Pay2Key Linux installation script | Image: Morphisec
The landscape of Linux-based threats is shifting. While historically under-documented compared to Windows counterparts, a new report from Morphisec Threat Labs highlights a sophisticated evolution in the arsenal of the Iranian-attributed group, Pay2Key. This latest analysis of a Linux variant, detected in late August 2025, reveals a “mature, maintained build pipeline” designed to strike at the heart of enterprise infrastructure.
The Pay2Key.I2P ransomware isn’t just a simple port; it is a configuration-driven tool engineered for broad impact. It arrives via a shell script that fingerprints the host’s CPU architecture before downloading necessary archiving software.
The delivery mechanism is particularly notable for its dual-architecture approach, containing executables for both x64 and ARM64. As Morphisec’s lead author Ilia Kulmin notes:
“This dual-architecture approach signals deliberate operator intent to cover heterogeneous Linux infrastructure, including both traditional servers and ARM-based workloads, from a single delivery mechanism.”
Before a single byte is encrypted, the malware ensures it has total control. It enforces a strict requirement for root privileges; if it isn’t running with top-level access, it exits immediately. Once confirmed, it initiates a “disruptive preparation phase”. This includes:
- Weakening Defenses: Running commands like setenforce 0 to put SELinux into permissive mode and disabling AppArmor.
- Persistence: Creating cron jobs to ensure the malware remains on the system.
- Service Disruption: Terminating specific processes and stopping systemd services defined in its JSON configuration.
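The preparation phase described above is a usable detection opportunity: the individual commands are ordinary administration, but a root-owned burst that weakens SELinux/AppArmor, adds cron persistence and stops services within minutes is not. The following detector, an added example that is not part of the Morphisec report or the malware, scores such bursts over constructed process-execution log lines; the log format, the five-minute window and the three-category threshold are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not from the report): one process execution per line,
# "timestamp uid=<n> cmd=<command line>", resembling a simplified execve feed.
SAMPLE_LOG = """\
2025-08-28T10:00:01Z uid=1000 cmd=ls -la /srv
2025-08-28T10:02:10Z uid=0 cmd=setenforce 0
2025-08-28T10:02:11Z uid=0 cmd=systemctl stop apparmor
2025-08-28T10:02:12Z uid=0 cmd=sh -c echo '@reboot /opt/.cache/run' | crontab -
2025-08-28T10:02:14Z uid=0 cmd=systemctl stop postgresql
2025-08-28T10:02:15Z uid=0 cmd=pkill -9 mysqld
2025-08-28T14:30:00Z uid=0 cmd=systemctl stop nginx
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) uid=(?P<uid>\d+) cmd=(?P<cmd>.*)$")

# One regex per behaviour named in the article; categories, not exact commands.
INDICATORS = {
    "selinux_permissive": re.compile(r"\bsetenforce\s+0\b"),
    "apparmor_disabled": re.compile(r"\b(systemctl\s+(stop|disable)\s+apparmor|aa-teardown)\b"),
    "cron_persistence": re.compile(r"\bcrontab\b|/etc/cron\.d/|/var/spool/cron/"),
    "service_stop": re.compile(r"\bsystemctl\s+stop\s+(?!apparmor\b)\S+"),
    "process_kill": re.compile(r"\b(pkill|killall|kill)\b"),
}
WINDOW = timedelta(minutes=5)  # assumed burst window


def parse(lines):
    """Yield (timestamp, uid, cmd) tuples; silently skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, int(m["uid"]), m["cmd"]


def detect_prep_phase(log_text, window=WINDOW, min_categories=3):
    """Return one alert per root-only burst hitting >= min_categories indicators."""
    events = [e for e in parse(log_text.splitlines()) if e[1] == 0]  # root only
    alerts, i = [], 0
    while i < len(events):
        t0, seen, j = events[i][0], {}, i
        while j < len(events) and events[j][0] - t0 <= window:
            for cat, rx in INDICATORS.items():
                if cat not in seen and rx.search(events[j][2]):
                    seen[cat] = events[j][2]  # first matching command per category
            j += 1
        if len(seen) >= min_categories:
            alerts.append({"start": t0, "indicators": seen})
            i = j  # the whole burst is one alert; resume after it
        else:
            i += 1
    return alerts
```

Running `detect_prep_phase(SAMPLE_LOG)` flags the 10:02 burst with all five categories and ignores the lone `systemctl stop nginx` at 14:30, which is the behaviour a tuned rule should have on a busy server.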
The encryption process itself is highly efficient, utilizing the ChaCha20 algorithm. It intelligently classifies mounts—prioritizing removable devices for the primary worker pool while skipping read-only filesystems to maximize speed. To further bypass detection and increase speed on large files, it employs “sampled encryption,” which encrypts only deterministic segments of a file based on its size.
In a curious twist, the Linux build includes a “watchdog” model and a “premium” statistics module that requires a password to access. To see these features, a user must enter a password that is hashed and compared against specific strings like “pay2key” or “p2k”. While this may seem like a novelty, it underscores the developer’s focus on creating a refined, almost productized, malicious tool.
The sophistication of this variant serves as a stark reminder that Linux is no longer a safe haven. Because these tools target the servers organizations depend on most, the time to react is nearly non-existent.
As the Morphisec report concludes:
“Once an encryptor with root-level access begins traversing the filesystem, response time collapses and the window to prevent irreversible damage closes fast.”
To stay ahead of such threats, security teams must move beyond simple behavioral detection and toward prevention-first controls that stop execution paths before encryption can even begin.