(sygnia.co) SafePay Ransomware Group Leverages Microsoft OneDrive for Covert Data Exfiltration in Double Extortion Campaign
-
Sygnia documented a double-extortion ransomware operation by SafePay, a group active since September 2024. The attackers gained initial access through a misconfigured FortiGate SSL VPN and a weak administrative account that had no MFA. After escalating to domain administrator via RDP, they enumerated the environment with native Windows utilities and open-source tools, then exfiltrated data over seven days: they installed the OneDrive sync client on a compromised server and synchronised staged archives to an attacker-controlled Microsoft 365 tenant, so the outbound traffic blended in with legitimate Microsoft cloud communications. The ransomware payload, locker.dll, was executed via regsvr32.exe to encrypt systems across the network.
IOCs are listed in the article.
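The two host-level traces described above (the OneDrive sync client appearing on a server, and regsvr32.exe registering a DLL from an unusual path) can be hunted in process-creation telemetry. The Python below is an added example written for this summary, not code from Sygnia's report: it runs three rules over a handful of constructed Sysmon-style events. The host_role field, the onedrive_tenant_id field and the allowed-tenant list are assumptions about what your collector exposes; the image-name and DLL-path checks are the part that carries over unchanged.

```python
"""Hunt for the host-level traces the SafePay summary describes: the
OneDrive sync client running on a server, regsvr32.exe registering a
DLL from a non-standard path, and the sync client bound to a tenant the
organisation does not own.  All sample events below are constructed for
this example; they are not from the Sygnia report."""
import ntpath
import re
from typing import Iterable, Optional

# Executables that make up the OneDrive sync client (installer + client).
ONEDRIVE_IMAGES = {"onedrive.exe", "onedrivesetup.exe"}

# Directories from which regsvr32.exe normally registers DLLs.  Anything
# else (user profile, Public, temp, a share, a data volume) is suspicious.
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Microsoft 365 tenant IDs the organisation actually owns.  Assumption:
# a real deployment fills this from its own tenant configuration.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}

# First .dll argument on a command line, quoted or bare.
DLL_RE = re.compile(r'("[^"]+\.dll"|\S+\.dll)', re.IGNORECASE)


def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def _dll_from_cmdline(cmdline: str) -> Optional[str]:
    """Lower-cased DLL path named on a regsvr32 command line, if any."""
    m = DLL_RE.search(cmdline)
    return m.group(1).strip('"').lower() if m else None


def evaluate(event: dict) -> list:
    """Return the names of the rules an event trips (empty if clean)."""
    hits = []
    image = _image_name(event.get("image", ""))
    cmdline = event.get("command_line", "")

    # Rule 1: the OneDrive sync client has no business on a server.
    if image in ONEDRIVE_IMAGES and event.get("host_role") == "server":
        hits.append("onedrive_client_on_server")

    # Rule 2: regsvr32.exe loading a DLL from outside trusted directories
    # (the report says locker.dll was executed this way).
    if image == "regsvr32.exe":
        dll = _dll_from_cmdline(cmdline)
        if dll and not dll.startswith(TRUSTED_DLL_DIRS):
            hits.append("regsvr32_untrusted_dll")

    # Rule 3: the sync client signed in to a tenant the organisation does
    # not own.  Assumption: the collector exposes the sync account's
    # tenant ID as "onedrive_tenant_id".
    tenant = event.get("onedrive_tenant_id")
    if tenant and tenant.lower() not in ALLOWED_TENANTS:
        hits.append("onedrive_foreign_tenant")

    return hits


def hunt(events: Iterable[dict]) -> list:
    """Run every event through evaluate(); return (host, image, rules) for hits."""
    return [(e["host"], e.get("image", ""), hits)
            for e in events
            if (hits := evaluate(e))]


# Constructed sample telemetry (not from the report): a normal workstation
# sync, the sync client on a file server bound to a foreign tenant, a
# benign regsvr32 call, and regsvr32 loading a DLL from C:\Users\Public.
SAMPLE_EVENTS = [
    {"host": "WS-042", "host_role": "workstation",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "command_line": "OneDrive.exe /background",
     "onedrive_tenant_id": "11111111-1111-1111-1111-111111111111"},
    {"host": "FS-01", "host_role": "server",
     "image": r"C:\Users\svc_backup\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "command_line": "OneDrive.exe /background",
     "onedrive_tenant_id": "99999999-9999-9999-9999-999999999999"},
    {"host": "DC-01", "host_role": "server",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Windows\System32\scrrun.dll"},
    {"host": "DC-01", "host_role": "server",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32.exe /s "C:\Users\Public\locker.dll"'},
]

if __name__ == "__main__":
    for host, image, rules in hunt(SAMPLE_EVENTS):
        print(f"{host}: {ntpath.basename(image)} -> {', '.join(rules)}")
```

Run it directly to print the hits. In a SIEM the same logic is a query keyed on image name, host role and DLL directory; the preventive counterpart is a tenant-restriction policy for the sync client, so that OneDrive on a managed host can only sign in to your own tenant rather than to one an attacker created.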
Source: https://www.sygnia.co/blog/safepay-onedrive-exfiltration-technique/
Fediverse: Not known
