Category | Details |
---|---|
Threat Actors | SafePay ransomware group; a previously little-known cybercrime operation with limited discussion on illicit forums. |
Campaign Overview | Observed in October 2024; SafePay ransomware was deployed, appending the .safepay extension to encrypted files and dropping the ransom note readme_safepay.txt . |
Target Regions/Victims | Affected multiple business verticals and geographies; 22 victims listed on the group’s leak site. |
Methodology | – Access via Remote Desktop Protocol (RDP) – Data staged with WinRAR and exfiltrated with FileZilla – Encryption launched via regsvr32.exe with command-line flags for UAC bypass, self-deletion, and network propagation. |
Product Targeted | Windows hosts; Microsoft Defender was disabled on victim systems before encryption. |
Malware Reference | Shares code with LockBit: a killswitch that aborts on systems with a Cyrillic language setting, and strings obfuscated with a XOR loop. |
Tools Used | – WinRAR for archiving – FileZilla for FTP – regsvr32.exe for ransomware execution – PowerShell scripts such as ShareFinder.ps1 (PowerView share enumeration). |
Vulnerabilities Exploited | No software vulnerability exploitation was reported. Windows Defender settings were disabled through the GUI, and UAC was likely bypassed by abusing an elevated COM object (e.g., CMSTPLUA). |
TTPs | – Defense evasion by disabling Defender – Data exfiltration before encryption (double extortion via the leak site) – Privilege escalation using token impersonation and ZwSetThreadInformation. |
Attribution | Analysts noted similarities to LockBit, potentially indicating code reuse from leaked LockBit samples. |
Recommendations | – Alert on changes to Defender settings and on privilege-escalation activity – Use Sigma rules to detect Defender real-time protection (RTP) changes and WinRAR misuse – Harden RDP (restrict exposure, require MFA). |
Source | Huntress Blog |
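The two Sigma detections the recommendations call for (Defender real-time protection disabled, WinRAR used to stage data) can be prototyped offline before they are loaded into a SIEM. The block below is an added example and is not code from Huntress or from the SafePay analysis: it implements a reduced Sigma-style matcher (wildcards, OR-ed value lists, case-insensitive comparison, `1 of` / `all of` conditions) and runs it over constructed Windows event records. The sample events, field names and the `-hp`/UNC-path heuristic for WinRAR staging are assumptions for illustration; the actual SafePay command lines are not given in the summary.

```python
"""Sigma-style matching for two SafePay-related detections over constructed
Windows events: Defender real-time protection disabled, and WinRAR used to
stage data for exfiltration. Added example, not Huntress or SafePay code."""
import fnmatch

# Constructed sample telemetry (not real logs). Field names follow the Sigma
# conventions for the Defender operational log and Sysmon (EventID 1 = process
# creation, EventID 13 = registry value set).
SAMPLE_EVENTS = [
    # Defender operational log 5001: real-time protection turned off
    {"Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 5001},
    # Sysmon 13: DisableRealtimeMonitoring policy value set to 1
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 13,
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
                     r"\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    # Sysmon 1: WinRAR adding a file share to a password-protected archive
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r"Rar.exe a -r -hpPassw0rd C:\Users\Public\fin.rar \\fs01\finance"},
    # Sysmon 1: benign WinRAR extraction of a download
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r"WinRAR.exe x C:\Users\alice\Downloads\report.zip"},
    # Defender 2000: benign signature update
    {"Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 2000},
]

# Rules in a reduced Sigma shape. A selection is a dict of field -> pattern;
# a list of patterns is OR-ed (Sigma semantics); '*' is a wildcard. The
# condition is either '1 of' or 'all of' the selections.
RULES = [
    {"title": "Defender real-time protection disabled",
     "condition": "1 of",
     "selections": [
         {"Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 5001},
         {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 13,
          "TargetObject": r"*\Windows Defender\*\DisableRealtimeMonitoring",
          "Details": "DWORD (0x00000001)"},
     ]},
    {"title": "WinRAR archiving with password or network share (staging)",
     "condition": "all of",
     "selections": [
         {"EventID": 1, "Image": [r"*\Rar.exe", r"*\WinRAR.exe"]},
         {"CommandLine": "* a *"},                 # 'a' = add files to archive
         {"CommandLine": ["* -hp*", r"*\\*"]},     # -hp = encrypt headers; UNC source
     ]},
]


def _field_matches(value, pattern) -> bool:
    """Match one field value: lists are OR-ed, ints compared exactly, strings
    matched case-insensitively with '*' wildcards (fnmatch keeps '\\' literal)."""
    if isinstance(pattern, list):
        return any(_field_matches(value, p) for p in pattern)
    if isinstance(pattern, int):
        return value == pattern
    return fnmatch.fnmatchcase(str(value).lower(), str(pattern).lower())


def _selection_matches(selection, event) -> bool:
    """Every field in a selection must match (AND); a missing field never matches."""
    return all(field in event and _field_matches(event[field], pat)
               for field, pat in selection.items())


def match_rule(rule, event) -> bool:
    """Evaluate a rule's condition over its selections for one event."""
    hits = [_selection_matches(sel, event) for sel in rule["selections"]]
    return all(hits) if rule["condition"] == "all of" else any(hits)


def run_rules(events, rules=RULES):
    """Return (rule title, event index) for every rule that fires on an event."""
    return [(rule["title"], idx)
            for idx, event in enumerate(events)
            for rule in rules if match_rule(rule, event)]


if __name__ == "__main__":
    for title, idx in run_rules(SAMPLE_EVENTS):
        print(f"[{idx}] {title}")
```

Against the constructed events the first rule fires on both the Defender 5001 event and the Sysmon registry change, the second fires only on the `Rar.exe a ... -hp... \\fs01\...` command line, and the benign extraction and signature update stay quiet. The `1 of` condition on the Defender rule is deliberate: the GUI toggle the summary describes produces the 5001 event but not necessarily a policy-key write, so either signal on its own should alert.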
Disclaimer: The above summary has been generated by an AI language model.