Tags: cyberattack | united states | healthcare | iranian hackers

Iran-Linked Hackers Again Target US Healthcare

By Jim Mishler   |   Tuesday, 24 March 2026 04:23 PM EDT

A ransomware group linked to the Iranian government targeted an unnamed U.S. healthcare organization in late February, deploying a fast-moving cyberattack that locked down systems within hours, according to findings from Beazley Security.

The firm said the attack was attributed to Pay2Key, a threat group tied to Iranian state interests that has operated since 2020 and has increasingly focused on Western organizations.

The attack is separate from one that hit Stryker, a Michigan-based medical technology company, about two weeks ago.

Beazley Security's incident response team found the attackers gained access through a compromised administrator account and remained in the system for several days before launching the ransomware.

Once deployed, the malware encrypted the organization's environment in roughly three hours, reflecting what analysts described as a more advanced version of the group's tools with improved evasion and anti-forensics capabilities.

Beazley said there was no evidence that data was exfiltrated during the intrusion, marking a departure from the double extortion tactics commonly used by ransomware groups.

Security researchers said Pay2Key activity has increased with rising tensions involving Iran, continuing a pattern of targeting U.S. and allied organizations in times of geopolitical strain.

Federal agencies have previously assessed the group as tied to Iranian state interests rather than traditional criminal operations.

This was at least the second known cyberattack on a U.S. healthcare organization linked to the group.

The activity comes as federal investigators have taken action tied to the cyberattack on Stryker.

In that case, investigators moved to seize online infrastructure used by a group claiming responsibility for the intrusion.

The cyberattack on Stryker disrupted internal systems across the company's global network, leaving employees temporarily unable to access internal platforms and prompting warnings not to use company devices during the disruption.

A group calling itself Handala claimed responsibility and framed the attack as retaliation against the U.S. for its attacks against Iran.

Stryker later moved into recovery operations, restoring systems while maintaining that its production of medical products was not affected.

Jim Mishler

Jim Mishler, a seasoned reporter, anchor and news director, has decades of experience covering crime, politics and environmental issues.

© 2026 Newsmax. All rights reserved.

