What is SafePay Ransomware?
In Red Piranha's analysis conducted on November 21, 2024, SafePay ransomware was identified as a new entrant in the ransomware landscape. This previously undocumented strain first surfaced in October 2024 and has since been observed targeting multiple business sectors across the United Kingdom, United States, Australia, Italy, New Zealand, Canada, Argentina, Belgium, Barbados, Brazil, and Germany.
Our team documented two distinct deployment incidents of SafePay ransomware, which together indicate a campaign with potentially broad implications for organizations across industries. Among its distinguishing characteristics, the ransomware appends the .safepay extension to encrypted files and drops a ransom note named readme_safepay.txt. At the time of analysis this variant had no prior public documentation, marking it as a new and uncharted threat.
SafePay's tactics, techniques, and procedures (TTPs) warrant scrutiny, as they exemplify the adaptive strategies employed by modern ransomware operators. Understanding and mitigating such threats requires a proactive approach to threat intelligence, detection, and response.
Figure 1: Screenshot of Ransom Note used by SafePay Ransomware
As shown in Fig 1, the ransom note left by the SafePay ransomware is direct and coercive, emphasizing the severity of the attack and the consequences of non-compliance. It informs the victim that their files have been encrypted and are inaccessible without a unique decryption key, which can only be obtained by paying the demanded ransom.
The note includes instructions on how to contact the attackers, typically via an anonymous email address or messaging platform, and may provide a deadline to heighten urgency. Failure to comply within the specified timeframe often carries the threat of permanently losing the decryption key, rendering the victim's data unrecoverable. This message is crafted to instil fear and prompt quick payment, exploiting the victim’s dependency on their encrypted files.
What is the Kill Chain of SafePay Ransomware?
Fig 2: Screenshot of the Kill Chain of SafePay Ransomware
The SafePay ransomware kill chain begins with Execution through PowerShell (T1059.001) and the Windows Command Shell (T1059.003) to run malicious scripts. It escalates privileges via Bypass User Account Control (T1548.002) and Indirect Command Execution (T1202), followed by Defence Evasion through File Deletion (T1070.004) and Disable or Modify Tools (T1562.001).
The ransomware proceeds to Discovery with Network Share Discovery (T1135) and to Collection with Archive via Utility (T1560.001). Exfiltration uses Exfiltration Over Alternative Protocol (T1048), and the Impact phase combines Data Encrypted for Impact (T1486) with Inhibit System Recovery (T1490), maximizing disruption and extortion leverage.
What are the Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) of SafePay Ransomware?
SafePay ransomware demonstrates a highly organized and multifaceted attack strategy, utilizing advanced tactics, techniques, and procedures to infiltrate systems, disrupt operations, and extort victims. The ransomware’s approach reflects careful planning and the adoption of sophisticated methods to ensure maximum impact.
Initial Access and Defence Evasion
The attack begins with exposed Remote Desktop Protocol (RDP) endpoints, a common entry point for ransomware campaigns. Poorly secured or misconfigured RDP allows the attackers to gain unauthorized access, and the method is effective precisely because RDP is so widely used in enterprise environments.
Once access is achieved, the attackers leverage Living Off the Land Binaries (LOLBins), in this case SystemSettingsAdminFlows.exe, to disable Windows Defender's core security features. Through a series of commands the ransomware turns off real-time protection, sample submission, and other defence mechanisms, effectively neutralizing the built-in protections. Because SystemSettingsAdminFlows.exe is a signed Windows binary that ships under System32, signature- or reputation-based controls will not flag it; the useful signal is the context of its execution, such as a command shell or script interpreter as its parent process.
With security controls disabled, SafePay runs the PowerShell script ShareFinder.ps1 to enumerate accessible network shares, locate sensitive data, and map lateral movement paths. This reconnaissance helps the attackers select high-value targets and stage data for exfiltration and encryption. Depending on the environment, additional PowerShell payloads or custom binaries may be used to deepen the foothold and maintain persistence within the compromised network.
Privilege Escalation
To escalate privileges, SafePay uses a UAC bypass also seen in advanced ransomware families such as LockBit. The technique abuses the auto-elevating CMSTPLUA COM object, which is hosted by the DllHost.exe process, to execute commands with elevated privileges without triggering a UAC prompt.
Because DllHost.exe hosting COM objects is normal on Windows, the malicious case is recognised by context: an unsigned binary requesting the object, an unusual parent-child relationship such as DllHost.exe spawning cmd.exe or PowerShell, and the subsequent use of scripting interpreters. The bypass gives the attackers elevated control over the compromised system with minimal interference.
Process and Service Termination
SafePay further disrupts system operations by targeting critical processes and services. Using the ZwTerminateProcess function, the ransomware terminates processes essential for databases, backups, and productivity applications. Key targets include database services like sql, oracle, and dbsnmp; backup tools such as encsvc and xfssvccon; and productivity applications like excel, onenote, and outlook.
In addition to process termination, SafePay halts critical services by leveraging the ControlService function. It focuses on disabling system and backup services, such as vss and sqlsvc, as well as antivirus solutions like Sophos.
This dual-layer termination strategy serves two purposes: killing database and productivity processes releases the files they hold open so that they can be encrypted, and stopping backup and security services removes the protective and recovery mechanisms. By disrupting both processes and services, SafePay makes recovery and defence significantly harder and maximizes its impact on the target environment.
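The service-stop side of this stage leaves a footprint that is cheap to monitor: each service stopped through ControlService is recorded by the Service Control Manager as System log Event ID 7036 ("The <name> service entered the stopped state"). The following added example (not Red Piranha's or the ransomware's code) flags a burst of the page's watched services (vss, sql*, Sophos) stopping within a short window, which is what a ransomware kill-list looks like in the log and what routine maintenance does not. The log lines are constructed, and the export format, window and threshold are assumptions to adapt to your SIEM.

```python
"""
Burst detection for SafePay's service-termination stage over exported
System-log Event ID 7036 records. Added example; constructed log lines.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Lower-case substrings of the service display names the page lists as targets.
WATCHED = ("vss", "volume shadow copy", "sql", "sophos")

# Constructed export format (assumption): "<ISO timestamp> <EventID> <message>".
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+The (.+?) service entered the (\w+) state\.$")


def parse_scm_line(line: str):
    """Parse one exported System-log line; None if it is not a 7036 record."""
    m = LINE_RE.match(line.strip())
    if not m or m.group(2) != "7036":
        return None
    return {"time": datetime.fromisoformat(m.group(1)),
            "service": m.group(3), "state": m.group(4)}


def is_watched(service: str) -> bool:
    s = service.lower()
    return any(tok in s for tok in WATCHED)


def detect_stop_bursts(lines, window=timedelta(seconds=60), threshold=3):
    """
    Slide a time window over watched-service stop events and raise one alert
    per burst in which at least `threshold` distinct services stopped.
    """
    stops = [r for r in map(parse_scm_line, lines)
             if r and r["state"] == "stopped" and is_watched(r["service"])]
    stops.sort(key=lambda r: r["time"])
    recent, alerts, armed = deque(), [], True
    for r in stops:
        recent.append(r)
        while r["time"] - recent[0]["time"] > window:   # drop events outside the window
            recent.popleft()
        distinct = sorted({x["service"] for x in recent})
        if len(distinct) >= threshold:
            if armed:  # first crossing of the threshold for this burst
                alerts.append({"first": recent[0]["time"], "last": r["time"],
                               "services": distinct})
                armed = False
        else:
            armed = True  # burst is over; re-arm for the next one
    return alerts


# Constructed sample export (not real logs): one kill-list burst at 10:15,
# a legitimate restart later, an isolated SQL stop, and a 7040 line to ignore.
SAMPLE_LOG = """
2024-11-21T10:15:02 7036 The Volume Shadow Copy service entered the stopped state.
2024-11-21T10:15:03 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.
2024-11-21T10:15:04 7036 The Sophos Endpoint Defense Service service entered the stopped state.
2024-11-21T10:15:05 7036 The Windows Update service entered the stopped state.
2024-11-21T10:15:06 7036 The SQL Server Agent (MSSQLSERVER) service entered the stopped state.
2024-11-21T11:40:00 7036 The Volume Shadow Copy service entered the running state.
2024-11-21T12:30:00 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.
2024-11-21T12:31:00 7040 The start type of the Volume Shadow Copy service was changed from demand start to disabled.
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect_stop_bursts(SAMPLE_LOG):
        print(f"{a['first']} .. {a['last']}: {len(a['services'])} watched services stopped: {a['services']}")
```

The isolated SQL Server stop at 12:30 is not alerted on: a single watched service stopping is routine, while three or more within a minute is the kill-list signature. The 7040 line (start type changed to disabled) is a separate indicator worth its own rule, since the page notes SafePay also inhibits recovery.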
Data Exfiltration
As part of its operation, SafePay incorporates a data exfiltration phase to strengthen its extortion leverage. The attackers first archive sensitive files with WinRAR.exe, applying exclusion parameters (WinRAR expresses these as -x<mask> switches) that skip file types of little extortion value such as .JPEG, .mov, and .exe. This selective approach keeps the archives small and focused on valuable data.
Following the archiving phase, the attackers transfer the collected data to remote servers using FileZilla. The transient installation and subsequent removal of FileZilla reduce the forensic evidence left behind, making detection and investigation more difficult. This meticulous approach to data exfiltration demonstrates the attackers’ focus on avoiding detection while maximizing the value of stolen information.
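Most of the host-side tradecraft above (the SystemSettingsAdminFlows.exe Defender tampering and ShareFinder.ps1 scan under Initial Access and Defence Evasion, the DllHost.exe/CMSTPLUA bypass under Privilege Escalation, and the WinRAR/FileZilla staging in this section) shows up in process-creation telemetry. The following added example (not Red Piranha's or the ransomware's code) triages a batch of such events. The records are constructed in a Sysmon Event ID 1-like shape (Image, ParentImage, CommandLine, ParentCommandLine); the field names are an assumption to map onto your EDR schema, the CMSTPLUA CLSID comes from public documentation of the UAC bypass rather than from this page, and the Defender argument string in the sample is a placeholder, not the binary's real syntax.

```python
"""
Process-creation triage for the SafePay host tradecraft. Added example;
constructed events, field names assumed.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    technique: str  # MITRE ATT&CK technique the rule maps to
    detail: str


# CLSID of the auto-elevating CMSTPLUA COM object abused by the DllHost.exe UAC
# bypass. From public documentation of the technique, not from the page.
CMSTPLUA_CLSID = "{3e5fc7f9-9a51-4367-9063-a120244fbec7}"

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    """Lower-case file name of a Windows path (accepts either slash)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(ev: dict) -> list:
    """Return the findings for one process-creation event (empty if benign)."""
    image = _basename(ev.get("Image", ""))
    image_path = ev.get("Image", "").lower()
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    low = cmd.lower()
    findings = []

    # Defence evasion (T1562.001): the signed Settings helper is normally launched
    # by SystemSettings.exe; a shell parent or explicit Defender arguments mean abuse.
    if image == "systemsettingsadminflows.exe" and (parent in SHELLS or "defender" in low):
        findings.append(Finding("defender_tamper_lolbin", "T1562.001", cmd))

    # Discovery (T1135): PowerShell running the ShareFinder share-enumeration script.
    if image in {"powershell.exe", "pwsh.exe"} and "sharefinder" in low:
        findings.append(Finding("sharefinder_exec", "T1135", cmd))

    # Privilege escalation (T1548.002): DllHost.exe spawning a shell is unusual on
    # its own; the CMSTPLUA CLSID in its command line confirms the COM UAC bypass.
    if parent == "dllhost.exe" and image in SHELLS:
        pcmd = ev.get("ParentCommandLine", "").lower()
        rule = "uac_bypass_cmstplua" if CMSTPLUA_CLSID in pcmd else "dllhost_spawns_shell"
        findings.append(Finding(rule, "T1548.002", f"{pcmd} -> {cmd}"))

    # Collection (T1560.001): WinRAR "a" (add) command with -x<mask> exclusions,
    # as used to skip media and binaries before exfiltration.
    if image in {"winrar.exe", "rar.exe"} and re.search(r"\sa\s", low):
        excluded = sorted(set(re.findall(r"-x\*?\.?(\w+)", low)))
        findings.append(Finding("winrar_archive", "T1560.001", f"excludes={excluded}"))

    # Exfiltration staging (T1048): FileZilla installer, client or uninstaller.
    # The transient install/remove pattern is itself the signal.
    if "filezilla" in image_path:
        findings.append(Finding("filezilla_exec", "T1048", f"{parent} -> {cmd}"))

    return findings


def triage_events(events: list) -> list:
    """Run triage_event over a batch and flatten the findings."""
    return [f for ev in events for f in triage_event(ev)]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\SystemSettingsAdminFlows.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "SystemSettingsAdminFlows.exe Defender <placeholder-args>"},
    {"Image": r"C:\Windows\System32\SystemSettingsAdminFlows.exe",   # benign: Settings UI parent
     "ParentImage": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "CommandLine": "SystemSettingsAdminFlows.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -ep bypass -f C:\Users\Public\ShareFinder.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\DllHost.exe",
     "ParentCommandLine": r"C:\Windows\System32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r -x*.jpeg -x*.mov -x*.exe C:\Users\Public\data.rar D:\Finance'},
    {"Image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "filezilla.exe"},
    {"Image": r"C:\Program Files\FileZilla FTP Client\uninstall.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "uninstall.exe /S"},
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.rule}: {f.detail}")
```

Two of the eight sample events produce nothing: the plain cmd.exe launch and SystemSettingsAdminFlows.exe started by the Settings UI. That is the point of keying on parent process and arguments rather than on the binary name, which is signed and legitimate. The WinRAR rule also recovers the excluded extensions, which is useful when reconstructing what the attackers considered worth stealing.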
Encryption
Once the exfiltration process is complete, SafePay encrypts the victim’s files, appending a distinctive .safepay extension. This renders critical files inaccessible, effectively pressuring the victim to comply with ransom demands. Accompanying the encryption process is the deployment of a ransom note, readme_safepay.txt, which is placed in directories containing encrypted files. The note provides instructions for ransom payment and directs victims to contact the attackers through Tor-based (.onion) services, ensuring the anonymity of the threat actors.
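When responding to an incident at this stage, the first question is scope: which directories were encrypted, where the notes were dropped, and what kinds of data were hit. The following added example (not Red Piranha's or the ransomware's code) walks a file tree for the .safepay extension and readme_safepay.txt, recovers the original extensions from the encrypted names, and pulls any Tor v3 onion contact addresses out of the notes for the IOC list. build_sample_tree() creates a constructed directory layout in a temporary folder so the script runs offline; the note text in it is constructed and only reuses an onion address already listed on this page.

```python
"""
Scoping a SafePay encryption event on a file tree. Added example; the
sample tree and note text are constructed.
"""
import os
import re
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".safepay"
NOTE_NAME = "readme_safepay.txt"
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b")   # Tor v3 hidden-service address

# Constructed note text; the address is the first onion IOC listed on the page.
SAMPLE_NOTE = ("Your files have been encrypted. Contact us via Tor:\n"
               "http://iieavvi4wtiuijas3zw4w54a5n2srnccm2fcb3jcrvbb7ap5tfphw6ad.onion\n")


def build_sample_tree() -> str:
    """Create a constructed post-incident directory layout; returns its root."""
    root = tempfile.mkdtemp(prefix="safepay_scope_")
    layout = {
        "Finance": ["q3_report.xlsx" + ENCRYPTED_EXT, "budget.docx" + ENCRYPTED_EXT, NOTE_NAME],
        os.path.join("Finance", "Archive"): ["2019.zip" + ENCRYPTED_EXT, NOTE_NAME],
        "Public": ["logo.png", "readme.txt"],   # untouched directory
        "Temp": [NOTE_NAME],                      # note dropped, nothing encrypted
    }
    for rel, names in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for name in names:
            with open(os.path.join(d, name), "w") as fh:
                fh.write(SAMPLE_NOTE if name == NOTE_NAME else "sample\n")
    return root


def scope_encryption(root: str) -> dict:
    """Summarise encrypted files, note locations, original extensions and onion contacts."""
    per_dir, original_ext, onions = {}, Counter(), set()
    for dirpath, _, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        notes = [f for f in files if f.lower() == NOTE_NAME]
        if not encrypted and not notes:
            continue
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        per_dir[rel] = {"encrypted": len(encrypted), "note": bool(notes)}
        for f in encrypted:
            stem = f[:-len(ENCRYPTED_EXT)]   # strip .safepay to recover the original name
            original_ext[os.path.splitext(stem)[1].lower() or "<none>"] += 1
        for n in notes:
            with open(os.path.join(dirpath, n), errors="replace") as fh:
                onions.update(ONION_RE.findall(fh.read()))
    return {
        "encrypted_files": sum(v["encrypted"] for v in per_dir.values()),
        "directories": per_dir,
        "dirs_with_note": sorted(d for d, v in per_dir.items() if v["note"]),
        # A note without encrypted files can mean an aborted run or a cleaned directory.
        "note_only_dirs": sorted(d for d, v in per_dir.items() if v["note"] and not v["encrypted"]),
        "original_extensions": dict(original_ext),
        "onion_contacts": sorted(onions),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scope_encryption(build_sample_tree()), indent=2))
```

Run it against a mounted forensic image rather than the live host, and treat the "note only" directories as worth a second look: they are where the encryption either never started or was interrupted, and the surviving files there may be the cleanest source for restoration.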
Indicators of Compromise (IOCs)
SafePay ransomware can be identified through the following Indicators of Compromise (IOCs) observed in the analysed incidents. IP indicators age quickly and may be shared infrastructure, so validate them against current telemetry before blocking outright:
- Hash (SHA256): a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526
- Command and Control (C2) servers:
  - 45.91.201.247
  - 77.37.49.40
  - 80.78.28.63
- Domains (Tor onion services used in the ransom note):
  - iieavvi4wtiuijas3zw4w54a5n2srnccm2fcb3jcrvbb7ap5tfphw6ad.onion
  - qkzxzeabulbbaevqkoy2ew4nukakbi4etnnkcyo3avhwu7ih7cql4gyd.onion
SafePay ransomware exemplifies the modern ransomware playbook: RDP for entry, LOLBins to disable defences, a UAC bypass for elevation, process and service termination, data exfiltration, and finally encryption. Its IOCs and techniques call for proactive detection and robust defensive controls to limit its impact.
How does Red Piranha Detect and Prevent attacks of SafePay Ransomware?
Red Piranha’s Threat Detection, Investigation, and Response (TDIR) solution, particularly the Crystal Eye solution, is uniquely equipped to detect and prevent SafePay ransomware’s Tactics, Techniques, and Procedures (TTPs) through a combination of advanced monitoring, integrated threat intelligence, and proactive defence strategies. Below is an analysis of how Crystal Eye’s capabilities can detect and prevent SafePay ransomware’s attack stages and techniques:
1. Detection and Response Capabilities
Crystal Eye’s best-in-class detection and response capabilities enable real-time monitoring and analysis of malicious activities, such as the exploitation of Remote Desktop Protocol (RDP) endpoints—a primary access vector for SafePay ransomware. By leveraging its Advanced Heuristics and Machine Learning (ML) anomaly detection, the platform can identify and flag unusual login attempts or configurations, ensuring early detection of unauthorized access.
2. 24x7 Monitoring and Threat Visibility
The platform offers 24x7 security monitoring across endpoints, networks, and cloud environments, giving immediate visibility into the entire attack surface. With 10x increased visibility, Crystal Eye detects Living Off the Land Binaries (LOLBins) and other defence evasion tactics used by SafePay, such as disabling Windows Defender through system binaries.
The platform continuously tracks suspicious activities, such as the execution of malicious scripts like ShareFinder.ps1, and provides actionable alerts to stop threats before they escalate. Crystal Eye’s multi-layered defence approach combines Network Detection and Response (NDR), machine learning-driven anomaly detection, and Zero Trust architecture to counter SafePay ransomware’s tactics effectively.
3. Proactive Threat Hunting and Anomaly Detection
Crystal Eye’s on-demand threat hunting proactively identifies early indicators of compromise (IOCs), such as attempts to disable antivirus defences or escalate privileges using User Account Control (UAC) bypass methods. By correlating telemetry data from across the network, endpoints, and cloud, the platform uncovers sophisticated threats and provides insights into potential lateral movement and persistence tactics.
4. Integrated Cyber Threat Intelligence (CTI)
Crystal Eye’s fully operationalized and contextualized threat intelligence enhances its ability to detect SafePay ransomware. CTI provides up-to-date, automated, actionable intelligence about known malware families, Command and Control (C2) infrastructure, and threat actors, including the domains and IPs associated with SafePay’s operations. This contextual intelligence ensures that emerging threats like SafePay are detected and mitigated promptly.
5. Process and Service Termination Detection
To counter SafePay's process and service termination techniques, Crystal Eye combines endpoint telemetry with Integrated PCAP Analysis and East-West Traffic Control. Endpoint telemetry surfaces the termination of database services (sql, oracle) or productivity tools (excel, outlook) and attempts to stop protective services such as vss, while the network-side capabilities provide the internal-traffic visibility needed to see the effects of those actions across hosts.
6. Encryption and Data Exfiltration Prevention
The Advanced Network Detection and Response (NDR) capabilities of Crystal Eye detect and block exfiltration attempts by analysing the metadata of encrypted sessions and the traffic patterns associated with data archiving and bulk transfer. The WinRAR.exe and FileZilla activity in SafePay's exfiltration phase is flagged as suspicious, enabling swift intervention. In addition, by monitoring file changes and identifying the unusual .safepay extension, the platform alerts teams to ransomware encryption in progress.
7. Automated Incident Response and SOAR
The platform employs True Security Orchestration, Automation, and Response (SOAR) capabilities, enabling security teams to respond rapidly to incidents. Automated playbooks help to analyse and block SafePay’s behavioural patterns, such as the use of COM Object abuse (DllHost.exe) for privilege escalation or the deployment of obfuscated binaries. This ensures minimal dwell time for attackers and reduces the likelihood of successful attacks.
8. Integrated Vulnerability Management
Crystal Eye’s Integrated Vulnerability Management (IVM) proactively addresses system weaknesses that could be exploited by SafePay, such as unpatched RDP vulnerabilities or outdated software configurations. By continuously assessing and mitigating vulnerabilities, the platform ensures compliance with regulatory standards and reduces the attack surface.
9. Comprehensive Forensics and Audit Capabilities
Forensic capabilities, including 18+ months of data retention and on-demand digital forensics, provide invaluable insights into SafePay’s activities post-incident. These features support detailed investigations into ransomware operations, such as analysing how LOLBins and scripts were executed or identifying the source of privilege escalation.
10. Partner Assurance and Trust
Finally, Crystal Eye provides partner assurance and trust, enabling organizations to rely on expert MDR services and human-machine teaming for incident response. This partnership ensures organizations remain resilient against sophisticated threats like SafePay ransomware, even without in-house security expertise.
Does detecting malicious activity pose a significant challenge for your organisation?
Crystal Eye, best-in-class Threat Detection, Investigation and Response (TDIR), allows you to catch what the other products in its class missed by detecting all known malware and C2 callouts.
Improve your organisation's security posture and minimise risk to your organisation with our Network Detection and Response program alongside the Managed Detection and Response (MDR) service.