SafePay Ransomware: A New Threat with Sophisticated Techniques

### #Ransomware #CyberThreats #SafePay

Summary: Huntress analysts have identified a new ransomware strain named SafePay, which exhibits advanced techniques and shares similarities with the notorious LockBit ransomware. Its sophisticated deployment methods and unique characteristics pose a significant threat to organizations.

Threat Actor: SafePay Group (SafePay)
Victim: Various Organizations

Key Points:

  • SafePay uses the .safepay file extension and a ransom note named readme_safepay.txt.
  • The ransomware employs a two-phase attack model: data collection and exfiltration followed by encryption deployment.
  • Advanced capabilities include UAC bypass, anti-analysis features, and a language-based killswitch targeting non-Cyrillic systems.
  • SafePay’s operators maintain a presence on the Tor network and have a leak site for stolen data.
  • Its methods suggest the use of leaked LockBit source code, indicating a connection to established ransomware families.

In October 2024, Huntress analysts uncovered a previously unreported ransomware strain, dubbed SafePay, deployed across two distinct incidents. This ransomware has unique characteristics, including the use of .safepay as the encrypted file extension and a ransom note titled readme_safepay.txt. Despite its obscurity, SafePay’s methods and tactics hint at a seasoned operator leveraging advanced ransomware techniques.

SafePay emerged as a stealthy but sophisticated ransomware strain with ties to older, well-known ransomware families like LockBit. Huntress analysts note, “During our analysis of the ransomware binary, we began to notice a large number of similarities to the extensively analyzed LockBit samples from the end of 2022.” The similarities suggest the possibility that SafePay’s developers used leaked LockBit source code to create their malware.

SafePay’s deployment typically follows a two-phase attack model:

  1. Data Collection and Exfiltration: In the first observed incident, the attackers leveraged WinRAR to archive data across multiple hosts before exfiltrating it using FileZilla. Huntress analysts commented, “This activity looks like potential data exfiltration from the network, collected and archived with WinRAR and then possibly exfiltrated out using FTP.” The attackers even uninstalled these tools after each use, further concealing their tracks.
  2. Encryption Deployment: Using Remote Desktop Protocol (RDP) access, the attackers executed ransomware scripts via PowerShell to target network shares. They employed commands such as disabling shadow copies (wmic shadowcopy delete) and tampering with boot configurations to thwart recovery efforts. Their ransom note begins ominously: “Greetings! Your corporate network was attacked by SafePay team,” and includes instructions for negotiating the return of stolen data.
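As an added example (not code from the Huntress report or this article), the following Python hunt runs over constructed process-creation events and flags the recovery-inhibition commands described above, plus the WinRAR-then-FileZilla sequence from the first phase. The bcdedit command line, the 60-minute pairing window and the sample events are assumptions; the article names no boot-configuration tool.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events; not real telemetry from either incident.
EVENTS = [
    {"ts": "2024-10-12T01:10:04", "host": "fs01", "image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "cmdline": "WinRAR.exe a -r -ep1 C:\\temp\\fs01.rar \\\\fs01\\share$"},
    {"ts": "2024-10-12T01:25:41", "host": "fs01", "image": "C:\\Program Files\\FileZilla FTP Client\\filezilla.exe",
     "cmdline": "filezilla.exe"},
    {"ts": "2024-10-13T03:02:17", "host": "fs01", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2024-10-13T03:02:19", "host": "fs01", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},   # assumed boot-config tampering command
    {"ts": "2024-10-13T09:30:00", "host": "ws07", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic os get caption"},                          # benign wmic use, must not fire
]

# Single-event rules keyed on the command line (shadow copy deletion is from the article).
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("boot_config_tampering", re.compile(r"\bbcdedit\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]

def match_rules(events):
    """Return one finding per event whose command line matches a recovery-inhibition rule."""
    findings = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "ts": ev["ts"], "rule": name})
    return findings

def archive_then_transfer(events, window_minutes=60):
    """Flag a host where a WinRAR archiving run is followed by FileZilla within the window."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in by_host.items():
        last_archive = None
        for ev in evs:
            exe = ev["image"].lower().rsplit("\\", 1)[-1]
            if exe == "winrar.exe":
                last_archive = datetime.fromisoformat(ev["ts"])
            elif exe == "filezilla.exe" and last_archive is not None:
                if datetime.fromisoformat(ev["ts"]) - last_archive <= timedelta(minutes=window_minutes):
                    findings.append({"host": host, "ts": ev["ts"], "rule": "archive_then_transfer"})
    return findings

def hunt(events):
    """Combine both detections into one list of findings for triage."""
    return match_rules(events) + archive_then_transfer(events)
```

Because the operators uninstalled WinRAR and FileZilla after each use, the paired-sequence rule is worth running over retained historical events rather than only on the live host state.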

SafePay exhibits a range of advanced capabilities to maximize its impact:

  • UAC Bypass and Privilege Escalation: The ransomware uses a COM object technique to bypass User Account Control (UAC) and escalate privileges. This method, seen in other ransomware families like BlackCat, allows attackers to execute malicious commands with elevated rights.
  • Anti-Analysis Features: SafePay employs string obfuscation and thread creation methods that evade traditional detection techniques. Huntress analysts identified “a custom implementation that provides better anti-analysis capabilities” for its encryption worker threads.
  • Language-Based Killswitch: Before encrypting files, SafePay checks for Cyrillic system languages to avoid infecting machines in Eastern European countries, a common tactic among ransomware groups.

The SafePay ransomware group maintains a presence on both the Tor network and The Open Network (TON), a decentralized internet platform. Their leak site lists victim organizations and provides downloadable files, either as a directory structure or the stolen data itself. Huntress analysts discovered that the site’s backend server was vulnerable, exposing its Apache server status endpoint, and providing valuable insights into the group’s operations.

While SafePay is relatively new to the ransomware scene, its sophisticated tactics and ties to LockBit suggest it poses a significant threat to organizations across industries. As Huntress analysts conclude, “The threat actor was able to use valid credentials to access customer endpoints, and was not observed enabling RDP, nor creating new user accounts, nor creating any other persistence.”

Source: https://securityonline.info/safepay-ransomware-a-new-threat-with-sophisticated-techniques