Iran-Linked Pay2Key Ransomware Group Re-Emerges
A joint report from Halcyon and Beazley Security has documented the return of Pay2Key — an Iranian-linked ransomware operation that has been intermittently active since 2020 and has historically targeted victims aligned with Iranian geopolitical interests — with a fresh attack on a U.S. healthcare provider that showcases an evolved set of tactics including TeamViewer-based interactive access, credential harvesting via Mimikatz, LaZagne, and ExtPassword, and network reconnaissance via Advanced IP Scanner and NetScan. The researchers note that recent U.S.-Iran tensions appear to have directly accelerated Pay2Key’s activity, consistent with the group’s documented pattern of intensifying operations during periods of geopolitical friction — but the picture is complicated by the group’s attempted sale of its entire RaaS platform in late 2025 and ties to Russian-speaking threat actors on criminal forums, raising unresolved questions about whether current operations reflect Iranian state direction, new criminal ownership, or some combination of both. Most concerning for defenders: the report notes Pay2Key does not always prioritize extortion or financial gain over environmental destruction, meaning victim organizations may face wiper-style outcomes rather than the straightforward data-for-payment dynamic of conventional ransomware — making rapid eviction and offline backups critical even when no ransom demand materializes.
Ransomware Attack Disrupts Operations at Major Spanish Fishing Port
A ransomware attack detected early Tuesday morning forced Spain’s Port of Vigo — Europe’s largest fishing port by volume and one of the continent’s most important seafood hubs, handling more than 90,000 tonnes of fresh fish annually — to disconnect parts of its network and revert entirely to manual management of cargo traffic and other digital port services while its technology team isolated affected servers. Port president Carlos Botana told local media that systems would not be reconnected until security teams could provide absolute guarantees against further compromise, with no estimated timeline for restoration given — a posture consistent with lessons learned from previous port ransomware incidents, where organizations that reconnected prematurely before fully evicting attackers suffered repeat infections. No ransomware group has yet publicly claimed the attack, and Spanish authorities and the National Cryptologic Center (CCN) have been notified; the incident follows a series of ransomware attacks against Spanish public and private sector entities in early 2026 and underscores that maritime and port infrastructure remains a high-value, often under-protected target with significant economic disruption potential.
Tycoon2FA Phishing Platform Returns After Recent Police Disruption
CrowdStrike research confirms that Tycoon2FA — the MFA-bypassing phishing-as-a-service platform targeting Microsoft 365 and Gmail that Europol disrupted on March 4 with the seizure of 330 domains — has already returned to pre-disruption campaign activity levels, with daily volumes that briefly collapsed to 25% of normal following the takedown rebounding fully within weeks as operators spun up new phishing domains and IP addresses almost immediately after the seizure. CrowdStrike noted that some of the original infrastructure never went fully offline, indicating the disruption was incomplete, and that post-compromise activity observed in the recovery period included inbox rule creation, hidden folder staging for business email compromise fraud preparation, and credential harvesting — suggesting the platform’s customer base resumed operations with minimal interruption. The swift recovery reinforces a pattern security researchers have documented repeatedly: infrastructure-only takedowns without arrests produce only temporary disruptions, because the business model, the operators, and the demand from criminal customers all remain intact — and Europol’s own operation acknowledged that no arrests were made, leaving the core threat actor group free to rebuild.
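The inbox rule creation mentioned above is one of the few post-compromise behaviours of a Tycoon2FA-style intrusion that lands in a tenant's own audit log, so it is worth having a triage script ready. The following is an added example written for this digest; it is not CrowdStrike's code or anything from the Tycoon2FA report. It reads constructed, simplified Microsoft 365 Unified Audit Log records (JSON, one per line) and flags inbox rules with the traits that usually accompany business email compromise staging: forwarding or redirecting mail to an external address, deleting or marking messages read, moving them into rarely opened folders, filtering on payment or credential keywords, and rules with blank or one-character names. The parameter names (`Name`, `ForwardTo`, `RedirectTo`, `DeleteMessage`, `MoveToFolder`, `MarkAsRead`, `SubjectContainsWords`, `BodyContainsWords`) are the real Exchange Online inbox-rule cmdlet parameters; the folder list, keyword list, internal domain and the sample records are assumptions a defender would replace with tenant-specific values.

```python
"""Triage M365 audit records for inbox rules that look like BEC staging.

Added example for this digest, not code from the report. The log lines
below are constructed; the keyword and folder lists are assumptions.
"""
import json

# Operations that create or modify a rule (real Exchange Online cmdlet names).
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Folders commonly used to hide mail from the mailbox owner (assumption, tune per tenant).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                  "deleted items", "conversation history"}

# Subject/body words that point at payment or credential fraud staging (assumption).
FRAUD_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance",
                  "password", "mfa", "verification", "hacked", "phish"}

# Domains treated as internal; any other forwarding target counts as external (assumption).
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample: four audit records in the style of the Unified Audit Log,
# reduced to the fields this script reads. None of these is real telemetry.
SAMPLE_LOG = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com",
                "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                               {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@example.com",
                "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "Vendor newsletters"},
                               {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "carol@example.com",
                "ClientIP": "203.0.113.55",
                "Parameters": [{"Name": "Name", "Value": "Sync"},
                               {"Name": "RedirectTo", "Value": "mailbox@external.invalid"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "UserLoggedIn", "UserId": "dave@example.com",
                "ClientIP": "198.51.100.9", "Parameters": []}),
]


def parse_parameters(record):
    """Flatten the UAL Parameters list into a name -> value dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def is_true(value):
    """UAL serialises booleans as strings such as 'True'."""
    return value.strip().lower() in {"true", "$true", "1"}


def is_external(address):
    """An address is external if its domain is not one of ours."""
    domain = address.strip().rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def split_words(value):
    """Multi-value parameters are stored as ';'-separated strings."""
    return {w.strip().lower() for w in value.split(";") if w.strip()}


def rule_reasons(params):
    """Return the reasons a rule looks like BEC staging (empty list if benign)."""
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if any(is_external(t) for t in split_words(params.get(key, ""))):
            reasons.append(f"{key} to external address")
    if is_true(params.get("DeleteMessage", "")):
        reasons.append("DeleteMessage enabled")
    folder = params.get("MoveToFolder", "").strip().lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder to hiding folder '{folder}'")
    if is_true(params.get("MarkAsRead", "")) and (folder or "DeleteMessage" in params):
        reasons.append("MarkAsRead combined with move/delete")
    words = split_words(params.get("SubjectContainsWords", "")) | \
        split_words(params.get("BodyContainsWords", ""))
    hits = sorted(words & FRAUD_KEYWORDS)
    if hits:
        reasons.append("fraud keywords: " + ", ".join(hits))
    if len(params.get("Name", "").strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons


def triage(lines):
    """Parse JSON audit lines and return one finding per suspicious inbox rule."""
    findings = []
    for line in lines:
        record = json.loads(line)
        if record.get("Operation") not in RULE_OPERATIONS:
            continue  # logins, mail reads etc. are out of scope here
        params = parse_parameters(record)
        reasons = rule_reasons(params)
        if reasons:
            findings.append({"user": record.get("UserId"), "client_ip": record.get("ClientIP"),
                             "operation": record["Operation"],
                             "rule_name": params.get("Name", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['user']} {f['operation']} '{f['rule_name']}' from {f['client_ip']}: "
              + "; ".join(f["reasons"]))
```

Run against the sample, the script flags Alice's rule (hidden folder, mark-as-read, payment keywords, one-character name) and Carol's (external redirect plus delete) while leaving Bob's newsletter rule alone. In production the same logic would be fed from `Search-UnifiedAuditLog` output or a SIEM export, and the client IP on each finding is the pivot for checking whether the rule was created from the same session that authenticated through the phishing proxy.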
UK Cyber Chief Urges ‘Full Court Press’ to Counter Rising Cyber Threats
NCSC CEO Richard Horne, speaking at RSAC 2026 in San Francisco on Tuesday, delivered one of the conference’s most direct calls to action — urging the global cybersecurity community to mount a “full court press” in response to a threat environment he described as more dangerous, more complex, and more consequential than at any previous point in the UK’s cybersecurity history, citing the convergence of aggressive state-sponsored campaigns, the weaponization of AI by adversaries, ransomware’s continued impact on critical services, and the exploitation of critical infrastructure as interconnected challenges that no single nation can address alone. Horne was candid about the UK’s own position, acknowledging that the NCSC has “not been able to keep pace” with the scale of threats facing British organizations and that the gap between defender capability and attacker capability is widening rather than narrowing — remarks that carry particular weight coming from the head of one of the world’s most respected national cyber agencies. His comments align closely with the NCA’s National Strategic Assessment released last week, which similarly called for structural transformation in how the UK organizes its law enforcement and intelligence response to cyber threats, and collectively suggest that British security leadership is entering a period of unusual public candor about the limitations of current defensive postures.
NCA Warns UK Construction Firms About Surging Invoice Fraud
The UK National Crime Agency has partnered with the National Federation of Builders to launch a targeted awareness campaign warning the construction sector that invoice fraud cost victims nearly £4 million in September 2025 alone across 83 reported cases — with construction and manufacturing together accounting for more than a quarter of all invoice fraud in 2024/25, more than any other industry sector. The NCA attributes construction’s disproportionate exposure to the sector’s structural complexity: a typical major construction project involves dozens of contractors, subcontractors, consultants, and suppliers with overlapping payment relationships, creating abundant opportunities for fraudsters to impersonate legitimate vendors, intercept email chains, or submit convincing fake invoices that accounts payable staff process without triggering unusual scrutiny. The campaign encourages a “Check, Verify, Never” approach — check for any changes to invoice details or payment urgency pressure, independently verify changes by calling a supplier on a previously confirmed number rather than one provided in a suspicious email, and never transfer funds until fully satisfied — a practical framework that applies equally to any organization in any sector dealing with complex supplier networks.
The post InfoSec News Nuggets 03/26/2026 appeared first on AboutDFIR – The Definitive Compendium Project.