The sudden resemblance to LockBit reveals the secret connections of the ransomware groups.
In October 2024, Huntress analysts recorded two incidents related to the spread of the new SafePay ransomware virus. A special feature was the use of the unique '.safepay' extension and an extortionist file named 'readme_safepay.txt'. Prior to this, there had been no cases of such software.
On the darknet, SafePay actively uses TOR onion routing, and also uses the decentralized TON messenger for communication. The attackers' leak site contains lists of 22 victims with the ability to download stolen data, raising questions about the security of their corporate networks.
In the first incident, hackers infiltrated through RDP, disabling Windows Defender protection. They used the WinRAR utility to archive the files and presumably uploaded them using the FileZilla FTP program. It all ended with the encryption of files on network resources, accompanied by the deletion of shadow copies and the disabling of system recovery.
In the second case considered, the attackers also used RDP, but bypassed the protection in a different way. The antivirus detected the encryption process, but could not stop it. As in the first case, a threatening text message demanding a ransom is left as a result.
Analysis of the malicious code revealed similarities between the SafePay software and LockBit. In particular, the software checks that it is not being run in Eastern European countries and actively bypasses antivirus protections. Notably, its file encryption and flow management are organized for efficiency and stealth.
The Huntress research team notes that SafePay uses proven tools such as PowerShell scripts to find network resources and WinRAR to archive data. This indicates the high level of experience of attackers, as well as the need to strengthen companies' cyber defenses, especially when using RDP.
Source
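The two host-based indicators the post gives are the '.safepay' extension appended to encrypted files and the ransom note 'readme_safepay.txt' dropped alongside them. The following Python is an added example (not code from Huntress or from the post) that turns those into a simple detector over file-activity events: one creation of the note is alerted on immediately, and a burst of '.safepay' renames on one host inside a short window is flagged as mass encryption. The log format, the host names and paths, and the threshold/window values are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the write-up above.
ENCRYPTED_EXT = ".safepay"
RANSOM_NOTE = "readme_safepay.txt"

# Tunable thresholds (assumptions for this example, not values from the report):
# this many '.safepay' renames on one host inside WINDOW counts as mass encryption.
RENAME_THRESHOLD = 5
WINDOW = timedelta(minutes=2)

# Constructed file-activity log: "<iso-timestamp> <host> RENAME <src> -> <dst>"
# or "<iso-timestamp> <host> CREATE <path>". Not real telemetry.
SAMPLE_LOG = r"""2024-10-22T03:14:01 FS01 RENAME \\FS01\finance\q3.xlsx -> \\FS01\finance\q3.xlsx.safepay
2024-10-22T03:14:02 FS01 RENAME \\FS01\finance\budget.docx -> \\FS01\finance\budget.docx.safepay
2024-10-22T03:14:02 FS01 RENAME \\FS01\finance\payroll.csv -> \\FS01\finance\payroll.csv.safepay
2024-10-22T03:14:03 FS01 RENAME \\FS01\hr\contracts.pdf -> \\FS01\hr\contracts.pdf.safepay
2024-10-22T03:14:04 FS01 RENAME \\FS01\hr\staff.xlsx -> \\FS01\hr\staff.xlsx.safepay
2024-10-22T03:14:05 FS01 CREATE \\FS01\hr\readme_safepay.txt
2024-10-22T03:20:10 WS07 RENAME C:\Users\a\old.txt -> C:\Users\a\old.txt.safepay
2024-10-22T03:21:00 WS07 CREATE C:\Users\a\notes.txt
2024-10-22T03:30:00 WS09 RENAME C:\Temp\build.log -> C:\Temp\build.old"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>RENAME|CREATE)\s+(?P<rest>.+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    if rec["event"] == "RENAME":
        src, _, dst = rec["rest"].partition(" -> ")
        rec["src"], rec["dst"] = src, dst
    else:
        rec["src"], rec["dst"] = None, rec["rest"]
    return rec


def classify(rec):
    """Return which indicator a record matches ('encrypted_rename', 'ransom_note') or None."""
    target = rec["dst"].lower()
    if rec["event"] == "RENAME" and target.endswith(ENCRYPTED_EXT):
        return "encrypted_rename"
    # compare only the file name so the note is caught wherever it is dropped
    if rec["event"] == "CREATE" and target.rsplit("\\", 1)[-1] == RANSOM_NOTE:
        return "ransom_note"
    return None


def detect(lines):
    """Walk the log and return {host: sorted list of alert kinds}.

    'ransom_note'     - any creation of readme_safepay.txt (one event is enough)
    'mass_encryption' - at least RENAME_THRESHOLD '.safepay' renames within WINDOW
    """
    alerts = defaultdict(set)
    recent = defaultdict(list)  # host -> timestamps of recent '.safepay' renames
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind == "ransom_note":
            alerts[rec["host"]].add("ransom_note")
        elif kind == "encrypted_rename":
            window = recent[rec["host"]]
            window.append(rec["ts"])
            # slide the window: drop renames older than WINDOW
            while window and rec["ts"] - window[0] > WINDOW:
                window.pop(0)
            if len(window) >= RENAME_THRESHOLD:
                alerts[rec["host"]].add("mass_encryption")
    return {host: sorted(kinds) for host, kinds in alerts.items()}


if __name__ == "__main__":
    for host, kinds in detect(SAMPLE_LOG.splitlines()).items():
        print(host, ", ".join(kinds))
```

On the sample, only FS01 trips both rules; the single '.safepay' rename on WS07 stays below the burst threshold, which is the trade-off to tune against your own rename baseline. The note-name rule is the cheaper, higher-confidence signal, since a legitimate process has no reason to create that file.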