SafePay, an emerging ransomware group, has rapidly ascended from obscurity to notoriety in 2025. In June alone, the group claimed responsibility for attacks on 73 organizations, topping Bitdefender’s Threat Debrief rankings for the month.
July saw another surge, with 42 victims added to its toll. With more than 270 claimed victims to date this year, SafePay’s clandestine methods and rejection of the ransomware-as-a-service (RaaS) model mark it as a uniquely dangerous actor in the cyber-crime ecosystem.
SafePay first appeared in September 2024, shortly after global law enforcement disrupted the ALPHV (BlackCat) operation and seized LockBit infrastructure during Operation Cronos.
Initial forensic analysis revealed code similarities between SafePay and LockBit Black, particularly the use of the ChaCha20 encryption algorithm.
However, SafePay diverges in key respects: it generates a unique symmetric key for each file and embeds a master key within the ransomware, whereas LockBit affiliates use a shared key management approach.
SafePay also forgoes the affiliate model entirely, retaining full control over its operations and profits.
Unlike LockBit and many other ransomware groups, SafePay does not advertise an affiliate program or engage third-party operators.
Its sole public presence is a data leak site that lists victims after encryption. By eschewing an open affiliate ecosystem, SafePay minimizes the risk of code leaks, infrastructure exposure, and insider betrayal.
This closed model also allows the group to pocket 100 percent of ransom payments, potentially explaining its ability to demand high-value payouts.
Victimology
SafePay victims span mid-size and enterprise organizations across the United States, Germany, Great Britain, and Canada. Industries targeted include manufacturing, healthcare, construction, education, research, government, and technology services.

These sectors are particularly vulnerable to availability disruptions, increasing the likelihood that victims will acquiesce to ransom demands to avoid operational downtime and reputational damage.
Revenue profiles of targeted organizations typically hover just above USD 5 million, although outliers include ten companies with revenues exceeding USD 100 million and one colossal victim reporting over USD 40 billion in earnings. Regardless of size, victims face swift encryption: SafePay moves from initial access to full encryption in 24 hours or less.
SafePay’s signature tactic involves blitz attacks, publishing batches of 10 or more victims in a single day.
On November 20, 2024, it listed 23 organizations; on March 30, 2025, it set a personal record with 29.
While top RaaS groups such as Qilin and Akira have also unleashed rapid-fire campaigns—Qilin’s peak was 19 victims in one day on June 12, 2025, while Akira reached 32 victims on April 6, 2025—SafePay’s non-affiliate model rivals and sometimes surpasses these numbers.

However, the median revenue of organizations that fall victim to SafePay’s attacks has been rather consistent over the past four months, with many reported victim organizations having revenues at or just above the $5 million range.

Experts attribute this pattern to targeted reconnaissance using legitimate tools like ShareFinder.ps1 (Invoke-ShareFinder), repurposed to locate valuable network shares swiftly.
Exploitation of known vulnerabilities and living-off-the-land techniques further accelerates SafePay’s infiltration and execution.
SafePay’s data leak site debuted in November 2024 and recently adopted the tagline: “© Not everyone can survive the violence of creation.”
This phrase comes from the British theater production Strange Factories, hinting at possible UK connections among group members.
Moreover, SafePay’s ransomware checks for Cyrillic keyboard layouts, refusing to execute on systems where Cyrillic is enabled—suggesting a deliberate avoidance of Russian targets or alliances with Russian-speaking entities.
Tactics, Techniques, and Procedures
SafePay’s kill chain includes:
- Initial Access: Credential brute-forcing, VPN appliance exploitation, and social engineering by impersonating IT staff.
- Discovery: Deployment of scripts like ShareFinder for network share enumeration.
- Lateral Movement: Use of PsExec and RMM tools.
- Exfiltration: Compression with WinRAR and data transfer via FileZilla.
- Ransomware Deployment: Shadow copy deletion, encryption with a .safepay extension, and delivery of the readme_safepay.txt ransom note.
- Defense Evasion: Anti-debugger detection and termination of security processes.
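The kill chain above compresses into a single day, so detection needs to correlate stages per host rather than alert on any one of them. The following is an added example (not code from the article or from Bitdefender) that classifies constructed Windows process and file events against the named TTPs (ShareFinder, PsExec, WinRAR, FileZilla, shadow copy deletion, the .safepay extension and readme_safepay.txt) and reports hosts that reach several stages within the 24-hour window; the event schema and the exact command-line patterns are assumptions.

```python
"""Correlate SafePay-style kill-chain stages per host over constructed Windows events.
Added example, not the article's code. Event fields (host, ts, image, command_line,
target_file) are an assumed minimal schema, not any specific product's format."""
from datetime import datetime, timedelta
import re

# Stage -> (event field, pattern). Tool and artifact names come from the article's TTP
# list; the exact command-line patterns (e.g. vssadmin) are assumed generic indicators.
STAGES = {
    "discovery":     ("command_line", re.compile(r"sharefinder\.ps1|invoke-sharefinder", re.I)),
    "lateral":       ("image",        re.compile(r"(^|\\)psexe(c|svc)\.exe$", re.I)),
    "exfil_stage":   ("image",        re.compile(r"(^|\\)(rar|winrar)\.exe$", re.I)),
    "exfil_xfer":    ("image",        re.compile(r"(^|\\)filezilla\.exe$", re.I)),
    "shadow_delete": ("command_line", re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy.*delete", re.I)),
    "encryption":    ("target_file",  re.compile(r"\.safepay$|(^|\\)readme_safepay\.txt$", re.I)),
}

def classify(event):
    """Return the stage names an event matches (possibly none)."""
    return [s for s, (field, rx) in STAGES.items() if rx.search(event.get(field) or "")]

def correlate(events, window=timedelta(hours=24), min_stages=3):
    """Collect matched stages per host within 24h of that host's first hit (the article's
    access-to-encryption timeline). Returns {host: sorted stages} for hosts at min_stages+."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        for stage in classify(ev):
            first, seen = by_host.setdefault(ev["host"], [ev["ts"], set()])
            if ev["ts"] - first <= window:
                seen.add(stage)
    return {h: sorted(s) for h, (_, s) in by_host.items() if len(s) >= min_stages}

T0 = datetime(2025, 6, 1, 8, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"host": "ws01", "ts": T0, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -File ShareFinder.ps1", "target_file": ""},
    {"host": "ws01", "ts": T0 + timedelta(hours=2), "image": r"C:\Temp\PsExec.exe",
     "command_line": r"PsExec.exe \\fs01 cmd", "target_file": ""},
    {"host": "ws01", "ts": T0 + timedelta(hours=5), "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin delete shadows /all /quiet", "target_file": ""},
    {"host": "ws01", "ts": T0 + timedelta(hours=6), "image": r"C:\Temp\locker.exe",
     "command_line": "", "target_file": r"D:\Finance\Q2.xlsx.safepay"},
    {"host": "ws02", "ts": T0, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "command_line": "WinRAR.exe a docs.rar docs", "target_file": ""},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # ws01 reaches four stages; ws02 only one
```

A lone WinRAR run on ws02 is not reported, which is the point: single-tool matches are noisy, but three or more stages on one host inside a day is the pattern the article describes.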
Victims receive a unique ID for decryption negotiations and have ten days to pay in Bitcoin before their data is publicly leaked.
Mitigations
Security teams are urged to adopt a multi-layered defense combining prevention, protection, detection, and response:
- Enforce Multi-Factor Authentication for all access.
- Regularly update and patch VPN appliances and critical infrastructure.
- Implement rigorous password policies.
- Leverage advanced threat intelligence platforms such as Bitdefender IntelliZone.
- Employ continuous monitoring with incident investigation and forensics capabilities.
- Harden systems using behavioral-analysis tools like GravityZone PHASR to reduce attack surfaces.
As SafePay continues its aggressive campaign, organizations must bolster resilience and preparedness to counter this rapidly evolving ransomware threat.