SafePay Ransomware Uses RDP and VPN Access to Infiltrate Organizational Networks

SafePay ransomware has become one of the most active and destructive threat actors in Q1 2025, a shocking development in the cybersecurity scene.

According to the Acronis Threat Research Unit (TRU), SafePay has aggressively targeted over 200 victims worldwide, including managed service providers (MSPs) and small-to-midsize businesses (SMBs) across diverse industries.

Unlike many ransomware groups that operate under a ransomware-as-a-service (RaaS) model with affiliates, SafePay maintains centralized control over its operations, infrastructure, and negotiations.

[Figure: SafePay ransomware sample analyzed]

A Rapid Rise to Infamy in Q1 2025

This strategic approach, combined with recycled yet highly effective tactics, has enabled the group to execute devastating attacks, such as the recent disruption of Ingram Micro, a global distributor serving thousands of partners and MSPs.

SafePay’s rapid ascent and sophisticated methods highlight a growing challenge for organizations striving to protect their networks from such insidious threats.

SafePay, first identified in 2024 with over 20 victims in its debut year, bears striking similarities to the infamous LockBit ransomware family, particularly LockBit 3.0 (also known as LockBit Black), whose source code was leaked in 2022.

Analysis by TRU reveals that SafePay samples, identified as PE32 DLL files with fake compilation timestamps, share multiple traits with LockBit, including encoded strings, dynamic resolution of WinAPI addresses during execution, and the use of dummy functions with sequential API calls that serve no practical purpose but complicate analysis.

Additionally, SafePay employs tactics such as requiring a password for full execution, abusing the CMSTPLUA COM interface for privilege escalation, and setting the ‘ThreadHideFromDebugger’ flag on threads to evade debugging.

Technical Sophistication

The ransomware checks the system language to avoid running on specific locales, and terminates critical processes and services such as SQL, Veeam, and Sophos to disable defenses.

SafePay infiltrates networks through RDP and VPN connections, leveraging stolen credentials to disable endpoint protection (like Windows Defender), delete shadow copies, and clear logs to suppress detection.

Using tools like the open-source ShareFinder.ps1 script, attackers identify network shares, archive sensitive data with WinRAR, and exfiltrate it via FileZilla before encrypting with a potent AES-RSA combination and renaming files with a ‘.safepay’ extension.

[Figure: FileZilla client was deployed to exfiltrate files]

This double-extortion strategy, data theft followed by encryption, amplifies pressure on victims to pay ransoms.

SafePay’s encryption process is meticulous, involving XOR-based string decryption with multiple keys, dynamic library loading (e.g., advapi32.dll, ntdll.dll), and argument parsing for customizable execution options like encryption percentage and network drive targeting.

The ransomware also establishes persistence by modifying the Windows registry to execute on startup and uses commands to delete backups and disable recovery options, ensuring victims have limited recourse.

With a focus on removable and fixed drives, SafePay systematically encrypts files while employing multithreaded operations for efficiency, making it a formidable adversary in the ransomware domain.

Organizations are urged to bolster their defenses against RDP and VPN-based intrusions and monitor for these indicators to mitigate the risk posed by SafePay.
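As an added, defender-side example that is not part of this article or the Acronis write-up: a small Python triage script that matches the behaviours described above (ShareFinder.ps1 share enumeration, Defender real-time protection disabled, Run-key persistence, a staged FileZilla client, a cleared audit log, files renamed to ‘.safepay’) against JSON-lines Windows event records. The record layout, field names and sample events are constructed for this example; the Security, Defender and Sysmon event IDs are the standard Windows ones.

```python
import json
import re

# Registry autorun location the write-up says SafePay modifies for persistence.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)

def classify(ev):
    """Map one parsed event to the SafePay-style behaviour it matches, or None."""
    ch, eid, d = ev.get("channel"), ev.get("event_id"), ev.get("data", {})
    if ch == "Security" and eid == 1102:            # audit log cleared
        return "log_cleared"
    if ch == "Microsoft-Windows-Windows Defender/Operational" and eid == 5001:
        return "defender_realtime_disabled"         # real-time protection off
    if ch == "Sysmon":
        if eid == 1:                                # process creation
            if "sharefinder.ps1" in d.get("CommandLine", "").lower():
                return "share_enumeration"
            if d.get("Image", "").lower().endswith("filezilla.exe"):
                return "ftp_client_staged"
        if eid == 11 and d.get("TargetFilename", "").lower().endswith(".safepay"):
            return "safepay_extension_written"      # file creation
        if eid == 13 and RUN_KEY.search(d.get("TargetObject", "")):
            return "run_key_persistence"            # registry value set
    return None

def scan(jsonl_text):
    """Parse JSON-lines log text; return matched behaviours in log order."""
    hits = []
    for line in jsonl_text.splitlines():
        if line.strip():
            tag = classify(json.loads(line))
            if tag:
                hits.append(tag)
    return hits

def likely_intrusion(hits, threshold=3):
    """Treat >= threshold distinct stages as a correlated SafePay-style intrusion."""
    return len(set(hits)) >= threshold

# Constructed sample events (not real telemetry) in the shape classify() expects.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624, "data": {"LogonType": 10, "TargetUserName": "jdoe"}},
    {"channel": "Sysmon", "event_id": 1, "data": {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                                                  "CommandLine": r"powershell.exe -File C:\Users\Public\ShareFinder.ps1"}},
    {"channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001, "data": {}},
    {"channel": "Sysmon", "event_id": 13, "data": {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc"}},
    {"channel": "Sysmon", "event_id": 1, "data": {"Image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe", "CommandLine": "filezilla.exe"}},
    {"channel": "Security", "event_id": 1102, "data": {}},
    {"channel": "Sysmon", "event_id": 11, "data": {"TargetFilename": r"D:\Finance\Q1-report.xlsx.safepay"}},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)
```

Running `scan(SAMPLE_LOG)` on the constructed log returns six distinct stages, so `likely_intrusion` reports a correlated intrusion; the lone RDP logon event (4624, logon type 10) is intentionally left as context rather than an alert on its own.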

Indicators of Compromise (IoCs)

Type            Indicator
File (SHA256)   a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526
Network (URL)   http://nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion
Email           [email protected]
