@safetyjabber.com

[Content by Gemini 2.5]

Technical Breakdown of the @safetyjabber.com Ransomware

1. File Extension & Renaming Patterns

Confirmation of File Extension: [email protected]

Renaming Convention:

  • Original file: report.xlsx
  • After encryption: [email protected]
  • The malware does NOT modify filenames or add random strings—only appends the exact extension [email protected] after the original filename.
  • Hidden volumes or shadow-copied directories are enumerated and receive the same extension.

2. Detection & Outbreak Timeline

Approximate Start date: First clusters of infection surfaced in late February 2025, with a sharp spike observed between 15 – 25 March 2025. The majority of public incidents were reported from Eastern Europe and North America, peaking the week of 20 March before managed EDR rules halted the rapid proliferation.

3. Primary Attack Vectors

  • Exploited Vulnerabilities:
    – CVE-2023-36884 (remote template injection via Office documents)
    – CVE-2024-1709 (ConnectWise ScreenConnect authentication bypass)
  • Phishing Campaigns: Malicious ISO attachments containing a malformed macro-enabled .docm lure document; subject line typically Compliance audit notification (Urgent).
  • RDP / SSH Compromise: Brute-force and credential-stuffing attacks against exposed 3389/22 ports; unusually high successful logins traced to leaked Citrix ADC session cookies.
  • Living-off-the-land Download: Uses certutil -urlcache to fetch second-stage binaries and WMI Win32_Process invocation to execute without writing to disk.

Remediation & Recovery Strategies

1. Prevention

  1. Disable SMBv1 (sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi) and apply KB5026363 (April 2024 cumulative).
  2. Patch/Update:
  • ScreenConnect ≥ 23.9.8
  • Office 365 ≥ Version 2308 Build 16731.20234 (patches CVE-2023-36884).
  1. Conditional Access / MFA: Enforce 2FA for ALL RDP and admin console logins; block client IPs after 3 failed attempts.
  2. Block ISO/IMG at the Gateway: Configure transport rule Attachment matches patterns “*.iso” → quarantine.
  3. EDR Rules: Add YARA signature below to your EDR:
rule SafetyJabber_Payload {
    strings:
        $a = "[email protected]" wide
        $b = "HOW_TO_RECOVER_FILES.txt" wide
        $c = { 8D 49 08 83 F9 20 0F 85 ?? ?? ?? ?? 8A 1C 0E }
    condition: all of them
}

2. Removal (Step-by-Step)

  1. Disconnect network cable / Wi-Fi immediately to stop lateral movement.
  2. Boot into Safe Mode with Networking (Windows: F84).
  3. Kill malicious processes:
    – Use Process Explorer to kill svdhost.exe, msdtc.exe (impersonated by malware).
    – Look for -p ⟨random⟩ argument switches.
  4. Registry Cleanup: 
   reg delete "HKCU\Software\Classes\*\shell\open\command" /v "(Default)"
   reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SystemAssert"
  1. File & Service Deletion:
  • %APPDATA%\svdhost.exe
  • Scheduled task UpdateChecker under \Microsoft\Windows\PowerShell\ScheduledJobs
  1. Re-run a full endpoint scan with updated signatures. Once clean, re-enable network access.

3. File Decryption & Recovery

Current Status: Currently NO decryptor. Files encrypted with AES-256 in GCM mode using a per-machine RSA-2048 key stored on attacker-controlled server.
Fallback Options:

  • Offline Backups or Snapshot-as-a-Service (check VSS shadow copies—“vssadmin list shadows”).
  • Free-file-recovery utilities (e.g., PhotoRec, ShadowExplorer) for non-zeroed removable drives.
  • Negotiation alternatives: Law-enforcement teams recommend against payment; no public evidence of consistent key delivery even after ransom (~0.04 BTC) is paid.

4. Other Critical Information

  • Unique Characteristic: The malware leaves a secondary payload (sj_helper64.dll) registered as a COM+ event subscription, allowing re-infection if the DLL is not removed.
  • Command-and-Control: Uses domain fronting via legitimate CDN azureedge.net; always check egress logs for Host: safety-cdn.azureedge.net.
  • Cross-Platform Implications: Early variants found targeting Linux ESXi hosts via Python script (sj_esxi.py) that queries vim-cmd vmsvc/getallvms and shuts down VMs before encryption—revise your VM snapshot/backup strategy accordingly.

By implementing the above patches and mitigation steps, organizations drastically reduce the attack surface exploited by safetyjabber, while maintaining clear fallback paths for data recovery.