This 'SAP Ariba Quote' Isn't What It Seems—It's Ransomware

Aug. 15, 2025, 1:07 p.m.

Description

A sophisticated ransomware campaign masquerading as a new SAP Ariba tool has been uncovered. The attack uses email lures, sender spoofing, and impersonation of legitimate software vendors to deliver LeeMe Ransomware. The malware employs SAP branding, a fake GUI, and a Portuguese ransom note. It encrypts various file types with AES-256 and includes keylogging and data exfiltration capabilities. The ransomware creates autorun entries, bypasses Windows Defender, and sets up remote access. With a relatively low ransom demand, it appears to be a widespread campaign rather than one targeting high-value individuals. The attack serves as a reminder of the importance of user vigilance and proper cybersecurity measures.

Date

  • Created: Aug. 15, 2025, 11:38 a.m.
  • Published: Aug. 15, 2025, 11:38 a.m.
  • Modified: Aug. 15, 2025, 1:07 p.m.

Attack Patterns

  • LeeMe Ransomware
  • LeeMe