This article explores the Pay2Key I2 ransomware variant, which targets Linux systems and was first seen in the wild in late August 2025. The malware reflects a complex shift toward highly configurable, scalable attacks built specifically for Linux systems.

The ransomware needs root-level permissions to start its attack cycle. According to Chris Hoyle of Morphisec, organizations need to move toward prevention-first controls like Automated Moving Target Defense, which adds unpredictability to the system architecture to stop execution paths before encryption takes hold. Pay2Key uses the very fast ChaCha20 encryption algorithm. The malware generates a different encryption key for each file it works on.

This key is then stored in a hidden metadata block that is attached to the encrypted file.

After the encryption phase, the ransom note tells victims to go to a Clearnet portal, and it also gives them a link on the I2P network as a backup. Researchers could not find any signs of network command-and-control communication or data exfiltration routines; all attack statistics are kept on the local machine. Once an encryptor with root access starts to move through a Linux filesystem, the time a security team has to respond shrinks almost instantly.

Hoyle, who helps businesses protect themselves against Pay2Key, says that traditional defense mechanisms that rely on behavioral detection often go off too late to stop data loss that cannot be undone. The ransom note also tries to hide a big logical flaw in how the malware keeps its encryption keys.

According to Morphisec's research, forensic analysis found a strange hardcoded string in the malware's code: "DontDecompileMePlease."