New SafePay Ransomware Emerges, Exploiting TOR and TON for Anonymity
In October 2024, Huntress analysts documented two incidents involving the emergence of a new ransomware strain known as SafePay. This malware is distinguished by its unique “.safepay” file extension and the ransom note titled “readme_safepay.txt.” No prior cases involving this software had been reported.
On the darknet, SafePay uses TOR onion routing for anonymity and the decentralized TON messenger for communication. The attackers’ leak site lists 22 victims alongside downloadable stolen data, raising serious concerns about the security of those organizations’ corporate networks.
In the first incident, hackers infiltrated systems via RDP, disabling Windows Defender as part of their attack. They utilized WinRAR to archive files, which were likely exfiltrated using the FTP client FileZilla. The attack culminated in the encryption of network resources, accompanied by the deletion of shadow copies and the disabling of system restoration.
In the second case, the attackers also exploited RDP but bypassed security measures through different techniques. While antivirus software detected the encryption process, it failed to halt it. As in the first incident, a ransom note with threats and payment demands was left behind.
Analysis of the malicious code revealed similarities between SafePay and LockBit ransomware. Notably, the malware checks whether it is running in Eastern European countries, and it evades antivirus defenses effectively. Its file encryption and thread management are optimized for speed and stealth.
Huntress researchers highlighted that SafePay leverages well-established tools such as PowerShell scripts to locate network resources and WinRAR for data archiving. These tactics underscore the attackers’ high level of sophistication and emphasize the critical need for companies to strengthen cybersecurity, particularly regarding RDP access.
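As an added illustration (not code from the Huntress report or this article), the following Python rule set groups constructed sample telemetry lines into the stages the two incidents describe: RDP access, Defender tampering, WinRAR archiving, FileZilla traffic, shadow-copy and recovery disabling, and the SafePay artifacts. The “.safepay” extension and “readme_safepay.txt” come from the article; the RDP logon event ID and logon type, the exact Defender, vssadmin and bcdedit command forms, and the hosts, users and addresses in the sample log are assumptions chosen for illustration.

```python
import re

# Constructed sample telemetry lines (not from the Huntress report). The
# command forms are assumed representatives of the behaviours described.
SAMPLE_LOG = r"""2024-10-03T02:11:05Z host=FS01 event=4624 logon_type=10 user=svc_backup src=203.0.113.8
2024-10-03T02:14:40Z host=FS01 process=powershell.exe cmd="Set-MpPreference -DisableRealtimeMonitoring $true"
2024-10-03T02:20:12Z host=FS01 process=powershell.exe cmd="Get-ADComputer -Filter * | Select Name"
2024-10-03T02:31:07Z host=FS01 process=WinRAR.exe cmd="WinRAR.exe a -r D:\staging\finance.rar \\FS01\Finance"
2024-10-03T02:55:33Z host=FS01 process=filezilla.exe dst=198.51.100.21:21
2024-10-03T03:10:01Z host=FS01 process=vssadmin.exe cmd="vssadmin delete shadows /all /quiet"
2024-10-03T03:10:02Z host=FS01 process=bcdedit.exe cmd="bcdedit /set {default} recoveryenabled No"
2024-10-03T03:12:45Z host=FS01 file_created=D:\Finance\Q3.xlsx.safepay
2024-10-03T03:12:46Z host=FS01 file_created=D:\Finance\readme_safepay.txt
2024-10-03T08:00:00Z host=FS01 process=explorer.exe user=jsmith"""

# Each rule: (stage, indicator name, case-insensitive regex). The two
# SafePay artifacts are from the article; the other patterns are assumed
# command forms for the behaviours it describes (RDP logon, Defender
# tampering, archiving, FTP client, shadow copy deletion, recovery disabled).
RULES = [
    ("initial_access",  "rdp_logon",             r"event=4624\b.*logon_type=10\b"),
    ("defense_evasion", "defender_disabled",     r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true"),
    ("collection",      "winrar_archiving",      r"\b(WinRAR|rar)\.exe\b.*\s+a\s"),   # 'a' = add-to-archive
    ("exfiltration",    "filezilla_outbound",    r"\bfilezilla\.exe\b"),
    ("impact",          "shadow_copies_deleted", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("impact",          "recovery_disabled",     r"bcdedit(\.exe)?\s.*recoveryenabled\s+No"),
    ("impact",          "safepay_extension",     r"\.safepay\b"),
    ("impact",          "safepay_ransom_note",   r"readme_safepay\.txt"),
]
COMPILED = [(stage, name, re.compile(pat, re.IGNORECASE)) for stage, name, pat in RULES]


def match_line(line):
    """Return the indicator names whose pattern matches a single log line."""
    return [name for _, name, rx in COMPILED if rx.search(line)]


def triage(log_text):
    """Group matching lines by stage: {stage: [(indicator, line), ...]}.
    Lines that match no rule (e.g. ordinary discovery or user activity) are dropped."""
    hits = {}
    for line in log_text.splitlines():
        for stage, name, rx in COMPILED:
            if rx.search(line):
                hits.setdefault(stage, []).append((name, line))
    return hits


def is_safepay_like(hits):
    """True when a SafePay artifact (extension or note) is present AND at least
    one precursor stage was seen, so a lone file-name match does not fire."""
    impact_names = {name for name, _ in hits.get("impact", [])}
    artifacts = {"safepay_extension", "safepay_ransom_note"} & impact_names
    precursors = {"defense_evasion", "collection", "exfiltration"} & set(hits)
    return bool(artifacts) and bool(precursors)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for stage, entries in result.items():
        print(stage)
        for name, line in entries:
            print(f"  [{name}] {line}")
    print("SafePay-like chain:", is_safepay_like(result))
```

The point of `is_safepay_like` is that the file extension and note name alone are weak evidence (they appear only once encryption has started); the earlier stages, especially the Defender tampering and the archiving-then-FTP pattern, are where a detection has a chance to interrupt the intrusion. In a real deployment the regexes would be replaced by structured fields from the EDR or SIEM, and the RDP rule would be paired with the access-hardening the article recommends.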