
Linux Ransomware Pay2Key Attacking Organizations' Servers, Virtualization Hosts, and Cloud Workloads

By Tushar Subhra Dutta
Publication Date: 2026-03-25 17:38:00

Linux has long been considered a more secure operating system than Windows, but that reputation is being tested.

A ransomware group known as Pay2Key, attributed to Iranian threat actors, has developed a Linux variant that is actively targeting organizational servers, virtualization hosts, and cloud workloads.

The malware was first detected in the wild in late August 2025, and its technical design shows that its operators built it for scale, reliability, and speed rather than stealth.

Pay2Key is not a new name in the threat landscape. The group had periods of reduced activity, but this Linux-specific variant signals a deliberate shift in targeting strategy.

Unlike traditional ransomware that focuses on desktop environments, Pay2Key’s Linux build goes straight for the infrastructure layer — the servers and systems that organizations depend on daily.

Once it gets inside, it does not just encrypt files; it systematically dismantles the defenses that might slow it down.

Morphisec researchers identified the malware sample and noted that Pay2Key.I2, the Linux variant, is configuration-driven and requires root-level privileges to execute.

This means the ransomware runs with the highest level of system access, giving it full control over the file system and core OS functions.

The operators are not relying on post-execution privilege escalation — they build the payload to run only once full access is already in…
