Powered by MOMENTUM MEDIA
Exclusive: Australian Centre for Heart Health hit by alleged SafePay ransomware attack

Ransomware gang SafePay claims hack on a Melbourne-based not-for-profit research institute operating out of the Royal Melbourne Hospital.


Newcomer ransomware operation SafePay has listed medical research not-for-profit the Australian Centre for Heart Health on its darknet leak site.

The incident was listed on 27 November and was reported by several internet-based threat-tracking services. Four other victims were also listed on the same day.

In a stroke of luck for those victims, however, SafePay’s leak site has been consistently offline since that time, so whatever the gang may have allegedly stolen remains – for now – more or less secure and beyond the reach of prying eyes.

That said, there’s not much to SafePay’s leak site. It is very minimal, and all each listing includes is the victim’s website URL, the date of the hack, a link to download a file listing, and another link if the data has already been published.

Cyber Daily has reached out to the Australian Centre for Heart Health but has yet to receive a reply.

SafePay published its first tranche of 24 victims on 20 November, which included one Australian firm, dairy producer Snow Brand Australia, and one New Zealand victim, importer Triton Sourcing & Distribution.

The gang appears to have been operating for around two months before it first began publishing on its leak site. Its ransomware includes a kill switch that checks whether the system's default character set is Cyrillic and, if so, aborts, a common marker of operations based in eastern Europe that want to avoid encrypting victims in their home region.

Cyber security firm Huntress has been tracking SafePay for some time, and in the specific incidents it has observed, “the threat actor’s activity was found to originate from a VPN gateway or portal, as all observed IP addresses assigned to threat actor workstations were within the internal range”.

“The threat actor was able to use valid credentials to access customer endpoints and was not observed enabling RDP, nor creating new user accounts, nor creating any other persistence,” Huntress said in a 14 November blog post.
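The Huntress observation above describes a pattern that is easy to miss because nothing "new" appears: no RDP enabled, no accounts created, no persistence, just existing credentials used from addresses inside the internal range that are actually VPN client pool addresses. The script below is an added hunting example, not code from the article, Huntress or SafePay. It assumes, for illustration, that the VPN concentrator hands out client addresses from 10.200.0.0/24 and that logon telemetry is available as flat "timestamp,account,target_host,logon_type,source_ip" records in the style of a Windows event 4624 export; the sample records are constructed. It flags any account that reaches several distinct hosts over network or RDP logons from a pool address, which is the fan-out a hands-on-keyboard intruder produces and a normal remote worker usually does not.

```python
"""
Hunt for valid-credential lateral movement that originates from a VPN
address pool: one account, sourced from an address the VPN gateway
assigned, touching many hosts with no other noisy indicators.

Assumptions (not from the article): VPN client pool is 10.200.0.0/24 and
telemetry lines look like "ts,account,target_host,logon_type,source_ip".
The SAMPLE telemetry below is constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.200.0.0/24")  # assumed VPN client pool

# Windows 4624 logon types that carry credentials onto another host:
# 3 = network (SMB, WMI, PsExec-style), 10 = RemoteInteractive (RDP).
LATERAL_LOGON_TYPES = {3, 10}


@dataclass(frozen=True)
class Logon:
    ts: str
    account: str
    host: str
    logon_type: int
    source_ip: str


def parse_logons(text):
    """Parse CSV-like telemetry lines, skipping blanks and '#' comments."""
    out = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, host, lt, ip = [f.strip() for f in line.split(",")]
        out.append(Logon(ts, account, host, int(lt), ip))
    return out


def from_vpn_pool(ip, pool=VPN_POOL):
    """True if the source address was handed out by the VPN gateway."""
    try:
        return ip_address(ip) in pool
    except ValueError:
        return False  # malformed field or a hostname instead of an IP


def hunt_vpn_fanout(logons, pool=VPN_POOL, min_hosts=2):
    """
    Return {account: sorted hosts} for accounts that used existing
    credentials from a VPN pool address to reach >= min_hosts distinct
    hosts. One VPN user hitting one file server is routine; one account
    fanning out across servers from the pool is the signal to triage.
    """
    reached = defaultdict(set)
    for entry in logons:
        if entry.logon_type in LATERAL_LOGON_TYPES and from_vpn_pool(entry.source_ip, pool):
            reached[entry.account].add(entry.host)
    return {acct: sorted(hosts) for acct, hosts in reached.items() if len(hosts) >= min_hosts}


# Constructed sample telemetry: ts,account,target_host,logon_type,source_ip
SAMPLE = """
2024-11-10T02:11:03Z,jsmith,FS01,3,10.200.0.17
2024-11-10T02:12:41Z,jsmith,DC01,3,10.200.0.17
2024-11-10T02:15:09Z,jsmith,HV02,10,10.200.0.17
2024-11-10T02:20:00Z,jsmith,BACKUP01,3,10.200.0.17
2024-11-10T08:30:12Z,mlee,FS01,3,10.200.0.44
2024-11-10T09:02:55Z,svc_sql,DB01,3,10.10.5.20
2024-11-10T09:05:31Z,svc_sql,DB02,3,10.10.5.20
"""

if __name__ == "__main__":
    for account, hosts in hunt_vpn_fanout(parse_logons(SAMPLE)).items():
        print(f"{account}: {len(hosts)} hosts from VPN pool -> {', '.join(hosts)}")
```

On the sample data only jsmith is flagged: svc_sql moves between database hosts from a non-pool address and mlee touches a single host. In practice the pool prefix comes from the VPN appliance configuration, and the threshold should be tuned against a baseline of what remote staff normally reach, since the point of this hunt is to separate an intruder's fan-out from legitimate remote access that uses exactly the same credentials and protocols.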

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
