An emerging and little-known cybercrime operation that deploys LockBit-based ransomware has claimed 22 victims so far, according to a report by Huntress published last week.
Huntress discovered that an obscure operation known as SafePay was behind two incidents targeting its customers in October 2024. Huntress was able to investigate the group and reverse engineer its ransomware binary due to weakness in both the SafePay website and the threat actor’s binary obfuscation method.
SafePay’s ransom note directs victims to both a Tor leak site and a site on “The Open Network,” or TON, which describes itself as a “decentralized and open internet, created by the community using a technology designed by Telegram,” according to Huntress.
The Tor site, which listed 22 victims as of November 14, 2024, was found to contain vulnerabilities allowing the researchers to index the site’s download folder and gain further details about the backend server due to an exposed Apache server status endpoint.
In the two incidents observed by Huntress targeted companies in different industries and geographies. SafePay made access to the infected endpoint via the Remote Desktop Protocol (RDP) and managed to successfully encrypt and extract before being detected.
SafePay’s ransomware tactics borrowed from other groups
In investigating the incidents, Huntress noted that not only did SafePay appear to have based their ransomware binary on a well-analyzed version of LockBit from late 2022, but the group also used several topics common to other groups including INC Ransomware and ALPHV/BlackCat.
The binary itself was easily reverse engineered, with strings obfuscated using a simple three-step XOR loop that included a random single-byte key, the index of each character and the first byte of kernel132.dll, which is “M.”
In the first SafePay ransomware incident, the threat actor was prevented by Windows Defender from running the PowerShell script ShareFinder.ps1 for network reconnaissance, and subsequently disabled Windows Defender using a sequence of living-off-the-land binaries (LOLBins) identical to that used in an INC Ransomware attack observed by Huntress earlier this year.
The threat actor then successfully ran ShareFinder.ps1 and, 40 minutes later, began using WinRAR to archive files to prepare them for exfiltration. The attacker also installed FileZilla, possibly to facilitate transfer of the stolen files via the File Transfer Protocol (FTP). After both WinRAR and FileZilla were executed, they were uninstalled by the threat actor, who then repeated the cycle of installation, execution and uninstallation again the next day.
After this within 15 minutes of logging back in via RDP, the SafePay threat actor began executing commands to encrypt files on the network, disable recovery and delete shadow copies. Although these activities were detected by Huntress’ platform, it was too late to prevent the encryption of files, the researchers wrote.
SafePay was noted to use a well-known method of User Account Control (UAC) bypass privilege escalation that has also been used by LockBit and ALPHV/BlackCat, which can be leveraged as an indicator to detect SafePay and other ransomware activity.
The threat actor also used other tactics common among ransomware actors, including additional privilege escalation through token impersonation and enabling of SeDebugPrivilege, selected process and service termination via ZwTerminateaProcess and ControlService, respectively, and the use of a Cyrillic-language-based killswitch to prevent execution of the malware in the Commonwealth of Independent States.
How to detect SafePay ransomware
Huntress notes that, in addition to rules for the UAC bypass privilege escalation technique SafePay uses, defenders can use rules based on some of SafePay’s defense evasion and data collection activities to detect this threat actor.
Notably, the researchers discovered that the SafePay threat actor appeared to interactively manipulate the desktop to manually change certain Windows Defender Virus & Threat Protection settings, which would be unusual for the average user to do on their own. Therefore, manipulation of Windows Defender settings via the graphical user interface (GUI) could be used as an indicator to detect a potential threat.
SafePay’s use of WinRAR to archive data targeted for exfiltration can also be an indicator of malicious activity, due to the commands used being uncommon in a typical use of WinRAR by a legitimate user.
A full list of indicators of compromise and tactics, techniques and procedures (TTPs) for SafePay are included at the end of Huntress’ blog post, including the names of workstations used by the threat actors in each incident.
