{
  "name": "This 'SAP Ariba Quote' Isn't What It Seems\u2014It's Ransomware",
  "slug": "this-sap-ariba-quote-isnt-what-it-seemsits-ransomware",
  "description": "A sophisticated ransomware campaign has been uncovered, masquerading as a new SAP Ariba tool. The attack uses email lures, sender spoofing, and impersonation of legitimate software vendors to deliver LeeMe Ransomware. The malware employs SAP branding, a fake GUI, and a Portuguese ransom note. It targets various file types using AES-256 encryption and includes keylogging and data exfiltration capabilities. The ransomware creates autorun entries, bypasses Windows Defender, and sets up remote access. With a relatively low ransom demand, it appears to be a widespread campaign rather than targeting high-value individuals. The attack serves as a reminder of the importance of user vigilance and proper cybersecurity measures.",
  "published": "2025-08-15T09:38:58+00:00",
  "created_at": "2025-08-15T09:38:58+00:00",
  "modified_at": "2025-08-15T11:07:32+00:00",
  "created_at_opencti": "2025-08-15T09:38:58+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-08-15",
    "bitcoin",
    "data exfiltration",
    "encryption",
    "keylogger",
    "leeme ransomware",
    "phishing",
    "ransomware",
    "sap ariba",
    "social engineering"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "45ed71ac-b6a5-46f4-80b5-ca8a096d0f76",
        "name": "LeeMe Ransomware",
        "slug": "leeme-ransomware"
      }
    ],
    "intrusion_sets": [
      {
        "id": "c05bb261-07bd-4f99-b580-148fa60d6dd1",
        "name": "LeeMe",
        "slug": "leeme"
      }
    ],
    "attack_patterns": [
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ]
  },
  "external_refs": [
    "https://cofense.com/blog/this-sap-ariba-quote-isn-t-what-it-seems-it-s-ransomware",
    "https://otx.alienvault.com/pulse/689f1c5275008bae8b2aa1b1"
  ]
}