Decrypt LOL

SafePay Ransomware Incidents Reported by Huntress Analysts

4 min read

Quick take - In October 2024, Huntress analysts reported two incidents involving SafePay, a ransomware family not previously documented in open reporting. It encrypts files with the .safepay extension and was deployed over RDP after the actor reached the network through a VPN gateway with valid credentials, disabling Windows Defender and deleting volume shadow copies before encryption.

Fast Facts

  • In October 2024, Huntress analysts reported the emergence of SafePay ransomware, a previously undocumented family, in two incidents across customer environments.
  • The ransomware encrypts files with the .safepay extension and drops a ransom note named readme_safepay.txt, which points victims to a leak site listing 22 victims and their stolen data.
  • The actor accessed systems over RDP, disabled Windows Defender, archived files with WinRAR (FileZilla was briefly installed, consistent with exfiltration), then encrypted data on network shares while deleting volume shadow copies and disabling recovery options.
  • The binary resembles LockBit samples from late 2022; it terminates security-related processes and services, checks for Eastern European language settings, and enables SeDebugPrivilege for token impersonation.
  • Both intrusions originated from a VPN gateway using valid credentials; Huntress developed Sigma rules to detect changes to Windows Defender settings and related activity.

Huntress Reports SafePay Ransomware Incidents

In October 2024, Huntress analysts reported two significant incidents involving the deployment of SafePay ransomware across various customer infrastructures. This particular variant of ransomware had not been previously documented in open reporting, making these incidents noteworthy in the evolving landscape of cybercrime.

Ransomware Details

The ransomware encrypts files with the extension .safepay, and the ransom note associated with the attacks is named readme_safepay.txt. The SafePay ransomware group, while considered less prominent compared to more notorious cybercrime organizations, has begun to attract attention due to these incidents.

The ransom note included links to a V3 onion site, which directs victims to the group’s leak site, as well as a “TON” site that claims to be a decentralized internet platform. The leak site lists 22 victims and offers the option to download text files that describe the stolen data or, where available, the stolen data itself. Notably, the leak site’s download folder has directory indexing enabled, and the Apache server’s status endpoint exposes additional server details.

Incident Analysis

In the first incident, the threat actor used Remote Desktop Protocol (RDP) to reach the victim’s endpoint. Initial attempts to execute ShareFinder.ps1 were blocked by Windows Defender, but the actor then disabled Windows Defender through a series of commands. Approximately 40 minutes later, they archived files with WinRAR.exe on three different hosts. Shortly afterwards FileZilla was installed and executed, then quickly uninstalled. The same pattern of archiving files and uninstalling software continued the following day, which points to staged data exfiltration.

On the second day, the attacker logged in again via RDP and executed commands to encrypt files on network shares. Alongside the encryption, commands were run to delete volume shadow copies and disable recovery options. The Huntress platform generated alerts in response to the ransomware deployment activity.

In the second incident, the Huntress agent was deployed to only part of the environment, which limited visibility and detection. The threat actor logged into the Administrator account and also made multiple failed login attempts against a non-existent account. The ransomware executable was not recovered, as it was most likely launched from an endpoint without the Huntress agent installed. Windows Defender detected the ransomware process but did not prevent its execution.

Technical Insights

Further analysis of the ransomware binary showed similarities to LockBit samples from late 2022. The ransomware is executed via regsvr32.exe and accepts various flags that modify its behavior. The malware checks for Eastern European language settings and does not run in those regions. Strings within the binary are obfuscated with a three-step XOR loop, and the malware attempts to terminate specific processes and services before encryption.

Privilege escalation is achieved by enabling SeDebugPrivilege and impersonating tokens. Separately, the malware spawns multiple worker threads for encryption and network enumeration, which speeds up the run. The threat actor also disabled certain Windows Defender settings through the graphical user interface (GUI) rather than the command line, which is atypical for ordinary users and stands out in telemetry.

In response to these threats, Huntress developed Sigma rules to detect changes to Windows Defender settings and other suspicious activity observed in the intrusions. Both incidents were traced back to a VPN gateway, with the threat actor using valid credentials for access. The ransom note told victims that important data had been stolen and gave contact instructions for the threat actor. The report also lists Indicators of Compromise (IOCs) and maps the observed behaviors, including valid-credential VPN access, RDP use, Defender tampering and shadow copy deletion, to MITRE ATT&CK techniques.
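The two behaviors that preceded encryption in the first incident (Windows Defender disabled, then shadow copies deleted and recovery disabled) are exactly what the Sigma rules mentioned above target. The following Python is an added example, not Huntress’s published rules or code: it applies Sigma-style “contains” selections to a handful of constructed Windows event records (EventID 5007 from the Defender operational log and EventID 4688 process creation with command-line auditing) and then correlates the two technique classes per host. Event field names, the sample messages and the rule titles are assumptions chosen for illustration.

```python
"""Added example: Sigma-style matching over constructed Windows events.
Not the Huntress rules; illustrates the detection logic only."""
from dataclasses import dataclass

# Constructed sample events (not captured from the incidents). EventID 5007 is
# the Defender "configuration has changed" event; 4688 is Security process
# creation. Message text is simplified from the real event format.
SAMPLE_EVENTS = [
    {"EventID": 5007, "Host": "WS01",
     "Message": "Windows Defender Antivirus Configuration has changed. "
                "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
                "Real-Time Protection\\DisableRealtimeMonitoring = 0x1"},
    {"EventID": 4688, "Host": "WS01", "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "CommandLine": "WinRAR.exe a -r finance.rar \\\\fs01\\finance"},
    {"EventID": 4688, "Host": "WS01", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 4688, "Host": "WS01", "Image": "C:\\Windows\\System32\\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"EventID": 4688, "Host": "WS01", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"EventID": 4688, "Host": "WS01", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]


@dataclass
class Rule:
    title: str
    technique: str      # MITRE ATT&CK technique ID the rule maps to
    event_id: int
    selection: dict     # field -> substrings; every field must match, any substring per field


# Hypothetical rules written in the spirit of the Sigma rules the report mentions.
RULES = [
    Rule("Windows Defender real-time protection disabled", "T1562.001", 5007,
         {"Message": ["DisableRealtimeMonitoring = 0x1",
                      "DisableBehaviorMonitoring = 0x1",
                      "DisableIOAVProtection = 0x1"]}),
    Rule("Volume shadow copies deleted", "T1490", 4688,
         {"Image": ["\\vssadmin.exe", "\\wmic.exe"],
          "CommandLine": ["delete shadows", "shadowcopy delete"]}),
    Rule("Windows recovery disabled via bcdedit", "T1490", 4688,
         {"Image": ["\\bcdedit.exe"],
          "CommandLine": ["recoveryenabled no", "bootstatuspolicy ignoreallfailures"]}),
]


def _field_matches(value, needles):
    """Case-insensitive Sigma 'contains' against a list of alternatives."""
    value = value.lower()
    return any(n.lower() in value for n in needles)


def rule_matches(rule, event):
    """All selected fields must match (AND across fields, OR within a field)."""
    if event.get("EventID") != rule.event_id:
        return False
    return all(_field_matches(str(event.get(f, "")), needles)
               for f, needles in rule.selection.items())


def evaluate(events, rules=RULES):
    """Return (event index, rule) pairs for every event that matches a rule."""
    return [(i, r) for i, e in enumerate(events) for r in rules if rule_matches(r, e)]


def summarize(hits):
    """Count hits per rule title."""
    counts = {}
    for _, rule in hits:
        counts[rule.title] = counts.get(rule.title, 0) + 1
    return counts


def precursor_chain(events, rules=RULES):
    """True when one host shows both defence evasion (T1562.001) and
    inhibit-system-recovery (T1490) activity, in either order. Either alone
    has benign explanations (admins do disable real-time protection, backup
    jobs do prune shadow copies); together they are the pre-encryption pattern
    described in the first incident."""
    seen = {}
    for i, rule in evaluate(events, rules):
        seen.setdefault(events[i].get("Host"), set()).add(rule.technique)
    return any({"T1562.001", "T1490"} <= techs for techs in seen.values())


if __name__ == "__main__":
    for i, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {i}: {rule.title} [{rule.technique}]")
    print("precursor chain on a single host:", precursor_chain(SAMPLE_EVENTS))
```

The WinRAR archiving event deliberately matches nothing: on its own it is routine activity, and the report’s exfiltration inference came from the sequence (archive, install FileZilla, uninstall) rather than any single command, which is why the per-host correlation in precursor_chain is where the confidence comes from.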

Original Source: Read the Full Article Here
