Login
iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Powered by MOMENTUMMEDIA
Ransomware gang SafePay claims hack on a Melbourne-based not-for-profit research institute operating out of the Royal Melbourne Hospital.
Newcomer ransomware operation SafePay has listed medical research not-for-profit the Australian Centre for Heart Health on its darknet leak site.
The incident was listed on 27 November and was reported by several internet-based threat-tracking services. Four other victims were also listed on the same day.
In a stroke of luck for those victims, however, SafePay’s leak site has been consistently offline since that time, so whatever the gang may have allegedly stolen remains – for now – more or less secure and beyond the reach of prying eyes.
That said, there’s not much to SafePay’s leak site. It is very minimal, and all each listing includes is the victim’s website URL, the date of the hack, a link to download a file listing, and another link if the data has already been published.
Cyber Daily has reached out to the Australian Centre for Heart Health but has yet to receive a reply.
SafePay published its first tranche of 24 victims on 20 November, which included one Australian firm, dairy producer Snow Brand Australia, and one New Zealand victim, importer Triton Sourcing & Distribution.
The gang appears to have been operating for around two months before it first began publishing on its leak site. It has a kill switch in its ransomware process that looks out for systems that use Cyrillic as its default character set, suggesting the gang operates out of eastern Europe.
Cyber security firm Huntress has been tracking SafePay for some time, and in the specific incidents it has observed, “the threat actor’s activity was found to originate from a VPN gateway or portal, as all observed IP addresses assigned to threat actor workstations were within the internal range”.
“The threat actor was able to use valid credentials to access customer endpoints and was not observed enabling RDP, nor creating new user accounts, nor creating any other persistence,” Huntress said in a 14 November blog post.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
