This 'SAP Ariba Quote' Isn't What It Seems—It's Ransomware
Essential information
- Published: 15/08/2025 11:38
- Modified: 15/08/2025 13:07
- Tags: 2025-08-15, bitcoin, data exfiltration, encryption, keylogger, leeme ransomware, phishing, ransomware, sap ariba, social engineering
- Related entities: 1 intrusion sets (apt), 9 techniques (mitre), 1 malware
Description
A sophisticated ransomware campaign has been uncovered, masquerading as a new SAP Ariba tool. The attack uses email lures, sender spoofing, and impersonation of legitimate software vendors to deliver LeeMe Ransomware. The malware employs SAP branding, a fake GUI, and a Portuguese ransom note. It targets various file types using AES-256 encryption and includes keylogging and data exfiltration capabilities. The ransomware creates autorun entries, bypasses Windows Defender, and sets up remote access. Given the relatively low ransom demand, the campaign appears to be widespread rather than aimed at high-value individuals. The attack serves as a reminder of the importance of user vigilance and proper cybersecurity measures.