SafeNet

Malware

⚠️ Overview

SafeNet is a ransomware family first documented in May 2020 by researchers at Fortinet's FortiGuard Labs, believed to be operated by a single threat actor or small group using a ransomware-as-a-service (RaaS) model, primarily targeting small-to-medium businesses in North America and Europe. Unlike more sophisticated strains, SafeNet employs a relatively simple encryptor that appends the .safenet extension to encrypted files and drops a ransom note named _readme.txt demanding payment in Bitcoin, categorizing it as a low-to-medium sophistication ransomware.

🔧 Technical Capabilities

SafeNet propagates via phishing emails with malicious attachments (typically VBScript or PowerShell droppers) and, in some campaigns, through compromised RDP endpoints using weak credentials. Its encryptor uses AES-256 in CBC mode to encrypt files, with the key itself encrypted with an embedded RSA-1024 public key; files are enumerated on local drives and any writable network shares. C2 communication occurs over HTTP to hardcoded IP addresses (e.g., 185.225.73[.]146) to exfiltrate a unique victim ID and encryption key before deletion of volume shadow copies using vssadmin.exe. Persistence is achieved via a scheduled task named "SafeNetUpdate" that re-runs the payload on reboot. Evasion includes checking for sandbox environments by detecting common analysis tools like wireshark or procmon, and delaying encryption for several hours after initial execution to bypass behavioral detection.

📜 History & Notable Incidents

First observed in May 2020, SafeNet was notably used in a campaign against a Canadian manufacturing firm in June 2020, resulting in encrypted file servers and a demand of 1.5 Bitcoin (approximately $14,000 at the time). No high-profile CVE exploits are associated with SafeNet; it relies on social engineering and brute-force RDP attacks. As of 2023, no law enforcement actions have been publicly reported against SafeNet operators, though several decryptors (e.g., from Emsisoft) have been released for earlier versions due to a flaw in key generation.

🔍 Detection Indicators

Known file hashes include SHA256: 8a7e5f2c1d9e3b4f6a0c8d7e5f2a1b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f (a sample from 2020). Behavioral signatures include creation of the mutex "Global\Safenet" and writes to registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRunSafeNet. Network IOCs include HTTP POST requests to /gate.php with a User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" and referral to C2 IP 185.225.73[.]146 (as per Cisco Talos research).

☠️ Risk & Impact

SafeNet causes irreversible data encryption unless a decryptor is available; it does not exfiltrate data but deletes backup shadow copies, increasing recovery costs. Financial losses per incident range from $2,000 to $15,000 in ransom demands, but downtime and restoration costs can exceed $50,000 for SMBs. Affected sectors include manufacturing, healthcare, and professional services, with geographic concentration in the United States and Canada.

🛡️ Mitigation

Recommended defenses include enabling multi-factor authentication on RDP, blocking PowerShell execution from Office macros via Group Policy, and deploying endpoint detection rules for the SafeNet mutex and vssadmin deletion patterns. Use of Emsisoft's free decryptor (for pre-2022 variants) and regular offline backups are critical; apply the MITRE ATT&CK technique T1486 (Data Encrypted for Impact) and T1059.001 (PowerShell) for defensive playbooks.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.