| Category | Details |
|---|---|
| Threat Actors | SafePay Ransomware group; obscure cybercrime gang with limited discussion on illicit forums. |
| Campaign Overview | Observed in October 2024; involved deployment of SafePay ransomware with the encrypted file extension .safepay and ransom note readme_safepay.txt. |
| Target Regions/Victims | Affected multiple business verticals and geographies; 22 victims listed on the group’s leak site. |
| Methodology | Initial access via Remote Desktop Protocol (RDP); data exfiltration using tools such as WinRAR and FileZilla; encryption executed through regsvr32.exe with flags for UAC bypass, self-delete, and network propagation. |
| Product Targeted | Windows-based systems, especially those running Microsoft Defender. |
| Malware Reference | Derived from LockBit ransomware; includes a Cyrillic-language killswitch and XOR-loop string encryption. |
| Tools Used | WinRAR for archiving; FileZilla for FTP transfer; regsvr32.exe for ransomware execution; PowerShell scripts such as ShareFinder.ps1. |
| Vulnerabilities Exploited | Windows Defender settings disabled via GUI; likely UAC bypass using COM Object (e.g., CMSTPLUA). |
| TTPs | Defense evasion by disabling Defender; data exfiltration before encryption; privilege escalation using token impersonation and ZwSetThreadInformation. |
| Attribution | Analysts noted similarities to LockBit, potentially indicating code reuse from leaked LockBit samples. |
| Recommendations | Monitor unusual Defender settings changes and privilege-escalation activity; use Sigma rules to detect Defender real-time protection (RTP) changes and WinRAR misuse; harden RDP access. |
| Source | Huntress Blog |
Disclaimer: The above summary has been generated by an AI language model.
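As an added illustration of the Recommendations row (not code from the Huntress report or the summary above), the following Python correlates the chain this summary describes per host: Defender RTP disabled, archiving/FTP tooling, regsvr32.exe execution, and the .safepay / readme_safepay.txt artifacts. Host names, event shapes and weights are constructed assumptions.

```python
"""Score hosts on the SafePay-style chain described in the summary table.

Events are constructed tuples (host, event_type, detail); a real deployment
would feed Sysmon / Defender Operational telemetry into the same logic.
"""
from collections import defaultdict

# Constructed sample telemetry, not data from any real incident.
EVENTS = [
    ("ws-01", "defender_rtp_disabled", ""),
    ("ws-01", "process", "winrar.exe"),
    ("ws-01", "process", "filezilla.exe"),
    ("ws-01", "process", "regsvr32.exe"),
    ("ws-01", "file_rename", r"C:\Users\a\Documents\report.docx.safepay"),
    ("ws-01", "file_create", r"C:\Users\a\Documents\readme_safepay.txt"),
    ("ws-02", "process", "winrar.exe"),  # benign archiving alone
]

# Assumed weights: regsvr32.exe is a legitimate Windows binary, so by itself
# it stays below the alert threshold; the SafePay artifacts are decisive.
STAGE_WEIGHTS = {
    "defense_evasion": 3,
    "exfil_tooling": 2,
    "regsvr32_exec": 3,
    "safepay_artifact": 5,
}

def classify(event_type, detail):
    """Map one event to a stage of the described chain, or None."""
    d = detail.lower()
    if event_type == "defender_rtp_disabled":
        return "defense_evasion"
    if event_type == "process" and d in ("winrar.exe", "filezilla.exe"):
        return "exfil_tooling"
    if event_type == "process" and d == "regsvr32.exe":
        return "regsvr32_exec"
    if event_type in ("file_rename", "file_create") and (
            d.endswith(".safepay") or d.endswith("readme_safepay.txt")):
        return "safepay_artifact"
    return None

def score_hosts(events):
    """Return {host: (score, sorted stage names)} over distinct stages seen."""
    stages = defaultdict(set)
    for host, event_type, detail in events:
        stage = classify(event_type, detail)
        if stage:
            stages[host].add(stage)
    return {h: (sum(STAGE_WEIGHTS[s] for s in st), sorted(st))
            for h, st in stages.items()}

def alerts(events, threshold=5):
    """Hosts whose combined stage score reaches the threshold."""
    return {h: v for h, v in score_hosts(events).items() if v[0] >= threshold}
```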