Summary:
Surefire Cyber has identified SafePay as a rising ransomware operator, demonstrating advanced capabilities in infiltrating networks and encrypting data. The group is known for targeting organizations across multiple industries and operates with remarkable speed and stealth. Notably, SafePay combines encryption with the theft of sensitive data, employing a double extortion tactic to pressure victims into paying the ransom. Their swift actions—from initial access to ransomware deployment—take under 24 hours, highlighting the critical need for rapid threat detection and response.

Key Tactics:

• Initial Access: Primarily exploits weak VPN implementations through brute force attacks.
• Post-Compromise Activity: Uses widely available system administration and remote access tools.
• Lateral Movement: Leverages compromised admin credentials for network traversal.
• Deployment Method: Employs unique ransomware deployment techniques through registry modifications in domain controllers.
• To defend against SafePay’s attacks, organizations should implement robust VPN security measures, including multi-factor authentication (MFA), closely monitor for unauthorized access tools, and maintain strict privilege access management. Regular security audits and rapid detection systems are crucial to reduce the risk posed by such sophisticated attackers.

SafePay has claimed multiple victims via their leak site. While researchers continue to evaluate their full range of tactics, the group's ability to quickly compromise networks and deploy ransomware makes them a significant threat actor to monitor closely. As SafePay's operations evolve, businesses must remain vigilant and update their security strategies accordingly.

Analyst Comments:
New ransomware groups often emerge due to a combination of factors, including the growing sophistication of cybercrime tools, the profitability of ransomware attacks, and the increasing prevalence of vulnerabilities in modern IT infrastructures. As organizations adopt new technologies like cloud computing and hybrid work models, attackers find new opportunities to exploit weak points. The accessibility of ransomware-as-a-service also enables less-skilled threat actors to launch attacks, further fueling the rise of new groups. Cybersecurity measures may also lag behind, creating an environment ripe for exploitation.

At the IT-ISAC, we track ransomware attacks and recently discovered that a new group successfully targeted the following companies within just one day on November 19. Some of the companies hit in the attacks appear to be in the technology and IT services industry:

1. Westwood
2. Kingswood Park CA
3. Inco Commercial
4. CC Senior Services
5. Business Training BE
6. Miller Service Company
7. Smart Dimensions
8. Safexus
9. ThreadFX Inc / Blue Dog Merch
10. Stats Gov BB
11. Triton Sourcing NZ
12. PI Burners
13. McAuslan
14. Euromedix
15. IB Spieth DE
16. Onnicar IT
17. Active-Cosmetic
18. Omint
19. Gilazo
20. Richmond Hill Primary Academy
21. Pronatec
22. Omara

Suggested Corrections:
Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check Your Security Team's Work: Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Link(s):
https://www.huntress.com/blog/its-not-safe-to-pay-safepay

https://www.surefirecyber.com/emerging-threat-analysis-profiling-a-new-ransomware-group-safepay/