A new cybercrime operation called SafePay has emerged, claiming 22 victims while utilizing LockBit-based ransomware, according to a recent report by cybersecurity firm Huntress.
The group first came to attention when Huntress detected two attacks targeting their customers in October 2024. Researchers were able to investigate SafePay's operations due to security flaws in both their website and ransomware code.
SafePay directs victims to websites on both the Tor network and "The Open Network" (TON), a decentralized internet platform developed using Telegram technology. As of mid-November 2024, their Tor site listed 22 victim organizations.
The investigation revealed that SafePay's ransomware is based on a LockBit variant from late 2022. The group successfully breached target systems through Remote Desktop Protocol (RDP) access, encrypting files and extracting data before detection.
The attackers showed patterns similar to other ransomware groups like INC Ransomware and ALPHV/BlackCat. Their methods included disabling Windows Defender, using network reconnaissance tools, and employing WinRAR and FileZilla for data theft.
In a detailed analysis of one attack, researchers observed the threat actors:
- Bypassing Windows security controls
- Running reconnaissance scripts
- Archiving files for extraction
- Installing and removing file transfer tools
- Executing encryption commands
- Disabling system recovery options
The group appears to avoid targeting organizations in Commonwealth of Independent States countries, using a Cyrillic-language check in their code - a common practice among ransomware operators from that region.
Security teams can detect SafePay activity by monitoring for:
- Unusual changes to Windows Defender settings
- Specific WinRAR command patterns
- Known privilege escalation techniques
- Suspicious Remote Desktop connections
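As an added illustration of what the four monitoring points above could look like as detection logic (this is example code written for this page, not tooling from Huntress or anything recovered from the SafePay operation): the script below scans constructed log lines in a simplified key=value format and flags Windows Defender tampering via `Set-MpPreference -Disable*`, WinRAR archiving of UNC shares or password-protected archives, shadow-copy deletion (assumed here to be what "disabling system recovery options" refers to), and RDP logons (event 4624, logon type 10) from outside a trusted address range. The log format, host names, IPs, timestamps, and the specific WinRAR and recovery-related patterns are assumptions; the report only names the categories.

```python
"""Toy detector for the SafePay-style behaviours listed above (constructed example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in a simplified key=value format (not a real
# Windows Security or Sysmon export). Hosts, users, IPs and times are invented.
SAMPLE_LOGS = r"""
2024-10-15T02:13:44Z host=WS01 event=logon id=4624 logon_type=10 user=jdoe src_ip=203.0.113.7
2024-10-15T02:14:02Z host=WS01 event=process user=jdoe cmd="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"
2024-10-15T02:20:31Z host=WS01 event=process user=jdoe cmd="rar.exe a -r -hp D:\stage\out.rar \\FS01\finance"
2024-10-15T02:41:09Z host=WS01 event=process user=jdoe cmd="vssadmin.exe delete shadows /all /quiet"
2024-10-15T08:05:12Z host=WS02 event=logon id=4624 logon_type=10 user=admin src_ip=10.0.5.21
2024-10-15T08:06:00Z host=WS02 event=process user=admin cmd="notepad.exe C:\notes.txt"
2024-10-15T09:00:00Z host=WS03 event=process user=backup cmd="rar.exe a -r E:\backup\weekly.rar C:\data"
"""

# key=value pairs, where a value may be a double-quoted string containing spaces
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Process-creation heuristics (assumed patterns, not signatures from the report):
PROCESS_RULES = [
    # Defender tampering: Set-MpPreference with any -Disable* switch
    ("defender_tamper", re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I)),
    # WinRAR "add" of a UNC path (\\server\share) or with a header password (-hp)
    ("winrar_staging", re.compile(r"\brar\.exe\b\s+a\b.*(?:-hp\S*|\\\\\S+)", re.I)),
    # Shadow-copy deletion, assumed form of "disabling system recovery options"
    ("shadow_delete", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
]


def parse_line(line):
    """Split one log line into a dict: the leading timestamp plus key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for key, quoted, bare in KV_RE.findall(rest):
        fields[key] = quoted if quoted else bare
    return fields


def rdp_from_untrusted(fields, trusted_nets):
    """True for a successful RemoteInteractive (RDP) logon from outside trusted ranges."""
    if fields.get("event") != "logon" or fields.get("id") != "4624":
        return False
    if fields.get("logon_type") != "10":  # 10 = RemoteInteractive
        return False
    src = ipaddress.ip_address(fields["src_ip"])
    return not any(src in net for net in trusted_nets)


def detect(log_text, trusted_cidrs=("10.0.0.0/8",)):
    """Return (host, rule, timestamp) findings for every line that trips a rule."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("event") == "process":
            for name, rx in PROCESS_RULES:
                if rx.search(f.get("cmd", "")):
                    findings.append((f["host"], name, f["ts"]))
        elif rdp_from_untrusted(f, trusted):
            findings.append((f["host"], "rdp_external_logon", f["ts"]))
    return findings


def hosts_by_rule_count(findings, threshold=2):
    """Hosts on which at least `threshold` distinct rules fired: one rule alone is
    often benign (a backup job also runs rar.exe); several together form a chain."""
    per_host = defaultdict(set)
    for host, rule, _ in findings:
        per_host[host].add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for host, rule, ts in found:
        print(f"{ts} {host} {rule}")
    print("correlated:", hosts_by_rule_count(found))
```

On the constructed input only WS01 is flagged: the external RDP logon, the Defender change, the password-protected archive of a file share and the shadow-copy deletion all fire within half an hour, while the backup host's routine WinRAR job and the admin's RDP session from the internal range produce nothing. The correlation step is the part worth keeping in a real pipeline: each individual pattern has legitimate uses, so alerting on the combination per host is what separates staging for exfiltration and encryption from normal administration.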
The emergence of SafePay demonstrates how newer cybercrime groups continue to build upon existing ransomware tools while developing their own tactics and infrastructure.