Conduent Data Breach - Ransomware Incident (SafePay)
BLUF
Conduent disclosed a cyber incident detected Jan 13, 2025 involving unauthorized access to a limited portion of its environment, operational disruption, and theft of client end-user data. Public reporting and breach notifications indicate attacker dwell time from Oct 21, 2024 through Jan 13, 2025. The extortion/ransomware group SafePay claimed responsibility, alleging exfiltration of ~8.5 TB. Victim impact expanded via U.S. state notifications into late 2025/early 2026, with totals described as 10M+ and potentially far higher.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by ransomware combined with large-scale data theft and extortion activity (SafePay-style double extortion)…
· Low-end total cost: $15M – $35M
o Limited encryption spread, smaller confirmed data exposure
· Typical expected range: $40M – $90M
o multi-week disruption, major breach notification and legal response
· Upper-bound realistic scenarios: $100M – $180M
o Large-scale sensitive data theft, prolonged regulatory and litigation tail
Government Services & Public Administration Contractors
Benefits processing, child support systems, citizen-facing platforms
· Low-end total cost: $20M – $45M
o Limited disruption, contained data scope, rapid restoration
· Typical expected range: $60M – $120M
o Multi-agency service outages, large-scale citizen data exposure
· Upper-bound realistic scenarios: $140M – $220M
o Extended disruption, state investigations, major litigation tail
Primary cost amplifiers
· Prolonged downtime
· State breach compliance
· Contract penalties
Healthcare & Health Insurance Administration
Claims processing, eligibility systems, PHI-heavy environments
Healthcare-linked breaches tend to generate higher regulatory and legal costs because stolen data often includes PHI.
· Short disruption, limited PHI confirmation
o Low-end total cost: $25M – $55M
· Broad PHI exposure, HIPAA response, multi-year monitoring
o Typical expected range: $75M – $150M
· Class-action escalation, OCR enforcement, systemic remediation
o Upper-bound realistic scenarios: $175M – $275M
Primary cost amplifiers
· HIPAA enforcement
· Identity protection duration
· Litigation severity
Transportation & Tolling Operations
Toll systems, transit payment infrastructure, logistics platforms
The dominant cost driver here is real-time operational disruption and revenue leakage during outages.
· Localized outage, minimal customer PII theft
o Low-end total cost: $15M – $35M
· Payment disruption, service credits, restoration complexity
o Typical expected range: $45M – $95M
· Regional outage, extended revenue loss, breach expansion
o Upper-bound realistic scenarios: $110M – $180M
Primary cost amplifiers
· Downtime duration
· Revenue interruption
· Public-sector accountability
Large Enterprise Business Process Outsourcing (BPO) Providers
Multi-client service operators handling payroll, HR, government workflows
BPO providers experience cascading downstream liability, because a single breach can trigger multiple client impacts.
· Single-client containment, limited lateral spread
o Low-end total cost: $30M – $65M
· Multi-client notification, contractual exposure, operational disruption
o Typical expected range: $90M – $175M
· Systemic compromise, major client churn, prolonged litigation
o Upper-bound realistic scenarios: $200M – $350M
Primary cost amplifiers
· Client contract penalties
· Multi-tenant exposure
· Reputational loss
Key Cost Drivers
· Duration of operational downtime in customer-facing services
· Scale of breach notification (millions of impacted individuals)
· Litigation and settlement trajectory over 2–3 years
· Regulatory scrutiny across multiple jurisdictions
· Insurance coverage limitations and renewal premium escalation
· Contract penalties tied to government and healthcare processing obligations
Potentially affected sectors
· Government services/public administration
o Benefits
o Child support
o Social services processing
· Healthcare/health insurance administration
· Transportation/tolling operations
· Large enterprise/BPO services
Potentially impacted countries
· United States
Date of first reported activity
· Oct 21, 2024
Date detected/public disruption
· Jan 13, 2025
o SEC filing operational disruption and unauthorized access
Date of last reported activity update
· Feb 6, 2026
Tools used in campaign
· Rclone
o Data exfiltration
· FileZilla
o Data transfer/exfiltration
· ScreenConnect
o Remote access/persistence enablement
· RDP and SMB admin shares
o Lateral movement
· SafePay ransomware encryptor
TTPs
Initial Access
· T1078 Valid Accounts
o Stolen/abused credentials used for entry (VPN/RDP)
· T1133 External Remote Services
o Remote services leveraged for access
Execution
· T1059 Command and Scripting Interpreter
o PowerShell/cmd automation
· T1218.010 Regsvr32
o LOLBin execution via regsvr32
Persistence
· T1547 Boot or Logon Autostart Execution
o Run keys/startup persistence
· T1136 Create Account
o New account creation for persistence (hunt focus)
Privilege Escalation
· T1548.002 Abuse Elevation Control Mechanism
o Bypass UAC
Defense Evasion
· T1562.001 Impair Defenses
o Disable/modify security tools
· T1070 Indicator Removal on Host
o Log clearing
Credential Access
· T1003 OS Credential Dumping
o Credential theft activity
Discovery
· T1083 File and Directory Discovery
o Identify valuable data stores/shares
· T1482 Domain Trust Discovery
o Domain enumeration
Lateral Movement
· T1021.001 Remote Services
o RDP movement
· T1021.002 SMB/Windows Admin Shares
o Share-based movement
· T1569.002 System Services
o Service execution (PsExec-like)
Collection/Staging
· T1560 Archive Collected Data
o WinRAR/7z staging
Exfiltration
· T1567.002 Exfiltration to Cloud Storage/Web Services
o Rclone-based transfer
Impact
· T1486 Data Encrypted for Impact
o Ransomware encryption
· T1490 Inhibit System Recovery
o Shadow copy deletion
CVEs
· There have been no CVEs associated with this breach at this time
Nessus ID
· There have been no CVEs associated with this breach at this time
KEV Catalog
· There have been no CVEs associated with this breach at this time
Mitigation
· Enforce phishing-resistant MFA for VPN/RDP/admin portals
· Rotate credentials and monitor for new admin/service accounts
· Disable direct internet RDP; restrict SMB lateral movement
· Ensure immutable/offline backups; test restores
· Alert on vssadmin/wmic shadow deletion commands
· Monitor outbound transfers for Rclone/FileZilla activity
PATCH RELEASE DATE/URL
· There have been no CVEs associated with this breach at this time
Malware names
· SafePay ransomware
Malware Family
· SafePay
o Double extortion ransomware
o Similarities noted to LockBit builder lineage
SHA256
· wInword.exe
o 625abbf876f256662f33a88c122bf787edf74b882c35adbd61562b5bd1b2ac27
· SafePay
o a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526
Known Decoding Key
· No reliable public decryptor or universal key is documented for SafePay as of the latest sources.
Verdict
· High confidence ransomware + data theft (double extortion) consistent with SafePay activity
o High impact due to sensitive PII/PHI and scale.
Primary objectives
· Data theft for extortion leverage
· Service disruption + encryption for ransom
Behavior analysis
· Remote access logons spike (VPN/RDP)
· Recon/share enumeration
· Credential dumping + privilege escalation
· Staging archives (RAR/7z) and bulk egress (Rclone/FileZilla)
· Disable defenses, stop services, delete shadow copies
· Encrypt data and drop ransom note (readme_safepay.txt) with .safepay extension
SUGGESTED RULES / HUNTS
As a reminder, these are indicator rules. They are likely to be noisy.
For best results consider creating a data model and reviewing the traffic as a report.
SURICATA
Detect RClone user-agent
Possible exfiltration tool usage
· Purpose: Identify outbound HTTP traffic where the User-Agent string matches rclone, often used for bulk data theft.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"POSSIBLE EXFIL - Rclone User-Agent"; flow:established,to_server; http.user_agent; content:"rclone/"; nocase; classtype:trojan-activity; sid:9901001; rev:1;)
Detect mega cloud storage TLS SNI
Possible exfil destination
· Purpose: Alert on encrypted outbound sessions where the TLS Server Name indicates Mega, a common ransomware exfil site.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"POSSIBLE EXFIL - TLS SNI contains mega"; flow:established,to_server; tls.sni; content:"mega"; nocase; classtype:trojan-activity; sid:9901002; rev:1;)
Detect SMB SVCCTL pipe activity
Lateral movement via service control
· Purpose: Identify SMB named pipe access to svcctl, often linked to PsExec/service-based lateral movement.
alert smb $HOME_NET any -> $HOME_NET any (msg:"LATERAL MOVEMENT - SMB svcctl pipe"; flow:established,to_server; content:"\\PIPE\\svcctl"; nocase; classtype:attempted-admin; sid:9901003; rev:1;)
SentinelOne
Detect shadow copy deletion
Inhibit Recovery
· Catch ransomware pre-encryption activity where attackers delete backups/shadow copies
EventType="Process Creation" AND (CommandLine contains "vssadmin delete shadows" OR CommandLine contains "wmic shadowcopy delete" OR CommandLine contains "wbadmin delete catalog")
Detect exfiltration tool execution
Rclone/Filezilla
· Purpose: Identify execution of common file transfer utilities used for staging or exfiltration.
EventType="Process Creation" AND (ImagePath endswith "\\rclone.exe" OR ImagePath endswith "\\filezilla.exe")
Detect LOLBin regsvr32 suspicious internet execution
· Purpose: Flag abuse of regsvr32 for stealthy script execution or payload retrieval.
EventType="Process Creation" AND ImagePath endswith "\\regsvr32.exe" AND (CommandLine contains "/i:" OR CommandLine contains "http")
Detect mass file rename to .safepay
Encryption indicator
· Purpose: Detect ransomware impact stage where files are renamed with SafePay extension.
EventType="File Rename" AND TargetFileName endswith ".safepay"
SPLUNK
Detect abnormal RDP logon bursts
Valid account misuse
Purpose: Identify suspicious spikes in remote logons which may indicate compromised credentials.
index=wineventlog sourcetype=WinEventLog:Security EventCode=4624 LogonType=10
| stats count dc(AccountName) as uniq_users values(AccountName) as users by src_ip, host
| where count>20 OR uniq_users>5
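A time-windowed version of this logon-burst hunt, as an added example (not part of the original report and not Splunk code): it applies the same thresholds to constructed 4624 records but buckets them into 15-minute windows, so a burst stands out from a day's normal RDP traffic instead of being diluted across the whole search range. Field names mirror the SPL above; every record, host and address is made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)     # fixed bucket; the SPL above counts over the whole search range
COUNT_THRESHOLD = 20               # same thresholds as the Splunk rule (count>20 OR uniq_users>5)
UNIQ_USER_THRESHOLD = 5


def _make(start, src, host, users, n, step_sec):
    """Build n constructed 4624 LogonType 10 records from one source, one every step_sec."""
    base = datetime.fromisoformat(start)
    return [{"time": (base + timedelta(seconds=i * step_sec)).isoformat(), "host": host,
             "src_ip": src, "AccountName": users[i % len(users)], "LogonType": 10}
            for i in range(n)]


# Constructed sample: one source cycling six accounts in eight minutes (24 logons), a
# help-desk box with three RDP logons spread over 20 minutes, and one non-RDP logon.
SAMPLE_4624 = (
    _make("2024-10-21T02:00:00", "203.0.113.5", "vpn-jump01",
          ["svc_backup", "jdoe", "asmith", "bkim", "clee", "dng"], 24, 20)
    + _make("2024-10-21T09:00:00", "10.20.0.15", "ws-helpdesk", ["helpdesk1"], 3, 600)
    + [{"time": "2024-10-21T10:00:00", "host": "srv02", "src_ip": "10.20.0.15",
        "AccountName": "helpdesk1", "LogonType": 3}]
)


def find_rdp_bursts(events, window=WINDOW, count_threshold=COUNT_THRESHOLD,
                    uniq_threshold=UNIQ_USER_THRESHOLD):
    """Group RDP (LogonType 10) logons by (src_ip, host, window) and return the
    buckets whose logon count or distinct-account count exceeds the thresholds."""
    buckets = defaultdict(list)
    for e in events:
        if e.get("LogonType") != 10:
            continue
        ts = datetime.fromisoformat(e["time"])
        start = ts - (ts - datetime.min) % window          # floor to the window boundary
        buckets[(e["src_ip"], e["host"], start)].append(e["AccountName"])
    hits = []
    for (src, host, start), accounts in sorted(buckets.items()):
        uniq = sorted(set(accounts))
        if len(accounts) > count_threshold or len(uniq) > uniq_threshold:
            hits.append({"src_ip": src, "host": host, "window_start": start.isoformat(),
                         "count": len(accounts), "users": uniq})
    return hits


if __name__ == "__main__":
    for hit in find_rdp_bursts(SAMPLE_4624):
        print(hit)
```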
Detect shadow copy deletion commands
Ransomware precursor
Purpose: Alert on commands used to remove recovery mechanisms.
index=sysmon EventCode=1
| search (CommandLine="*vssadmin*delete*shadows*" OR CommandLine="*wmic*shadowcopy*delete*" OR CommandLine="*wbadmin*delete*catalog*")
| stats earliest(_time) as first latest(_time) as last values(host) as hosts values(User) as users values(CommandLine) as cmds
Detect service installation events
PsExec/Lateral movement
Purpose: Identify new service creation often used for remote execution across hosts (Windows System log event 7045 and Security log event 4697).
(index=wineventlog sourcetype=WinEventLog:System EventCode=7045)
OR (index=wineventlog sourcetype=WinEventLog:Security EventCode=4697)
| stats count values(ServiceName) as svc values(ImagePath) as img by host, user
| where count > 3
Detect archiving bursts
Data staging before exfiltration
Purpose: Identify excessive use of rar/7z utilities for compressing stolen data.
index=sysmon EventCode=1
| search (Image="*\\rar.exe" OR Image="*\\winrar.exe" OR Image="*\\7z.exe")
| stats count values(CommandLine) as cmd by host, user
| where count > 10
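As an added example that is not part of the original report, the following Python correlates the per-indicator hunts above into the stage sequence listed under Behavior analysis, so that a host showing archive staging, exfil tooling, shadow-copy deletion and a burst of .safepay renames is reported once instead of as four separate noisy alerts. The event schema, thresholds and sample events are constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Stage matchers derived from the hunts above; image paths and command lines are lowercased
# before matching. The event fields (type, host, image, cmdline, target) are an assumed
# normalised schema for this example, not SentinelOne or Splunk field names.
IMAGE_STAGES = {"staging": re.compile(r"\\(rar|winrar|7z)\.exe$"),
                "exfil_tool": re.compile(r"\\(rclone|filezilla)\.exe$")}
INHIBIT_RECOVERY = re.compile(r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|wbadmin\s+delete\s+catalog")
MASS_RENAME_THRESHOLD = 50   # one stray rename is noise; a burst of .safepay renames is impact

def classify(event):
    """Return the stage an event belongs to, or None if it matches no indicator."""
    if event["type"] == "process":
        if INHIBIT_RECOVERY.search(event["cmdline"].lower()):
            return "inhibit_recovery"
        for name, pattern in IMAGE_STAGES.items():
            if pattern.search(event["image"].lower()):
                return name
    elif event["type"] == "rename" and event["target"].lower().endswith(".safepay"):
        return "encrypt"
    return None

def correlate(events, min_stages=2, rename_threshold=MASS_RENAME_THRESHOLD):
    """Collect distinct stages per host; 'encrypt' counts only once the host's .safepay
    renames reach the threshold. Returns hosts with >= min_stages, most stages first."""
    stages, renames = defaultdict(set), defaultdict(int)
    for e in events:
        s = classify(e)
        if s == "encrypt":
            renames[e["host"]] += 1
            if renames[e["host"]] >= rename_threshold:
                stages[e["host"]].add("encrypt")
        elif s:
            stages[e["host"]].add(s)
    report = [(h, sorted(st)) for h, st in stages.items() if len(st) >= min_stages]
    return sorted(report, key=lambda r: (-len(r[1]), r[0]))

def _proc(host, image, cmdline):
    return {"type": "process", "host": host, "image": image, "cmdline": cmdline}

# Constructed sample: fs01 hits four stages; ws-dev07 has one archiver run and one rename only.
SAMPLE_EVENTS = (
    [_proc("fs01", r"C:\Tools\rclone.exe", "rclone copy D:\\Shares\\HR remote:bucket"),
     _proc("fs01", r"C:\Windows\System32\vssadmin.exe", "vssadmin  Delete Shadows /All /Quiet"),
     _proc("fs01", r"C:\Program Files\WinRAR\WinRAR.exe", "winrar a -r staging.rar D:\\Shares\\Finance")]
    + [{"type": "rename", "host": "fs01", "target": f"D:\\Shares\\doc{i}.docx.safepay"} for i in range(60)]
    + [_proc("ws-dev07", r"C:\Program Files\7-Zip\7z.exe", "7z a backup.7z src"),
       {"type": "rename", "host": "ws-dev07", "target": "C:\\temp\\test.safepay"}]
)
```

Running `correlate(SAMPLE_EVENTS)` reports only fs01; ws-dev07 stays below both the stage count and the rename threshold.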
DELIVERY METHODS
· Compromised VPN/RDP credentials (valid accounts)
· General ransomware ecosystem phishing/social engineering possible, but Conduent-specific lures not publicly detailed.
References
SEC Gov
· hxxps://www.sec.gov/Archives/edgar/data/1677703/000167770325000067/cndt-20250409.htm
Security Week
· hxxps://www.securityweek.com/millions-impacted-by-conduent-data-breach/
Toms Guide
· hxxps://www.tomsguide.com/computing/online-security/massive-government-tech-data-breach-expands-to-more-than-25-million-more-americans-a-year-after-it-was-discovered
Black Point Cyber
· hxxps://blackpointcyber.com/wp-content/uploads/2025/11/SafePay.pdf
Huntress
· hxxps://www.huntress.com/blog/its-not-safe-to-pay-safepay
VirusTotal
· hxxps://www.virustotal.com/gui/file/625abbf876f256662f33a88c122bf787edf74b882c35adbd61562b5bd1b2ac27/details