SafePay_Ransomware

MITRE Techniques

• [T1078] Valid Accounts – SafePay gains initial access via credential exposure and brute-force password attacks (“SafePay typically establishes initial access to victim networks via credential exposure, brute-force password attacks…”).
• [T1190] Exploit Public-Facing Application – The group exploits weaknesses in VPN appliances and known vulnerabilities to gain access (“…exploiting weaknesses in VPN appliances…”).
• [T1598] Phishing for Information / T1593] Search Open Websites/Domains – Social engineering impersonation of IT staff to load tools like RMMs (“…engaged in social engineering tactics…to impersonate IT staff and load other tools like RMMs.”).
• [T1083] File and Directory Discovery – Use of ShareFinder.ps1 to hunt for network shares containing critical data (“…repurposed to hunt for shares that may contain critical data… ‘Invoke-ShareFinder’”).
• [T1021] Remote Services – Use of PsExec for lateral movement (“SafePay leverages tools like PsExec to establish lateral movement…”).
• [T1041] Exfiltration Over C2 Channel / T1560] Archive Collected Data – Use of WinRAR to archive and FileZilla to exfiltrate stolen data (“…using WinRAR…before exfiltration using FileZilla.”).
• [T1486] Data Encrypted for Impact – Ransomware encrypts files with ChaCha20, replaces extensions with .safepay, and drops readme_safepay.txt (“The .safepay extension replaces extensions on affected files. And, the ransom note named readme_safepay.txt is added…”).
• [T1497] Virtualization/Sandbox Evasion & [T1621] Debugger Evasion – Ransomware evades debugger detection and can terminate anti-malware processes (“…equipped with defense evasion capabilities, including the ability to evade debugger detection. It can also terminate processes associated with anti-malware functions.”).