Mar 24, 2026 - Technology

Iran-linked hackers target second U.S. medical institution, researchers say

Sam Sabin

Illustration of a photocopied image of a keyboard with elements of the Iranian flag. — Illustration: Aïda Amer/Axios

Iranian government-linked hackers hit a U.S. medical institution with ransomware in late February, right around when the war in Iran began, according to research released Tuesday.

Why it matters: This is the second known attack on an American health care organization since tensions between the U.S., Israel and Iran began this year.

Zoom in: Pay2Key, a ransomware gang that's been operating since 2020, appears to have used a compromised administrator's account to gain access to the organization.

Once inside, the hackers waited several days before deploying malware, which took only three hours to deploy and encrypt the files on the environment.
Incident responders at Beazley Security responded to the attack in late February and called in researchers at Halcyon to help study the malware.

Yes, but: No data was actually exfiltrated during this attack and the gang didn't make a ransom demand, according to the report.

The big picture: The Iranian government is known to use its own cyber capabilities, including those belonging to unofficial proxy groups, as a means to retaliate to kinetic warfare.

Driving the news: Last week, the FBI accused Iranian intelligence of running a pro-Iran hacktivist group that targeted U.S. medical device company Stryker.

The FBI also warned on Friday that Iran-linked hackers were using Telegram to push malware against dissidents, journalists and other opposition groups.

What to watch: President Trump and Iranian leaders have continued to threaten attacks on each other's infrastructure amid reports of potential peace talks.

Add Axios on Google

Iran-linked hackers target second U.S. medical institution, researchers say

What to read next