Iranian Ransomware Is Coming for the United States

After a year of attacks on Israel, Iran’s hackers have another target.

By , a graduate student at Princeton University’s School of Public and International Affairs.
A person looks at a Google Earth map of the Middle East at an event at New York’s Whitney Museum of American Art.
A person looks at a Google Earth map of the Middle East at an event at New York’s Whitney Museum of American Art.
A person looks at a Google Earth map of the Middle East at an event at New York’s Whitney Museum of American Art on April 18, 2017. Timothy A. Clary/AFP via Getty Images

Hackers sponsored by the Iranian government were inside the networks of a U.S. children’s hospital earlier this year, poised to launch a ransomware attack at any moment. And that’s just the tip of the iceberg. On Nov. 17, the United States, Britain, and Australia issued a joint warning that Iranian actors have conducted ransomware attacks against U.S. targets and gained access to a wide range of critical infrastructure networks, including the children’s hospital, that would enable more attacks.

With much attention this year on Russian ransomware attacks against the United States, the Iranian threat may come as a surprise. Yet as Russian cybercriminal groups carried out ransomware attacks against a meat-processing company and a major U.S. oil pipeline, causing widespread gas shortages, Iranian ransomware groups were quietly emerging as a global force to be reckoned with elsewhere in the world.

Ransomware encrypts files on a victim’s computer. The perpetrator then demands ransom payments in exchange for decrypting the files and sometimes also threatens to leak the victim’s data. Ransomware is typically used by cybercriminals looking to make money off ransom payments—and thus is also a good way for governments to obfuscate their roles in cyberattacks. Attacks can be blamed on criminals, or governments can provide criminal groups with a safe haven to strike foreign targets that serve the government’s interests.

Hackers sponsored by the Iranian government were inside the networks of a U.S. children’s hospital earlier this year, poised to launch a ransomware attack at any moment. And that’s just the tip of the iceberg. On Nov. 17, the United States, Britain, and Australia issued a joint warning that Iranian actors have conducted ransomware attacks against U.S. targets and gained access to a wide range of critical infrastructure networks, including the children’s hospital, that would enable more attacks.

With much attention this year on Russian ransomware attacks against the United States, the Iranian threat may come as a surprise. Yet as Russian cybercriminal groups carried out ransomware attacks against a meat-processing company and a major U.S. oil pipeline, causing widespread gas shortages, Iranian ransomware groups were quietly emerging as a global force to be reckoned with elsewhere in the world.

Ransomware encrypts files on a victim’s computer. The perpetrator then demands ransom payments in exchange for decrypting the files and sometimes also threatens to leak the victim’s data. Ransomware is typically used by cybercriminals looking to make money off ransom payments—and thus is also a good way for governments to obfuscate their roles in cyberattacks. Attacks can be blamed on criminals, or governments can provide criminal groups with a safe haven to strike foreign targets that serve the government’s interests.

While Iranian ransomware may be relatively unfamiliar to Americans, it has been a part of everyday life in Israel for more than a year. Iranian actors have targeted almost every sector of Israel’s economy and society. From Tehran’s standpoint, ransomware has worked well against Israel, since it was not definitively attributed to the Iranian government for a long time. Iran’s successful use of ransomware against Israel has likely emboldened it to expand its focus to the United States. As the issue has become more pressing, the United States and Israel announced last month they would cooperate to combat ransomware—a first step in a broader expansion of U.S.-Israeli cybersecurity engagement.


In September 2020, an Israeli cybersecurity firm first detected Iranian ransomware activity against unspecified “prominent Israeli organizations.” Then, last December, Israeli companies came under a barrage of Iranian ransomware attacks from groups calling themselves Pay2Key and Black Shadow, which targeted an insurance firm and dozens of logistics companies as well as claimed to have attacked a defense contractor. Pay2Key (which appears to have rebranded itself as N3TW0RM) and Black Shadow attacks continued throughout 2021 against an Israeli finance company in March and several other companies, which hackers claim included H&M Israel, in May.

Over the past couple of months, a group called Moses Staff claimed to have conducted ransomware attacks as well as leaked data from targets like the Israeli Defense Ministry and several engineering companies. Among the leaked data were pictures of and sensitive correspondence from Israeli Defense Minister Benny Gantz as well as psychological and socioeconomic information on Israel Defense Forces soldiers. Since late October, Black Shadow has resurfaced with attacks against an LGBTQ+ dating app, a hospital, a web-hosting site, and two public transportation companies. The attackers leaked the records of 290,000 hospital patients and the information of thousands of the dating app’s users.

Israeli officials have linked Black Shadow to the Iranian government while Microsoft has attributed some of the attacks against Israel since 2020 to Iranian nation-state cyber actors, including those conducted by Pay2Key and N3TW0RM. An Israeli cybersecurity company attributed the initial ransomware activity in September 2020 to contractors for the Iranian military, though it is not known if those individuals acted as part of their military work or independently. Although the full extent of Tehran’s involvement remains unclear, the government appears to be connected to at least some of the operations.

Iran’s ransomware campaign appears to be on the brink of global expansion.

This cyber campaign against Israel is taking place amid an escalating shadow war between Iran and Israel. The conflict has also been marked by lethal airstrikes in Syria, the assassination of an Iranian nuclear scientist, vessels under attack at sea, explosions at nuclear sites, and drone attacks. This rising tension, punctuated by Israel’s announcement in October that it will train for airstrikes on Iran’s nuclear program as the latter’s breakout time shortens, is ripe for intensification. A tit-for-tat cyber conflict could further escalate within cyberspace or provoke a response from either side in another military domain. Either scenario would threaten the nuclear talks that resumed last month.

Now, Iran’s ransomware campaign appears to be on the brink of global expansion. Between March and October, Iranian government-sponsored actors gained access to U.S. health care, public health, and transportation networks, according to the recent warning by the United States, Britain, and Australia. (The warning did not explicitly state whether the government-sponsored actors are conducting these operations at Tehran’s behest or whether their government sponsorship is independent of these specific operations.)

Among those targets were a U.S. hospital specializing in children’s health care and a municipal government. At some point in this time frame, the actors launched ransomware attacks on some of these networks. Australia has identified similar activity by the same actors against its networks.

The scale and scope of Iranian ransomware attacks deployed against Israel does not bode well for the United States. Largely due to Iranian hackers, Israel is possibly facing the highest number of ransomware attacks in the world. Among 140 countries covered in a Google-commissioned report released in October, Israel suffered the most ransomware attacks by far, with an almost 600 percent increase since 2020. According to Microsoft, Israel is experiencing a new wave of Iranian ransomware attacks on an average of every six to eight weeks. If Iran expands its attacks to the United States or other countries, they could face a similar fate.

It is not only the frequency of Iranian attacks that should raise concern, but also that they could cause a serious disruption to U.S. society. From 2015 to 2018, two individuals based in Iran but unaffiliated with the government carried out ransomware attacks against the city of Atlanta and more than 200 other civilian targets primarily in the United States, costing more than $30 million. Those attacks—which were the last known instance of Iranian ransomware operations against the United States until this year—show what Iranian cyber actors are capable of when they target the kinds of local U.S. networks they have now infiltrated more widely. Indeed, local and municipal government networks are some of the least secure in the country due to lack of investment.

That Iranian government-sponsored actors chose to deploy ransomware attacks against the United States during what seems like Tehran’s best chance at a nuclear deal in years may seem surprising, especially since this activity comes after a seven-year lull in Iranian government cyberattacks against the United States. (Iran’s U.S.-focused cyberattacks started shortly after it accused the United States and Israel in 2011 of being behind a cyberattack against Iranian nuclear infrastructure.) The last Iranian government cyberattack on the United States prior to 2021 occurred in 2014, when Tehran targeted Sands Casino in Las Vegas, Nevada, after its owner, Sheldon Adelson, suggested the United States conduct a nuclear attack on Iran. Cyber operations stopped after that, coinciding with the nuclear deal’s signing.

When the Trump administration backed out of the deal in 2018 and subsequently initiated its maximum pressure campaign, Iran could have resumed its cyberactivity against the United States. It no longer had the same incentive to exercise restraint—especially in the wake of the U.S. airstrike that killed Iranian military commander Qasem Soleimani in January 2020. Indeed, just after Soleimani’s death, the U.S. Department of Homeland Security issued a warning on the prospects for an Iranian cyberattack. That cyberattack never came.

Iran could be more willing to target the United States now that it has developed a ransomware capability that gives it increased deniability due to ransomware’s traditional use as a cybercrime tactic. It’s unclear whether Tehran is directing the operations or just providing a safe haven, but regardless of the extent of its direct involvement, Tehran may view the ransomware attacks as an avenue to obtain leverage against the United States during nuclear talks. States often seek to use cyberattacks to coerce other states to change their behavior, as Russia might have sought to do when targeting Ukraine’s power grid in 2015 and 2016, for instance. However, these attacks are generally not effective at coercion since they are covert and, therefore, hard to use to send a clear message.

Nevertheless, Iran may hope the ransomware attacks weaken the United States by undermining its domestic stability through disrupting civilian services and imposing economic costs associated with ransom payments and recovery.


The most pressing action the United States can take to stem these attacks is to engage with Israel. The U.S. Treasury Department took the first step in doing so on Nov. 14, when U.S. Deputy Treasury Secretary Wally Adeyemo traveled to Israel to establish a U.S.-Israeli task force on fintech and cybersecurity, which will place significant emphasis on combatting ransomware attacks. The task force will facilitate technical exchanges and information sharing among other measures. The Treasury Department is currently drafting a memorandum of understanding with Israel as the first stage of the newly announced task force. It should prioritize intelligence sharing with Israel to better understand the Iranian ransomware actors, their tactics, and their global operations.

The United States should also encourage Israel to make public any Iranian government ties it finds to future ransomware attacks, which Israel hasn’t done in the past. Such attribution would send a message to Iran—as well as Russia and China—that the international community can identify government support of ransomware. This may make those countries question their future use of cybercrime tactics to cover up government cyber operations.

In May 2020, shortly before the Iranian ransomware attacks commenced, Yigal Unna, director-general of Israel’s National Cyber Directorate, declared a “cyber winter is coming.” Israel is now deep into this winter, and the United States should take steps to stop its spread.

Jennifer Shore is a graduate student at Princeton University’s School of Public and International
Affairs. She was previously a fellow at the White House National Economic Council during the
Obama administration.

Join the Conversation

Commenting on this and other recent articles is just one benefit of a Foreign Policy subscription.

Already a subscriber? .

Join the Conversation

Join the conversation on this and other recent Foreign Policy articles when you subscribe now.

Not your account?

Join the Conversation

Please follow our comment guidelines, stay on topic, and be civil, courteous, and respectful of others’ beliefs. Comments are closed automatically seven days after articles are published.

You are commenting as .

More from Foreign Policy

Soldiers of the P18 Gotland Regiment of the Swedish Army camouflage an armoured vehicle during a field exercise near Visby on the Swedish island of Gotland on May 17.
Soldiers of the P18 Gotland Regiment of the Swedish Army camouflage an armoured vehicle during a field exercise near Visby on the Swedish island of Gotland on May 17.

What Are Sweden and Finland Thinking?

European leaders have reassessed Russia’s intentions and are balancing against the threat that Putin poses to the territorial status quo. 

Ukrainian infantry take part in a training exercise with tanks near Dnipropetrovsk oblast, Ukraine, less than 50 miles from the front lines, on May 9.
Ukrainian infantry take part in a training exercise with tanks near Dnipropetrovsk oblast, Ukraine, less than 50 miles from the front lines, on May 9.

The Window To Expel Russia From Ukraine Is Now

Russia is digging in across the southeast.

U.S. President Joe Biden and Secretary of State Antony Blinken participate in a virtual summit with the leaders of Quadrilateral Security Dialogue countries at the White House in Washington on March 12.
U.S. President Joe Biden and Secretary of State Antony Blinken participate in a virtual summit with the leaders of Quadrilateral Security Dialogue countries at the White House in Washington on March 12.

Why China Is Paranoid About the Quad

Beijing has long lived with U.S. alliances in Asia, but a realigned India would change the game.

Members of the National Defence Training Association of Finland attend a training.
Members of the National Defence Training Association of Finland attend a training.

Finns Show Up for Conscription. Russians Dodge It.

Two seemingly similar systems produce very different militaries.