Recorded Future A.I CyberSecurity Scoring
Recorded Future
Company Information
Website: http://www.recordedfuture.com
Number of employees: 1,152
Number of followers: 87,544
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: recordedfuture.com
Recorded Future Risk Score (AI oriented)
Between 650 and 699
Updated: 31/03/2026
687/1000
Weak
B
Current Score: 687 B (WEAK)
1 incident
0 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026: 692
JUNE 2026: 691
MAY 2026: 690
APRIL 2026: 688
MARCH 2026: 687
FEBRUARY 2026: 686
JANUARY 2026: 684
DECEMBER 2025: 681
NOVEMBER 2025: 681
OCTOBER 2025: 679
SEPTEMBER 2025: 678
AUGUST 2025: 676
AUGUST 2024: 759
Ransomware
01 Aug 2024 • Recorded Future
ALPHV/BlackCat and Pay2Key: Iranian hackers target US critical infrastructure through ransomware proxies, KELA warns
Iranian State-Backed Threat Actors Blur Lines Between Cybercrime and Espionage
652
CRITICAL-107
RECKEL1774988711
Recent intelligence from KELA reveals a troubling evolution in Iranian state-sponsored cyber operations, where nation-state actors increasingly collaborate with criminal ransomware groups to conduct financially motivated attacks under the guise of extortion. Rather than operating standalone ransomware cartels, these groups now embed themselves within the cybercriminal ecosystem, acting as initial access brokers, partnering with ransomware affiliates, and deploying pseudo-ransomware to mask destructive campaigns as profit-driven attacks.
A prime example is Pay2Key, an Iran-linked ransomware operation that has resurfaced as a professionalized Ransomware-as-a-Service (RaaS) platform on the anonymous I2P network. The group now actively recruits affiliates from Russian cybercrime forums, offering an 80% profit share (up from the typical 70%) for attacks targeting U.S. and Israeli organizations. This model poses significant compliance risks: victims paying ransoms may unknowingly fund OFAC-sanctioned Iranian entities, exposing themselves to severe legal and financial penalties.
A joint advisory from the FBI, CISA, and DoD Cyber Crime Center in August 2024 highlighted groups like Pioneer Kitten (UNC757/Fox Kitten), which specialize in exploiting vulnerabilities in VPNs and firewalls to gain initial access. Instead of deploying their own ransomware, these actors hand off compromised networks to affiliates such as NoEscape, RansomHouse, and ALPHV/BlackCat, taking a cut of ransom payments. This collaboration enables Iranian hackers to generate revenue while providing ransomware groups with streamlined access to high-value targets, including healthcare, education, and financial institutions in the U.S.
Pay2Key’s evolution underscores Iran’s use of ransomware as a geopolitical tool. Initially launched in 2020 by the Fox Kitten group to target Israeli organizations, the operation combined extortion with information warfare, leveraging data leaks to pressure adversaries. By 2025, it had rebranded as Pay2Key.I2P, adopting a more aggressive, scalable RaaS model that blends political objectives with criminal enterprise.
Beyond financial motives, Iranian actors have repeatedly used ransomware-style encryption as a cover for destruction. The Agrius APT group, for instance, repurposed the Apostle malware, originally a data wiper, into a ransomware variant, disguising sabotage as extortion. A similar tactic was observed in July 2022, when an Iranian state-sponsored actor deployed ROADSWEEP ransomware alongside a destructive wiper against Albanian government networks, framing the attack as a ransom operation although its true intent was disruption.
Attribution challenges are further complicated by "moonlighting," where Iranian operatives use state-provided tools and access for personal financial gain. In April 2024, the U.S. DOJ and Treasury Department sanctioned individuals linked to Mahak Rayan Afraz, a front company for the IRGC’s Cyber-Electronic Command, after operatives were found running ransomware schemes alongside official state duties.
The convergence of state-sponsored cyber warfare and cybercrime creates serious legal and operational risks for organizations. Paying ransoms to seemingly independent groups may violate OFAC sanctions if those groups have undisclosed ties to Iran, leading to heavy penalties. The shift demands heightened vigilance, as traditional security measures such as patching and backups must now account for hybrid threats that blend espionage, sabotage, and financial crime.