
SafePay Ransomware Gang Ramps up Attacks

Attacks by SafePay have been characterised by technical sophistication.

More than 200 organisations around the world have already been compromised by the SafePay ransomware group.

According to GBHackers News, citing an analysis from the Acronis Threat Research Unit, attacks by SafePay have been characterised by technical sophistication: the group exploits RDP and VPN connections to breach networks, uses exfiltrated credentials to circumvent endpoint protection systems, and then deletes shadow copies and logs to stay hidden.

SafePay later utilises the open-source ShareFinder.ps1 script for network share discovery and data exfiltration.

Beyond encrypting data, the SafePay payload uses XOR-based string decryption, dynamic library loading and argument parsing; it also alters the Windows registry for persistence and removes backups and recovery options through commands, researchers said.
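The shadow copy deletion, log clearing and recovery removal described above leave process-creation traces a defender can alert on. The following Python is an added example, not code from the article or from Acronis: it runs a handful of command-line patterns over constructed sample process events (assumed Sysmon-style fields host, user and cmd) and flags hosts where several of these behaviours cluster, which is a stronger ransomware-precursor signal than any single command.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "CORP\\jdoe", "cmd": "C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "user": "CORP\\jdoe", "cmd": "wmic shadowcopy delete"},
    {"host": "ws01", "user": "CORP\\jdoe", "cmd": "wevtutil.exe cl Security"},
    {"host": "ws01", "user": "CORP\\jdoe", "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"host": "ws02", "user": "CORP\\svc_backup", "cmd": "powershell.exe -ep bypass -f C:\\temp\\ShareFinder.ps1"},
    {"host": "ws03", "user": "CORP\\admin", "cmd": "vssadmin list shadows"},   # benign: listing, not deleting
    {"host": "ws03", "user": "CORP\\admin", "cmd": "notepad.exe C:\\notes.txt"},
]

# Rules: (name, regex over the command line). They cover the backup/recovery removal and
# log clearing the article attributes to SafePay, plus execution of ShareFinder.ps1.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("event_log_cleared", re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I)),
    ("sharefinder_execution", re.compile(r"sharefinder\.ps1", re.I)),
]

def classify(cmd: str) -> List[str]:
    """Return the names of every rule a single command line matches."""
    return [name for name, pattern in RULES if pattern.search(cmd)]

def detect(events: List[Dict[str, str]]) -> List[Dict]:
    """Return only the events that triggered at least one rule, tagged with the rule names."""
    hits = []
    for ev in events:
        names = classify(ev["cmd"])
        if names:
            hits.append({**ev, "rules": names})
    return hits

def hosts_with_multiple_techniques(events: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Hosts on which at least `threshold` distinct rules fired; in production the
    grouping would also be bounded by a time window."""
    per_host: Dict[str, set] = {}
    for hit in detect(events):
        per_host.setdefault(hit["host"], set()).update(hit["rules"])
    return sorted(h for h, rules in per_host.items() if len(rules) >= threshold)

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']}: {hit['rules']} <- {hit['cmd']}")
    print("hosts with multiple techniques:", hosts_with_multiple_techniques(SAMPLE_EVENTS))
```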

The threat posed by SafePay should prompt organisations to implement more robust RDP and VPN security defences, researchers added.


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
