S0556: Pay2Key
Pay2Key is a ransomware written in C++ that has been used by Fox Kitten since at least July 2020 including campaigns against Israeli companies. Pay2Key has been incorporated with a leak site to display stolen sensitive information to further pressure victims into payment.[1][2]
Analyst context for executives and security teams
Pay2Key matters because it represents ransomware behavior tied in ATT&CK to Windows systems, data encryption for impact, service disruption, discovery, command-and-control, and file deletion. For business leaders, the key issue is not only encryption downtime: the official description also notes use of a leak site to pressure victims with stolen sensitive information, making this both an availability and data-exposure response problem.
Executive priority
Prioritize Pay2Key as a ransomware resilience and incident decision-making scenario. Leaders should ask whether the organization can prove recoverability, preserve evidence after file deletion, detect service-stopping behavior, and make rapid legal, communications, and executive decisions if encryption is paired with threatened data exposure. Because ATT&CK provides no official detection text for this object, coverage should be validated rather than assumed.
Technical view
For SOC, detection engineering, and IR teams, validate coverage around the related behaviors: Windows host execution with system and network discovery, deletion of artifacts, internal proxy or non-application-layer command-and-control patterns, asymmetric cryptography used to conceal communications, service stops, and large-scale file encryption. Hunt and response plans should connect endpoint, network, service-control, and file-system evidence so analysts can distinguish routine administration from coordinated ransomware staging and impact activity.
Likely telemetry
- Windows endpoint process, service, file, and command execution telemetry
- File-system activity showing rapid modification, encryption-like behavior, or deletion of artifacts
- Service control events showing stopping or disabling of important services
- Network flow, firewall, proxy, and IDS telemetry for unusual internal proxying or non-application-layer communications
- Host discovery evidence related to system information and network configuration collection
Detection direction
- Do not rely on a Pay2Key-specific signature alone; validate behavioral detections mapped to the related ATT&CK techniques.
- Tune for sequences: discovery followed by suspicious network communications, service stops, file deletion, and high-volume file changes or encryption behavior.
- Review false positives from legitimate administration, backup operations, software deployment, and maintenance windows, especially for service stops and discovery commands.
- Confirm whether endpoint and network telemetry is retained long enough to investigate cleanup activity and pre-impact discovery.
- Use the Fox Kitten relationship as threat-intelligence context, but avoid assuming attribution from Pay2Key-like behavior alone.
Mitigation priorities
- Maintain tested, isolated, and recoverable backups for critical Windows systems and business data.
- Restrict privileges that can stop critical services, access broad file shares, or modify recovery infrastructure.
- Segment networks and control egress to reduce opportunities for internal proxying and unusual command-and-control paths.
- Harden monitoring and retention for endpoint, service-control, file, and network telemetry so incident responders can reconstruct activity even after file deletion.
- Prepare ransomware and data-leak response playbooks covering technical containment, executive escalation, legal review, communications, and evidence preservation.
Analyst notes and limits
ATT&CK identifies Pay2Key as C++ ransomware used by Fox Kitten since at least July 2020, including campaigns against Israeli companies, and notes incorporation with a leak site. The software object platform is Windows. The most useful defensive value comes from validating the related behaviors rather than treating the malware name as the primary detection opportunity.
The supplied ATT&CK object has no official detection guidance, no aliases, and no malware-level tactics specified. Some related techniques list broader platform metadata than the Pay2Key software object; this take therefore treats Windows as the supported software platform and uses related techniques only for behavioral validation direction. Local telemetry, asset criticality, and baseline administration patterns are required to assess real coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1090.001 | Internal Proxy (sub-technique) | Pay2Key has designated machines in the compromised network to serve as reverse proxy pivot points to channel communications with C2.[1][2] |
| Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique) | Pay2Key has used RSA encrypted communications with C2.[2] |
| Enterprise | T1489 | Service Stop | Pay2Key can stop the MS SQL service at the end of the encryption process to release files locked by the service.[2] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | Pay2Key can remove its log file from disk.[2] |
| Enterprise | T1095 | Non-Application Layer Protocol | Pay2Key has sent its public key to the C2 server over TCP.[2] |
| Enterprise | T1082 | System Information Discovery | Pay2Key has the ability to gather the hostname of the victim machine.[2] |
| Enterprise | T1486 | Data Encrypted for Impact | Pay2Key can encrypt data on victims' machines using RSA and AES algorithms in order to extort a ransom payment for decryption.[1][2] |
| Enterprise | T1016 | System Network Configuration Discovery | Pay2Key can identify the IP and MAC addresses of the compromised host.[2] |
Groups, software, and campaigns
G0117: Fox Kitten
Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 96ce830dc3ca… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ClearkSky Fox Kitten February 2020: ClearSky. (2020, February 16). Fox Kitten – Widespread Iranian Espionage-Offensive Campaign. Retrieved December 21, 2020.
[2] Check Point Pay2Key November 2020: Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.
[3] mitre-attack S0556 (mirrored ATT&CK source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.