The technical analysis reveals that SafePay employs classic yet highly effective tactics, including the disabling of endpoint protection systems, deletion of shadow copies, and systematic clearing of system logs to suppress detection and incident response capabilities. Following the archiving process, SafePay deploys FileZilla client software to exfiltrate the compressed archives to command-and-control servers, after which both WinRAR and FileZilla are systematically removed from the compromised systems to eliminate forensic evidence. The malware primarily targets managed service providers (MSPs) and small-to-midsize businesses (SMBs) across various industries, utilizing a combination of Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) intrusion techniques to penetrate organizational networks. The data collection process utilizes WinRAR with specific command-line parameters to archive sensitive files while excluding certain file types to optimize storage and transmission efficiency. This operational approach allows SafePay to maintain direct oversight of its infrastructure, victim negotiations, and attack execution, resulting in more coordinated and effective campaigns. SafePay appends the .safepay extension to encrypted files and requires a 32-byte password for full execution, implementing multiple safeguards against analysis and reverse engineering attempts. The group’s rapid ascension to prominence was highlighted by its involvement in the high-profile attack against Ingram Micro, a global distributor serving thousands of partners and MSPs, demonstrating the malware’s capability to disrupt critical supply chain infrastructure. SafePay implements a double extortion model, combining data exfiltration with file encryption to maximize pressure on victims. SafePay ransomware, which first appeared in 2024, has rapidly evolved from a relatively unknown entity to one of the most active ransomware groups globally, claiming over 200 victims worldwide in just the first quarter of 2025. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Acronis analysts identified significant similarities between SafePay and the infamous LockBit ransomware family, particularly the LockBit 3.0 builder whose source code was leaked in 2022. The archiving command systematically excludes multimedia files, executables, and other non-critical data formats, focusing instead on documents, databases, and configuration files that typically contain valuable business information. The malware’s technical sophistication is evident in its use of living-off-the-land binaries, which allows it to blend seamlessly with legitimate system processes and evade traditional signature-based detection methods. Once inside the target network, the malware executes a carefully orchestrated sequence of operations designed to maximize data collection while minimizing detection. This dual-layer encryption approach ensures that even if one component is compromised, the overall security of the encrypted data remains intact. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. A new ransomware threat has emerged as one of the most formidable adversaries in the cybersecurity landscape, demonstrating unprecedented growth and sophistication in its attack methodology. The ransomware manifests as a PE32 DLL file with a deliberately falsified compilation timestamp, requiring specific execution parameters to function properly. The ransomware employs the ShareFinder.ps1 script, sourced from an open-source PowerView project, to enumerate all available network shares within the local domain. The ransomware’s encryption routine employs a robust combination of AES and RSA algorithms, generating unique 32-byte AES keys for each file before encrypting those keys with RSA public key cryptography. The ransomware group operates with a centralized control structure, distinguishing itself from the typical ransomware-as-a-service (RaaS) model employed by many contemporary threat actors. The malware’s persistence mechanisms and evasion techniques showcase a sophisticated understanding of enterprise security architectures and defensive measures.
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 10 Jul 2025 18:05:12 +0000