Iranian hackers are behind Pay2Key, which now has a Linux version that is actively going after servers, virtualization hosts, and cloud workloads in organizations. The malware was first found in the wild in late August 2025.

Researchers at Morphisec found the malware sample and said that Pay2Key.I2, the Linux version, is configuration-driven and needs root-level access to run. Running as root gives the ransomware full control over the file system and the most important functions of the operating system. The impact falls mainly on businesses that use Linux-based systems. Servers that store databases, run application backends, and run virtual machines are the most likely to be attacked.

Cloud workloads, which many businesses now rely on to keep running smoothly all the time, are also at risk.

The bigger worry is that Linux ransomware is still one of the least studied types of threats in public security research. Security teams that manage Linux-based infrastructure should make sure that root-level access is tightly controlled and keep track of which accounts have extra privileges. Turning off the ability for non-administrative users to create unnecessary cron jobs can lower the chance that persistence mechanisms will take hold.

Companies should also watch for any unexpected disabling of SELinux or AppArmor, as this is a strong sign that ransomware is running. Keeping offline backups that can't be changed is one of the best ways to get your data back without paying a ransom.
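A read-only host check for the controls recommended above (extra root-level accounts, unrestricted cron access, SELinux or AppArmor switched off), added here as an example and not taken from Morphisec or the original article. The function name `audit_host`, its `root` parameter and the finding strings are assumptions made for illustration; the file paths are the standard Linux locations.

```python
import os

def _read(root, rel):
    """Return the stripped contents of root/rel, or None if unreadable."""
    try:
        with open(os.path.join(root, rel)) as fh:
            return fh.read().strip()
    except OSError:
        return None

def audit_host(root="/"):
    """Illustrative helper: findings for root accounts, cron and MAC state."""
    findings = []

    # 1. Any account other than root with UID 0 has full control of the host.
    for line in (_read(root, "etc/passwd") or "").splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            findings.append(f"extra UID 0 account: {fields[0]}")

    # 2. With no cron.allow, crontab use is not limited to an allowlist.
    if not os.path.exists(os.path.join(root, "etc/cron.allow")):
        findings.append("no cron.allow: crontab is not allowlisted")

    # 3. SELinux configured as enforcing but not enforcing right now means it
    #    was switched off outside the config file (for example setenforce 0).
    config = _read(root, "etc/selinux/config") or ""
    wanted = [l.split("=", 1)[1].strip() for l in config.splitlines()
              if l.strip().startswith("SELINUX=")]
    if wanted and wanted[-1] == "enforcing" \
            and _read(root, "sys/fs/selinux/enforce") != "1":
        findings.append("SELinux configured enforcing but not enforcing")

    # 4. AppArmor: the module reports Y when enabled; an empty profile list
    #    with the module still enabled means the profiles were unloaded.
    enabled = _read(root, "sys/module/apparmor/parameters/enabled")
    profiles = _read(root, "sys/kernel/security/apparmor/profiles")
    if enabled is not None and enabled != "Y":
        findings.append("AppArmor module is disabled")
    elif enabled == "Y" and profiles == "":
        findings.append("AppArmor enabled but no profiles loaded")
    return findings

if __name__ == "__main__":
    for finding in audit_host("/"):
        print("FINDING:", finding)
```

Run it as root from a scheduled job or configuration-management agent and alert on any change in the findings; the AppArmor profile list is readable only by root, so that check is skipped for other users.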
