SafePay ransomware gang claims Microlise attack that disrupted prison van tracking
Fledgling band of crooks says it stole 1.2 TB of data
The new SafePay ransomware gang has claimed responsibility for the attack on UK telematics biz Microlise, giving the company less than 24 hours to pay its extortion demands before leaking data.
SafePay claims to have stolen 1.2 TB. Microlise, which offers vehicle tracking services and more to the likes of DHL and Serco – both of which were confirmed as collateral damage in Microlise's incident – told The Register that some of its data was stolen earlier this month.
We contacted the company for a response and confirmation that ransomware was involved in the incident, which until now has only been described as a "cyber incident," but it didn't immediately respond.
Microlise has issued two separate disclosures, the first of which came on October 31, saying it was making "substantial progress in containing and clearing the threat from its network."
Major customers reported issues soon after, including delivery giant DHL, which was unable to track its lorries, affecting deliveries to UK convenience stores operated by Nisa Group.
British security company Serco, which manages numerous public sector contracts, including with the Ministry of Justice, was also hit.
Serco reported that the panic alarms and tracking systems used by its prisoner transport vans were temporarily disabled, although service continued without disruption. No individuals in custody were unaccounted for.
Experts speaking to The Register at the time said the wording used by Microlise in its disclosure, coupled with the reports of disruptions by customers, suggested ransomware was indeed involved, although it wasn't confirmed explicitly.
A more recent update on the attack, which Microlise told the London Stock Exchange would be its final one concerning the matter, said some customers' systems remained offline, while many others had been restored.
"The company can now confirm that the vast majority of customer systems are back online, with some remaining customers conducting their own security verifications before enabling users," a statement read. "The company would like to reiterate no customer systems data was compromised."
Microlise went on to say that it was "continuing to assess the impact of the incident," but didn't foresee it having a material impact on its yearly financials.
"Once again, Microlise would like to thank customers for their patience and understanding over this challenging period," it added.
Not so safe to pay
SafePay is a new group on the scene. By the time researchers at Huntress got around to looking at it in October, it only had 22 victims logged on its leak blog.
Huntress's report on the group contains all the technical details and indicators of compromise needed for defenders to add to their detection rules.
However, in the two incidents the researchers investigated, SafePay used valid credentials to access victims' environments. They didn't establish persistence through the creation of new user accounts or by any other means either.
The first incident Huntress looked at involved the crims accessing an endpoint via RDP and disabling Windows Defender using the exact same sequence of LOLBin commands as previously seen during INC Ransomware attacks.
Having stolen data on day one, SafePay's cronies returned on day two and encrypted the victim's files within 15 minutes.
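The sequence Huntress describes, a valid-credential RDP logon followed shortly by Defender being switched off, is something a defender can hunt for by correlating two Windows event sources. The following is an added example, not code from the article or from Huntress: it runs over constructed sample event records, and the event IDs it keys on (Security 4624 with logon type 10 for RDP, Defender operational 5001 for real-time protection disabled) are standard Windows identifiers rather than values taken from the article; the 30-minute window is an assumption.

```python
from datetime import datetime

# Constructed sample events (not real telemetry), shaped as
# (host, channel, event_id, ISO timestamp, details).
SAMPLE_EVENTS = [
    ("FS01", "Security", 4624, "2024-10-15T02:10:05", {"logon_type": 10, "user": "svc_backup"}),
    ("FS01", "Defender", 5001, "2024-10-15T02:14:40", {}),
    ("WS07", "Security", 4624, "2024-10-15T09:00:00", {"logon_type": 2, "user": "alice"}),
    ("WS07", "Defender", 5001, "2024-10-15T09:02:00", {}),
    ("FS02", "Security", 4624, "2024-10-14T22:00:00", {"logon_type": 10, "user": "bob"}),
    ("FS02", "Defender", 5001, "2024-10-15T06:00:00", {}),
]

RDP_LOGON_TYPE = 10            # Security 4624, logon type 10 = RemoteInteractive (RDP)
DEFENDER_RTP_DISABLED = 5001   # Defender operational log: real-time protection disabled


def find_rdp_then_defender_off(events, window_seconds=1800):
    """Return (host, user, seconds_between) for every RDP logon that is
    followed, on the same host and within window_seconds, by Defender
    real-time protection being disabled. Console logons (type 2) and
    long-separated pairs are ignored."""
    rdp_logons = {}  # host -> list of (logon time, user)
    for host, channel, eid, ts, details in events:
        if channel == "Security" and eid == 4624 and details.get("logon_type") == RDP_LOGON_TYPE:
            rdp_logons.setdefault(host, []).append((datetime.fromisoformat(ts), details.get("user")))

    hits = []
    for host, channel, eid, ts, _ in events:
        if channel != "Defender" or eid != DEFENDER_RTP_DISABLED:
            continue
        off_at = datetime.fromisoformat(ts)
        for logon_at, user in rdp_logons.get(host, []):
            delta = (off_at - logon_at).total_seconds()
            # Only count disables that happen after the logon, inside the window.
            if 0 <= delta <= window_seconds:
                hits.append((host, user, int(delta)))
    return hits


if __name__ == "__main__":
    for host, user, secs in find_rdp_then_defender_off(SAMPLE_EVENTS):
        print(f"{host}: Defender RTP disabled {secs}s after RDP logon by {user}")
```

On the sample data only FS01 trips the rule; FS02 has the same pair of events eight hours apart and WS07's logon is a console session, so neither is flagged at the default window.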
Given how new the group is to the cybercrime landscape, there is very little open source information about it or who's involved, although if its claim to the Microlise attack is genuine, it's quite the scalp to hold as it bursts onto the ransomware scene.