The story of one absurd hack of a clinic.

In the January build of the Pay2Key ransomware lurks an unpleasant surprise. Even when the encryption works "by all the rules", some of the data stays in place, and sometimes a large share of it. The disassembled sample shows how the mechanism is arranged inside and why victims can recover at least part of their files.
In late February, Pay2Key attacked a medical organization in the United States. According to Halcyon and Beazley Security, the attackers entered the network with stolen credentials, showed no activity for almost a week, then connected through TeamViewer and began harvesting passwords with Mimikatz and LaZagne. After that an archive was launched which unpacked the encryptor. Encryption took about three hours to complete.
The file from the attack on the clinic itself could not be found in public databases. But an earlier version of Pay2Key dated January 9, 2026 was discovered. The sample differs from the February one but uses the same set of tools and a similar delivery scheme. The encryptor is packed in a self-extracting 7z archive and carries auxiliary utilities inside, including a secure data deletion tool.
The program is built on the Mimic ransomware, which in turn grew out of the leaked Conti builder. The Everything utility is used to search for files, and processes that lock files are forcibly terminated through Windows system mechanisms. Before encryption, the malware stops dozens of services and processes, including databases, backups and system protection.
The cryptography is done carefully and without obvious errors. For each file a unique 32-byte key is generated using the built-in Windows random number generator. The ChaCha20 stream cipher is then used, and the keys themselves are protected through a Curve25519 key exchange. Without the attackers' private key the data cannot be decrypted.
An interesting detail: all files use a zero nonce, a one-time value that should normally be random. In practice this causes no problem, because the key is new for each file. No keystream is ever repeated, so the weakness does not materialize.
The decryption keys are stored locally in the session.tmp file in the C:\tepm directory. In the January version the malware does not send this file to a server. If the file is deleted or damaged, recovery becomes impossible even for the attackers themselves. Therefore, during an investigation, this file must be preserved first of all.
The main feature is the partial encryption mode. For large files the program encrypts only individual blocks and skips the rest. As a result, from 70% to 87% of the contents can remain in the clear. For databases, virtual disks and backups this is critical: a significant part of the information can be retrieved directly, even if the file structure is corrupted.
The encrypted blocks are usually 1 MB in size, and the distance between them is calculated from the key. The pattern changes from file to file, but on average most of the data is left untouched. At the same time the beginning and end of the file are always encrypted, so standard recovery tools often fail without additional processing.
In practice partial recovery is possible. Tables can be extracted from database files, files inside the disk from virtual machine images, and separate segments from archives. The data cannot be fully returned without the key, but the damage can be significantly reduced.
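A defender-side check for the partial encryption mode described above, as an added example that is not part of the original article or of the analyzed sample: an entropy scan that maps which regions of a file were left in the clear, reports the surviving fraction and carves the plaintext segments for further recovery. The block and window sizes, the entropy threshold and the sample "victim file" are constructed for the demo.

```python
import hashlib
import math
from collections import Counter

# Demo scale: 16 KiB blocks and 4 KiB windows stand in for the sample's 1 MB blocks.
BLOCK = 16 * 1024
WINDOW = 4 * 1024
THRESHOLD = 7.0  # bits/byte: ChaCha20 output scores near 8.0, text and DB pages far lower

def shannon_entropy(chunk: bytes) -> float:
    """Entropy in bits per byte (0.0 for an empty chunk)."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def map_regions(data: bytes, window: int = WINDOW, threshold: float = THRESHOLD):
    """Label each window 'encrypted'/'plain' and merge runs into (start, end, label)."""
    regions = []
    for off in range(0, len(data), window):
        end = min(off + window, len(data))
        label = "encrypted" if shannon_entropy(data[off:end]) >= threshold else "plain"
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], end, label)   # extend the current run
        else:
            regions.append((off, end, label))
    return regions

def plain_fraction(regions) -> float:
    """Share of the file that survived in the clear."""
    total = sum(e - s for s, e, _ in regions)
    return sum(e - s for s, e, l in regions if l == "plain") / total if total else 0.0

def carve_plain(data: bytes, regions):
    """Plaintext segments in file order, ready for table/VMDK/archive carving."""
    return [data[s:e] for s, e, l in regions if l == "plain"]

def _pseudo_ciphertext(n: int, seed: bytes) -> bytes:
    """Constructed, deterministic stand-in for ChaCha20 output (a SHA-256 counter stream)."""
    out = bytearray()
    for ctr in range(n // 32 + 1):
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
    return bytes(out[:n])

def build_sample() -> bytes:
    """Constructed victim file: encrypted head, plain, encrypted block, plain, encrypted tail."""
    row = b"INSERT INTO patients VALUES ('Jane Doe','1970-01-01','A+');\n"
    plain = (row * (4 * BLOCK // len(row) + 1))[: 4 * BLOCK]
    return (_pseudo_ciphertext(BLOCK, b"head") + plain + _pseudo_ciphertext(BLOCK, b"mid")
            + plain + _pseudo_ciphertext(BLOCK, b"tail"))
```

Against real files, use a window well below the 1 MB block size (for example 64 KiB) and keep in mind that compressed or already encrypted content scores high even where the ransomware never touched it.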
The January version of Pay2Key shows an important point. Even with strong cryptography, the attackers bet on speed rather than on complete destruction of the data. This approach speeds up the attack but leaves a chance of recovery if the traces are preserved and the service files are saved in time.
