safepay
SafePay emerged in September 2024 as a rapidly growing ransomware operation that explicitly disavows the RaaS model and manages all operations internally, claiming over 300 victims worldwide by mid-2025 with a high-profile early attack against UK telematics firm Microlise stealing 1.2 TB of data.
- Unspecified
- Consumer Services
- Business Services
- Transportation/Logistics
- Manufacturing
- Construction
- Technology
- Healthcare
- TA0001Initial Access
- T1078Valid Accounts
The threat actor accessed the endpoint via Remote Desktop Protocol (RDP) using valid credentials.
- T1091Replication Through Removable Media
- T1189Drive-by Compromise
- T1190Exploit Public-Facing Application
- T1566.001Phishing: Spearphishing Attachment
- T1566.002Phishing: Spearphishing Link
- T1566.003Phishing: Spearphishing Voice
- TA0002Execution
- T1047Windows Management Instrumentation
- T1047Windows Management Instrumentation
Employed WMI commands to execute processes on remote systems.
- T1053.005Scheduled Task/Job: Scheduled Task
- T1059Command and Scripting Interpreter
Utilized PowerShell scripts, such as ShareFinder.ps1, to execute commands on the compromised system.
- T1059.001Command and Scripting Interpreter: PowerShell
- T1059.003Command and Scripting Interpreter: Windows Command Shell
- T1059.005Command and Scripting Interpreter: Visual Basic
- T1106Native API
- T1129Shared Modules
- T1203Exploitation for Client Execution
- T1204.001User Execution: Malicious Link
- T1204.002User Execution: Malicious File
- TA0003Persistence
- T1078Valid Accounts
Maintained access through the use of compromised valid accounts.
- T1098Account Manipulation
- T1505.004Server Software Component: IIS Components
- T1542.003Pre-OS Boot: Bootkit
- T1543.003Create or Modify System Process: Windows Service
- T1547Boot or Logon Autostart Execution
- T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1547.009Boot or Logon Autostart Execution: Shortcut Modification
- T1574.001Hijack Execution Flow: DLL Search Order Hijacking
- TA0004Privilege Escalation
- TA0005Defense Evasion
- T1014Rootkit
- T1027Obfuscated Files or Information
- T1027.002Obfuscated Files or Information: Software Packing
- T1027.005Obfuscated Files or Information: Indicator Removal from Tools
- T1027.007Obfuscated Files or Information: Dynamic API Resolution
- T1027.009Obfuscated Files or Information: Embedded Payloads
- T1027.013Obfuscated Files or Information: Encrypted/Encoded File
- T1027.016Obfuscated Files or Information: Junk Code Insertion
- T1036Masquerading
- T1036.003Masquerading: Rename Legitimate Utilities
- T1036.004Masquerading: Masquerade Task or Service
- T1036.005Masquerading: Match Legitimate Name or Location
- T1036.007Masquerading: Double File Extension
- T1036.008Masquerading: Masquerade File Type
- T1055Process Injection
- T1055.001Process Injection: DLL Injection
- T1070Indicator Removal
- T1070.003Indicator Removal: Clear Command History
- T1070.004Indicator Removal: File Deletion
- T1070.006Indicator Removal: Timestomp
- T1112Modify Registry
- T1140Deobfuscate/Decode Files or Information
- T1218System Binary Proxy Execution
- T1218.004System Binary Proxy Execution: InstallUtil
- T1218.005System Binary Proxy Execution: Mshta
- T1218.007System Binary Proxy Execution: Msiexec
- T1218.010System Binary Proxy Execution: Regsvr32
- T1218.011System Binary Proxy Execution: Rundll32
- T1218.014System Binary Proxy Execution: MMC
- T1220XSL Script Processing
- T1221Template Injection
- T1222File and Directory Permissions Modification
- T1497Virtualization/Sandbox Evasion
- T1497.001Virtualization/Sandbox Evasion: System Checks
- T1497.003Virtualization/Sandbox Evasion: Time Based Checks
- T1553.002Subvert Trust Controls: Code Signing
- T1562.001Disable or Modify Tools
Disabled Windows Defender using a sequence of LOLBin commands to evade detection.
- T1562.001Impair Defenses: Disable or Modify Tools
- T1562.004Impair Defenses: Disable or Modify System Firewall
- T1564.001Hidden Artifacts: Hidden Files and Directories
- T1574Hijack Execution Flow
- T1574.013Hijack Execution Flow: KernelCallbackTable
- T1620Reflective DLL Injection
- T1622Debugger Evasion
- TA0006Credential Access
- T1003OS Credential Dumping
Employed tools like lsassy.py to dump credentials from the operating system.
- T1003.003OS Credential Dumping: NTDS
- T1056Input Capture
- T1056.001Input Capture: Keylogging
- T1110.003Brute Force: Password Spraying
- T1555Credentials from Password Stores
- T1557.001Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning
- TA0007Discovery
- T1010Application Window Discovery
- T1012Query Registry
- T1016System Network Configuration Discovery
- T1033System Owner/User Discovery
- T1046Network Service Discovery
- T1049System Network Connections Discovery
- T1057Process Discovery
- T1082System Information Discovery
- T1083File and Directory Discovery
- T1087.002Account Discovery: Domain Account
- T1119Automated Collection
- T1120Peripheral Device Discovery
- T1124Time Discovery
- T1482Domain Trust Discovery
Conducted domain trust discovery using commands like 'net group domain admins /domain' and 'nltest.exe'.
- T1614.001System Location Discovery: System Language Discovery
- TA0008Lateral Movement
- T1021Remote Services
Moved laterally within the network using Remote Desktop Protocol (RDP) and Windows Management Instrumentation (WMI).
- T1021.001Remote Services: Remote Desktop Protocol
- T1021.002Remote Services: SMB/Windows Admin Shares
- T1021.004Remote Services: SSH
- T1091Replication Through Removable Media
- T1534Internal Spearphishing
- TA0009Collection
- T1005Data from Local System
- T1074Data Staged
- T1074.001Data Staged: Local Data Staging
- T1560Archive Collected Data
Archived files using WinRAR with specific command-line options to prepare data for exfiltration.
- T1560.002Archive Collected Data: Archive via Library
- T1560.003Archive Collected Data: Archive via Custom Method
- TA0010Exfiltration
- T1041Exfiltration Over C2 Channel
- T1048.003Exfiltration Over Alternative Protocol: Unencrypted Non-C2 Protocol
- T1052.001Exfiltration Over Physical Medium: Exfiltration over USB
- T1567.002Exfiltration Over Web Service
Utilized MEGASync to exfiltrate data over a web service.
- T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage
- TA0011Command and Control
- T1001.003Data Obfuscation: Protocol or Service Impersonation
- T1008Fallback Channels
- T1071.001Application Layer Protocol: Web Protocols
- T1090Proxy
- T1090.001Proxy: Internal Proxy
- T1090.002Proxy: External Proxy
- T1095Non-Application Layer Protocol
- T1102Web Service
- T1102.002Web Service: Bidirectional Communication
- T1104Multi-Stage Channels
- T1105Ingress Tool Transfer
- T1132.001Data Encoding: Standard Encoding
- T1219.002Remote Access Software: Remote Desktop Software
- T1571Non-Standard Port
- T1573Encrypted Channel
- T1573.001Encrypted Channel: Symmetric Cryptography
- TA0040Impact
- T1485Data Destruction
- T1486Data Encrypted for Impact
Encrypted files and appended the '.safepay' extension, leaving a ransom note named 'readme_safepay.txt'.
- T1489Service Stop
- T1490Inhibit System Recovery
Deleted volume shadow copies to inhibit system recovery.
- T1491.001Defacement: Internal Defacement
- T1529System Shutdown/Reboot
- T1561.001Disk Wipe: Disk Content Wipe
- T1561.002Disk Wipe: Disk Structure Wipe
- TA0042Resource Development
- T1583.001Acquire Infrastructure: Domains
- T1583.004Acquire Infrastructure: Server
- T1583.006Acquire Infrastructure: Web Services
- T1584.001Compromise Infrastructure: Domains
- T1584.004Compromise Infrastructure: Server
- T1585.001Establish Accounts: Social Media Accounts
- T1585.002Establish Accounts: Email Accounts
- T1587.001Develop Capabilities: Malware
- T1587.002Develop Capabilities: Code Signing Certificates
- T1588.002Obtain Capabilities: Tool
- T1588.003Obtain Capabilities: Code Signing Certificates
- T1588.004Obtain Capabilities: Digital Certificates
- T1608.001Stage Capabilities: Upload Malware
- T1608.002Stage Capabilities: Upload Tool
- TA0043Reconnaissance