A new ransomware threat has emerged as one of 2025’s most prolific cybercriminal operations, with SafePay ransomware claiming attacks against 73 victim organizations in June alone, followed by 42 additional victims in July.
This surge has positioned SafePay as a significant threat actor that security teams worldwide must understand and prepare to defend against.
Unlike traditional ransomware-as-a-service (RaaS) models that rely on affiliate networks, SafePay operates as a closed, independent group that maintains strict operational security.
The group’s rapid-fire attack methodology has proven remarkably effective, with more than 270 claimed victims documented throughout 2025.
Their operations target primarily mid-size and enterprise organizations across the United States, Germany, Great Britain, and Canada, focusing on industries critical to daily operations including manufacturing, healthcare, and construction.
The group’s emergence can be traced back to September 2024, arising in the aftermath of significant law enforcement operations that dismantled ALPHV (Black Cat) and severely disrupted LockBit’s infrastructure through Operation Cronos.
Bitdefender analysts identified components of SafePay that resemble functionality associated with LockBit, specifically LockBit Black, though the two groups operate with distinctly different methodologies and encryption processes.
SafePay demonstrates an alarming capability to execute complete attack chains within 24-hour periods, moving from initial access through encryption with devastating efficiency.
Their victim selection appears methodical, targeting organizations with revenues typically around $5 million, though outliers include entities with revenues exceeding $100 million and one victim surpassing $40 billion in revenue.
Encryption and Evasion Mechanisms
SafePay employs sophisticated technical approaches that distinguish it from other ransomware families.
The malware utilizes the ChaCha20 encryption algorithm, implementing unique symmetric keys for each encrypted file while embedding additional keys directly within the ransomware executable.
This dual-key approach complicates recovery efforts and ensures that each victim’s encryption remains uniquely secured.
The ransomware demonstrates advanced defense evasion capabilities, including debugger detection avoidance and the ability to terminate processes associated with anti-malware functions.
Upon execution, SafePay immediately begins removing volume shadow copies to prevent system restoration, then proceeds to encrypt files with the .safepay extension while deploying ransom notes named “readme_safepay.txt” in affected directories.
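The artifacts described above (shadow-copy deletion before encryption, files renamed with the .safepay extension, and readme_safepay.txt dropped into affected directories) are exactly what a host-based detection can key on. The script below is an added illustration, not code from the article or from any vendor named in it: it classifies constructed process and file events per host and raises a verdict when the destructive prerequisite step and the encryption artifacts appear together. The shadow-copy command-line patterns are generic ones that cover the usual deletion methods, not command lines quoted from SafePay samples, and the file-count threshold is an assumed tuning value.

```python
"""Host-based triage for the SafePay artifacts described in the article.

Indicators taken from the article: the .safepay extension, the
readme_safepay.txt ransom note, and shadow-copy removal before encryption.
The command-line patterns and the threshold are assumptions for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RANSOM_EXTENSION = ".safepay"        # from the article
RANSOM_NOTE = "readme_safepay.txt"   # from the article

# Generic shadow-copy deletion patterns (assumed, not SafePay-specific quotes).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I),
]


@dataclass
class Event:
    host: str
    kind: str    # "process" (detail = command line) or "file" (detail = path)
    detail: str


def classify(event: Event) -> Optional[str]:
    """Map one event to an indicator label, or None if it is benign."""
    if event.kind == "process":
        if any(p.search(event.detail) for p in SHADOW_DELETE_PATTERNS):
            return "shadow_copy_deletion"
        return None
    if event.kind == "file":
        # Normalise Windows and POSIX separators before taking the basename.
        name = event.detail.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name == RANSOM_NOTE:
            return "ransom_note_written"
        if name.endswith(RANSOM_EXTENSION):
            return "encrypted_file_written"
    return None


def assess_hosts(events: List[Event],
                 encrypted_file_threshold: int = 3) -> Dict[str, Tuple[str, dict]]:
    """Return {host: (verdict, indicator counts)} for every host seen.

    "ransomware_activity" requires the destructive precursor (shadow-copy
    deletion) plus at least one encryption artifact, matching the sequence
    the article describes; any single indicator alone is only "suspicious".
    """
    counts: Dict[str, Counter] = {ev.host: Counter() for ev in events}
    for ev in events:
        label = classify(ev)
        if label:
            counts[ev.host][label] += 1

    verdicts = {}
    for host, c in counts.items():
        shadow = c["shadow_copy_deletion"] > 0
        note = c["ransom_note_written"] > 0
        encrypted = c["encrypted_file_written"] >= encrypted_file_threshold
        if shadow and (note or encrypted):
            verdict = "ransomware_activity"
        elif shadow or note or c["encrypted_file_written"] > 0:
            verdict = "suspicious"
        else:
            verdict = "clean"
        verdicts[host] = (verdict, dict(c))
    return verdicts


# Constructed sample telemetry (not real logs) for demonstration.
SAMPLE_EVENTS = [
    Event("ws01", "process", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    Event("ws01", "file", r"C:\Users\alice\Documents\report.docx.safepay"),
    Event("ws01", "file", r"C:\Users\alice\Documents\readme_safepay.txt"),
    Event("ws02", "process", r"C:\Program Files\Backup\backup.exe --snapshot"),
    Event("ws02", "file", r"C:\Users\bob\notes.txt"),
    Event("ws03", "file", r"C:\Shares\finance\q2.xlsx.safepay"),
]

if __name__ == "__main__":
    for host, (verdict, c) in assess_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict} {c}")
```

In practice the process and file events would come from Sysmon (event IDs 1 and 11) or an EDR feed; the point of the two-stage verdict is that shadow-copy deletion on its own also occurs in legitimate backup maintenance, while a ransom note or a burst of renamed files following it does not.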
One notable technical characteristic involves the malware’s geographic targeting logic.
SafePay checks the keyboard layout and refuses to run on systems with a Cyrillic layout, a behaviour that suggests potential Russian connections or alliances within the threat actor ecosystem.