November 22, 2024
By Cybervergent Team

SafePay Ransomware: A Rising Threat to Payment Processors and Banks

Cybersecurity experts have uncovered SafePay, a newly identified ransomware strain that is raising alarms in the financial sector. By leveraging stealthy and advanced attack methods, this malware poses a significant risk to payment processors and banks. These organizations, entrusted with safeguarding sensitive financial data, must brace for the disruptive potential of SafePay’s sophisticated capabilities.

What is SafePay?

SafePay is an emerging ransomware strain believed to be derived from leaked LockBit source code. Its signature traits include a ransom note titled readme_safepay.txt and encrypted file extensions labeled .safepay. Analysts point to its uncanny similarities to LockBit, but SafePay’s refined approach makes it a new beast in the ransomware landscape.

Key Tactics in SafePay Attacks

1.Two-Phase Attack Model

•      Data Collection and Exfiltration:
Attackers employ tools like WinRAR to compress sensitive data and FileZilla to exfiltrate it, targeting multiple endpoints simultaneously. In a bid to evade detection, these tools are uninstalled immediately after use.

•      Encryption Deployment:
Using stolen credentials and Remote Desktop Protocol (RDP), attackers deploy PowerShell scripts that execute ransomware. Commands disable shadow copies and alter boot configurations, ensuring data recovery becomes nearly impossible.

2.Advanced Ransomware Techniques

•      UAC Bypass and Privilege Escalation:
SafePay circumvents User Account Control (UAC) via COM object manipulation, gaining elevated access to systems.

•      Anti-AnalysisFeatures:
Techniques like string obfuscation and customized thread creation help evade detection and optimize encryption performance.

•      Language-Based Kills witch:
Machines with Cyrillic system languages are skipped, indicating Eastern Europe may not be its intended target.

•      Leak Platforms and Public Exposure:
Victim data is exposed through platforms on the Tor network and The Open Network (TON). Vulnerabilities in SafePay’s backend have also revealed operational details, a rare glimpse into the attackers’ infrastructure.

 

Why Payment Processors and Banks Should Be Concerned

Financial institutions are a lucrative target for ransomware groups due to the critical nature of their services and the volume of sensitive data they handle. SafePay’s ability to combine exfiltration with encryption poses a dual threat to operational continuity and data confidentiality.

Key Risks:

•      Operational Disruption: Encrypted files or network compromises can halt payment processing and customer transactions.

•      Data Breaches: Exfiltrated financial records and customer information could be sold or leaked, damaging reputation and trust.

•      Financial Impact: The costs of ransom payments, remediation, and regulatory penalties can be devastating.

 

How to Safeguard Against SafePay

1.Fortify Endpoint Security

Deploy endpoint detection and response (EDR) tools to identify unusual activities, such as unauthorized software use or data archiving.

2.Credential Management

Enforce strong passwords and implement multi-factor authentication (MFA) across all accounts to prevent unauthorized access.

3.Network Segmentation

Separate sensitive systems from user-accessible endpoints to limit lateral movement during a breach.

4.Regular Backups

Maintain encrypted, offline backups and test your disaster recovery processes to ensure rapid recovery from encryption attempts.

 

How MSSPs Can Prevent SafePay Attacks

Engaging a Managed Security Services Provider (MSSP) can provide expert-level, 24/7monitoring and incident response.

•      Credential Monitoring: Detect compromised credentials before attackers exploit them.

•      Behavioral Analysis: Identify unusual patterns, such as excessive use of administrative privileges or suspicious file transfers.

•      Proactive Threat Intelligence: Stay ahead of ransomware trends and implement defenses against emerging threats.