Is SafePay Ransomware Safe?

Who is Safepay Ransomware?

Safepay is a newcomer to the ransomware landscape. Since its first published attack in October 2024, the group has attacked over 50 organizations worldwide.

SafePay maintains a dark web blog and a presence on the TON network for victim communications. The group employs the increasingly common double extortion model, combining data encryption with the theft of sensitive information to pressure victims into payment.

Who are they targeting?

Safepay has targeted various organizations across multiple sectors, mainly business services, retail, education, and manufacturing. The most targeted country is the United States, where Singapore, Canada, and Australia are located at the top of that list, after the USA.

In one of the Safepay attacks, the ransomware gang claimed responsibility for the attack on a UK business. SafePay claimed to have stolen 1.2 TB.

Who are Safepay Ransomware’s most recent victims?

On April 16, the Safepay ransomware operation attacked and published 11 new victims on their official DLS. Out of all eleven victims, 8 are from Germany, therefore organizations in Germany should fortify their defenses against the ransomware group and its TTPs.

The victims are from various industries such as: Business services, Construction, Manufacturing, Transportation and Government.

Malware, Toolset, and TTPs

SafePay ransomware represents a sophisticated and evolving threat, leveraging advanced techniques and tools to infiltrate networks and encrypt critical files. This ransomware operates with a multi-stage attack methodology, often beginning with access via Remote Desktop Protocol (RDP). Attackers use Living Off the Land Binaries (LOLBins) to disable security measures like Windows Defender, execute malicious PowerShell scripts, and prepare systems for ransomware deployment. Tools such as WinRAR and FileZilla are used to archive and potentially exfiltrate data, highlighting the group’s focus on both encryption and data theft.

Once deployed, SafePay ransomware employs robust encryption mechanisms, appending the .safepay extension to encrypted files and leaving behind ransom notes to coerce payment. The malware disables recovery options, deletes shadow copies, and uses commands like bcdedit to prevent system restores, increasing the difficulty of recovery without paying the ransom. Its use of a Cyrillic kill switch to avoid targeting systems in certain Eastern European regions indicates strategic targeting, while its modular design—featuring functions for privilege escalation, UAC bypass, and network propagation—demonstrates its sophistication.

Similar to earlier ransomware strains like LockBit, SafePay exploits leaked source codes and adapts its techniques for maximum impact. The combination of data exfiltration, encryption, and strategic obfuscation makes it a dangerous and adaptable ransomware threat, emphasizing the need for proactive defenses such as robust endpoint monitoring, regular patching, and strong access controls.

Origin and Affiliates

So far, the group’s members remained undisclosed.