional content on specialized hacking forums, announcing the launch of this new RaaS project. This marked the beginning of what would become a sustained campaign against Russian business infrastructure.

Financial Incentives Driving Criminal Recruitment

Pay2Key’s operators have structured their affiliate program with attractive financial incentives to recruit cybercriminals. Underground forum advertisements promise average monthly earnings of approximately 16,500 euros for active participants, making the platform appealing to threat actors looking for a profitable RaaS to join.

The ransomware demands relatively modest ransom payments, averaging around 1,800 euros per victim. This pricing keeps the operation profitable while staying within the financial reach of the targeted businesses, which increases the likelihood of payment compared with ransomware operations that demand far larger sums.

Technical Infrastructure and Distribution Methods

Pay2Key operates through the I2P (Invisible Internet Project) anonymous network, providing enhanced operational security for its criminal operators. The threat actors employ a sophisticated toolkit including SFX archives, phishing campaigns, legitimate utilities, and advanced anti-detection technologies to maximize their attack success rates.

To evade security solutions, the malware developers protect the binaries with Themida, a commercial packer and anti-analysis protector, which significantly complicates static detection and reverse engineering. Packed samples of this kind are a recurring challenge for signature-based antivirus engines, so behavioral and runtime indicators become correspondingly more important.

Encryption Implementation and Architecture

Following its Mimic predecessor’s design, Pay2Key is distributed as self-extracting (SFX) 7-Zip archives. The malware uses the legitimate Everything search utility and its API to enumerate files for encryption, demonstrating the threat actors’ preference for living-off-the-land techniques.

The ransomware encrypts files with the ChaCha20 stream cipher and uses X25519 Elliptic Curve Diffie-Hellman (ECDH) for key exchange. A distinctive feature of Pay2Key is its use of pre-generated session keys embedded in the malware code, which differs from the per-victim key generation seen in most ransomware and may complicate decryption efforts.
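A defender-side triage check for the SFX 7-Zip delivery described above, added here as an example and not part of F6’s research or this article: it flags a PE file that carries an embedded 7z archive and validates the archive’s 32-byte signature header (magic, start-header CRC, next-header bounds and CRC). The header layout is the published 7z format; the sample file bytes are constructed and the fixture is not a real archive.

```python
import struct
import zlib

# 7z signature header (32 bytes): 6-byte magic, 2-byte version, UINT32 StartHeaderCRC,
# UINT64 NextHeaderOffset, UINT64 NextHeaderSize, UINT32 NextHeaderCRC.
# StartHeaderCRC covers the 20 bytes that follow it; NextHeaderOffset is relative
# to the end of this 32-byte header.
SEVENZ_MAGIC = b"\x37\x7a\xbc\xaf\x27\x1c"
PE_MAGIC = b"MZ"


def triage_sfx(data: bytes) -> dict:
    """Report whether a file looks like a PE SFX stub with a structurally valid 7z payload."""
    result = {"is_pe": data[:2] == PE_MAGIC, "sfx": False, "archive_offset": None,
              "start_header_crc_ok": False, "next_header_in_bounds": False,
              "next_header_crc_ok": False}
    if not result["is_pe"]:
        return result
    off = data.find(SEVENZ_MAGIC, 2)          # archive appended after the PE stub
    if off < 0 or off + 32 > len(data):
        return result
    result["archive_offset"] = off
    _major, _minor, start_crc = struct.unpack_from("<BBI", data, off + 6)
    result["start_header_crc_ok"] = (zlib.crc32(data[off + 12:off + 32]) & 0xFFFFFFFF) == start_crc
    next_off, next_size, next_crc = struct.unpack_from("<QQI", data, off + 12)
    hdr_start = off + 32 + next_off
    result["next_header_in_bounds"] = hdr_start + next_size <= len(data)
    if result["next_header_in_bounds"]:       # truncated downloads fail here
        hdr = data[hdr_start:hdr_start + next_size]
        result["next_header_crc_ok"] = (zlib.crc32(hdr) & 0xFFFFFFFF) == next_crc
    result["sfx"] = result["start_header_crc_ok"] and result["next_header_in_bounds"]
    return result


def build_sample_sfx() -> bytes:
    """Constructed fixture: fake PE stub followed by a minimal, CRC-consistent 7z header."""
    stub = PE_MAGIC + b"\x00" * 62 + b"fake PE sfx stub"      # 80 bytes, hypothetical stub
    packed = b"P" * 40                                         # stand-in for packed streams
    next_header = b"\x01\x04\x06\x00"                          # stand-in for the encoded header
    next_crc = zlib.crc32(next_header) & 0xFFFFFFFF
    tail = struct.pack("<QQI", len(packed), len(next_header), next_crc)
    start_crc = zlib.crc32(tail) & 0xFFFFFFFF
    archive = SEVENZ_MAGIC + b"\x00\x04" + struct.pack("<I", start_crc) + tail + packed + next_header
    return stub + archive
```

Pointing `triage_sfx` at mail attachments or download-directory files gives a cheap first-pass indicator for this delivery style before a sample goes to sandboxing.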

Rapid Development Cycle: Version Evolution

Since its February debut, Pay2Key has demonstrated active development with rapid version iterations. The initial version 1.1 has evolved to the current version 1.2, indicating continuous improvement and feature enhancement by the development team. This rapid evolution suggests sustained investment in the platform’s capabilities and longevity.

Attack Methodologies and Phishing Campaigns

Pay2Key primarily infiltrates Russian organizations through carefully orchestrated phishing campaigns. The documented March and May attacks focused on retail enterprises, construction companies, and software development firms, while April campaigns specifically targeted financial sector organizations.

The threat actors demonstrate creativity in their social engineering approaches, crafting phishing emails with diverse themes ranging from standard business proposals and credential verification requests to unusual topics such as “barbed wire fencing” and “memorial complex well monuments”. This variety helps evade email security filters and increases the likelihood of successful social engineering.

The emergence of Pay2Key reflects broader trends in ransomware evolution, where new threat groups increasingly abandon traditional territorial restrictions to compete in the lucrative cybercrime marketplace. Organizations must strengthen their defensive postures through comprehensive employee security awareness training, robust email security solutions, and multi-layered cybersecurity architectures. As ransomware operations continue targeting previously protected regions, businesses must adapt their security strategies to address these evolving threats while maintaining operational resilience against sophisticated criminal enterprises.
