GOLD LEAPFROG
SUMMARY
GOLD LEAPFROG is a cybercriminal threat group that operates SafePay ransomware. The group engages in name-and-shame (or double-extortion) tactics, stealing data and holding it to ransom in addition to encrypting networks, then naming victims on a dedicated leak site. Although GOLD LEAPFROG claims not to operate SafePay as a ransomware-as-a-service (RaaS) scheme, the rate of victim naming suggests that a group of individuals is engaged in its operations. SafePay first emerged in November 2024 when 24 victims were named on a leak site of the same name. Since then, around 30 victims' names have been posted to the leak site each month.
CTU researchers have observed a variety of tools and tactics, techniques and procedures (TTPs) used in compromises involving the deployment of SafePay ransomware. Intrusions are characterised by dwell times of between two and five days, although in one case post-compromise activity began around one month after initial access was obtained, suggesting that the group might sometimes rely on initial access brokers (IABs) for access.
GOLD LEAPFROG exploits VPN services to gain entry to networks, most often by brute-forcing them or using stolen credentials for accounts not protected by multi-factor authentication (MFA).
The group uses off-the-shelf remote monitoring and management (RMM) tools for persistence and remote access, and routinely exploits remote desktop protocol (RDP) for lateral movement. It has also been observed using QDoor, a simple command-and-control (C2) backdoor providing proxy capabilities. Impacket has been used to facilitate privilege escalation while SafePay ransomware has been pushed across the victim network using batch scripts.
GOLD LEAPFROG uses the ShareFinder utility in PowerView and the SharpShares tool for collection and collates files deemed interesting in RAR archive files. FileZilla is used to exfiltrate the data to a remote server, sometimes hosted on the Temp.sh file sharing service.
For defense evasion, the group disables antivirus solutions using commands and the EDRSandBlast tool. It also deletes tools quickly after use, resets registry values and deletes log files. To frustrate recovery attempts, the group deletes or encrypts backups and changes admin passwords.
SafePay is Windows-based ransomware. According to third-party research, the latest version encrypts files using the ChaCha20 algorithm and appends the .safepay extension to them before dropping generic ransom notes on devices. These differ from victim to victim only through the unique ID needed to log into the negotiation portal, the URL for which is also provided.
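As an added example (not from the profile or from CTU), the following Python correlator scores constructed host events against the collection, exfiltration, defense-evasion and impact behaviours described above, so that a host showing the .safepay extension or two chained stages is escalated. The pipe-delimited log format, its field names and the process image names (sharpshares.exe, rar.exe, filezilla.exe, edrsandblast.exe) are assumptions, not a vendor schema.

```python
from collections import defaultdict

# Constructed sample events (assumed format): timestamp|host|event_type|image|detail
# event_type is process, network, file or log_cleared; detail is a path,
# a destination host:port, or the cleared log channel.
SAMPLE_LOG = r"""
2025-03-01T01:02:03Z|WS-014|process|SharpShares.exe|-
2025-03-01T01:10:44Z|WS-014|process|rar.exe|C:\Temp\out.rar
2025-03-01T01:32:10Z|WS-014|network|filezilla.exe|files.temp.sh:21
2025-03-02T23:58:01Z|SRV-DC1|log_cleared|-|Security
2025-03-03T00:05:12Z|FS-02|file|safepay.exe|D:\Shares\finance\q1.xlsx.safepay
2025-03-01T09:00:00Z|WS-020|process|rar.exe|C:\Users\bob\photos.rar
"""

def _collection(e):  # share enumeration and RAR collation (profile)
    return e["type"] == "process" and e["image"] in {"sharpshares.exe", "rar.exe"}

def _exfiltration(e):  # FileZilla transfers, sometimes to Temp.sh (profile)
    return e["type"] == "network" and (e["image"] == "filezilla.exe" or "temp.sh" in e["detail"])

def _defense_evasion(e):  # EDRSandBlast use or log clearing (profile)
    return (e["type"] == "process" and e["image"] == "edrsandblast.exe") or e["type"] == "log_cleared"

def _impact(e):  # encrypted files carry the .safepay extension (profile)
    return e["type"] == "file" and e["detail"].endswith(".safepay")

STAGES = {"collection": _collection, "exfiltration": _exfiltration,
          "defense_evasion": _defense_evasion, "impact": _impact}

def parse(log_text):
    """Turn the assumed pipe-delimited lines into lower-cased event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, etype, image, detail = line.split("|", 4)
        events.append({"ts": ts, "host": host, "type": etype,
                       "image": image.lower(), "detail": detail.lower()})
    return events

def correlate(log_text):
    """Map each host to the sorted list of SafePay TTP stages observed on it."""
    seen = defaultdict(set)
    for e in parse(log_text):
        for name, rule in STAGES.items():
            if rule(e):
                seen[e["host"]].add(name)
    return {h: sorted(s) for h, s in seen.items()}

def alerts(log_text):
    """Hosts to escalate: any .safepay write, or two or more stages chained."""
    return sorted(h for h, s in correlate(log_text).items() if "impact" in s or len(s) >= 2)

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(stages)}")
    print("escalate:", alerts(SAMPLE_LOG))
```

A lone rar.exe on WS-020 stays below the threshold, while WS-014 (collection followed by a Temp.sh transfer) and FS-02 (a .safepay write) are escalated.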