Ransomware groups continue to evolve their tactics, but few have made as sharp an impact in 2025 as SafePay. Once a lesser-known player, the group has surged into prominence by quietly amassing hundreds of victims across the globe. In June, SafePay topped Bitdefender’s Threat Debrief rankings after claiming 73 victim organizations in a single month, and the group followed up with 42 more victims in July—its second-highest monthly tally to date.
With more than 270 claimed victims so far this year, SafePay’s discreet operations, rejection of the ransomware-as-a-service (RaaS) model, and rapid-fire victim disclosures signal a significant threat that security researchers and teams should understand.
An Adversary Rises in LockBit’s Shadow
Tracing SafePay’s origins back to September 2024, researchers identified parts of the SafePay ransomware that resemble functionality associated with LockBit, specifically LockBit Black. SafePay’s first attacks occurred more than six months after a coordinated law enforcement effort dismantled the group ALPHV, also known as BlackCat, and several months after the seizure of LockBit’s infrastructure in Operation Cronos in 2024. However, there is strong evidence that SafePay operates independently of LockBit staff and collaborators, notably the striking differences in the two groups’ operational models and encryption processes.
LockBit operates more openly, using a RaaS model to grow their affiliate base, whereas SafePay remains closed and executes attacks on their own. The encryption characteristics of SafePay also differ from those of LockBit.
While both groups use the ChaCha20 algorithm to encrypt files, SafePay generates and protects their encryption keys in their own way, employing a unique symmetric key for each encrypted file together with a key embedded in the ransomware.
No Affiliate Support: Stronger OPSEC and More Money
SafePay’s operations are notably discreet. Apart from a data leak site (DLS) that names victims, there is no evidence of an external forum or community through which the group broadens their interactions beyond victim contact, and there appears to be no correspondence with the public, other threat actors, or potential recruits.
SafePay insists that they do not operate as a RaaS, and a declaration to that effect appears on their data leak site.
SafePay does not market their ransomware to other criminals or advertise an affiliate program. This mitigates OPSEC (operational security) risks, such as code and infrastructure leaks, and other challenges that arise from filling recurring staffing needs. It also means that SafePay keeps their profits rather than dividing them among affiliates or other entities operating on their behalf.
Victimology
The countries that make up a large percentage of SafePay’s victim demographics are the United States, Germany, Great Britain, and Canada. SafePay conducts attacks against mid-size and enterprise organizations, including those with wide networks of partners and clients. This is likely part of a strategic effort to heighten the pressure felt by victims to pay the ransom in order to prevent further damage to their organizational assets and reputation.
When analyzing the types of industries that have fallen victim to SafePay’s attacks, three of the top 10 industries are ideal targets for operational disruption, as they are highly sensitive to losses of availability: manufacturing, healthcare, and construction. In addition, SafePay also targets organizations in education and research, as well as government, along with those in technology, including IT support providers with multiple verticals in their service chain.
Reports of SafePay incidents often cite large ransoms and rapid attacks, moving from initial access to encryption within 24 hours or less.
Whether a ransom amount counts as high or outrageous is subjective, however, and amounts vary with factors such as the targeted organization’s revenue and assets. SafePay is methodical in identifying organizations of interest and posts victims’ revenue figures using data obtained via OSINT or other sources such as stolen files.
Some outliers are present when examining the revenue of past SafePay victims. These outliers include at least ten organizations with revenues exceeding $100 million in recent months and a victim that had revenue surpassing $40 billion. However, the median revenue of organizations that fall victim to SafePay’s attacks has been rather consistent over the past four months, with many reported victim organizations having revenues at or just above the $5 million range.
Victim Trends – The 24-Hour Attack Blitz
One hallmark of SafePay’s behavior is their tendency to publish multiple victims within 24 hours, surpassing 10 victims on numerous days. In one case, SafePay claimed 23 victims in a single day, on November 20, 2024.
While SafePay’s victims per day declined in December 2024, the pattern of claiming more than 10 victims in a day reappeared in March 2025 and continued into July. At the time of this release, SafePay’s greatest number of victims claimed in a single day was 29, on March 30.
SafePay’s Victims Claimed Per Day: A Comparison with Top RaaS Groups
Compared with a 2025 top ransomware group like Qilin, which notably runs an affiliate program, SafePay has surprisingly held its own even though it is a non-RaaS group. SafePay’s greatest number of victims claimed in one day (29) exceeds Qilin’s 19 victims claimed on June 12, 2025.
Akira, another 2025 top ransomware group, has made waves in the security community for their exploitation of CVEs and evolving evasion techniques. This year Akira narrowly surpassed SafePay’s 29 victims claimed in one day by claiming 32 victims on April 6, 2025.
Events Driving the 24-Hour Pattern of Attack
It is essential to understand the types of events that can lead to an increase in daily attacks. Potential factors include acts of revictimization, selling victim data to other parties, and exploiting vulnerabilities, such as zero-day and known flaws. Could acts of revictimization or data brokering to multiple parties contribute to this pattern of SafePay engaging in these one-day sprints?
At the time of this publication, there is no indication that SafePay engages in revictimization, that is, targeting organizations that have already fallen victim to other ransomware groups in order to claim additional victims. Additionally, no marketplace is currently in use to promote the sale of stolen victim data connected to SafePay’s operations.
Given the pattern of more than ten victims being published in one day, it is reasonable to expect that SafePay is identifying soft targets with significant weaknesses in their infrastructure; this, combined with the use of known vulnerabilities and Living off the Land techniques, is most likely pivotal to their ability to infiltrate victim networks. One tool identified in SafePay’s operations is ShareFinder.ps1. This script and the relevant command (Invoke-ShareFinder) are legitimate; however, they have been repurposed to hunt for shares that may contain critical data or to find a location from which to execute a malicious payload.
SafePay’s Data Leak Site and Geographic Attribution
SafePay’s data leak site emerged in November 2024. Recently updated, it features an interesting tagline: © Not everyone can survive the violence of creation.
This quote originates from a British theater show called Strange Factories, released by the company Foolish People. The show is not widely known outside of the United Kingdom, so while the mention is interesting and could suggest that some SafePay staff have knowledge of a niche subset of British media, no further connections to link SafePay to the United Kingdom are readily apparent.
While the geographic region tied to SafePay’s operations is not yet known, there are developing theories surrounding where the group might be based.
SafePay employs multiple techniques to determine whether its ransomware should execute on a system. One of these checks the keyboard layout enabled on the target system: if a Cyrillic keyboard layout is detected, the ransomware does not execute. This suggests that Russian entities are either involved with or allies of SafePay.
The SafePay logo featured on the site bears a resemblance to Illuminati iconography. Entries on past victims remain available on the site. SafePay’s data leak site also features a Contact Us page that allows the visitor to enter their company name, email address, and message.
Tactics, Techniques, and Procedures
The information provided below includes the TTPs that are central to SafePay’s attacks.
Initial Access
SafePay typically establishes initial access to victim networks via credential exposure, brute-force password attacks, or exploiting weaknesses in VPN appliances. The group has also engaged in social engineering tactics similar to other groups, like Black Basta, to impersonate IT staff and install other tools such as RMM (remote monitoring and management) software. Following initial access, SafePay performs discovery by executing scripts like ShareFinder to identify network shares and other storage connected to the victim’s domain.
Lateral Movement
SafePay leverages tools like PsExec to establish lateral movement, connecting to other targets before moving on to exfiltration and execution.
Exfiltration
The group targets files that are likely to be valuable based on attributes such as file extensions and file names. Targets that may yield the most returns for them include invoices and financial data, intellectual property and patents, as well as stored credentials and client lists. SafePay often uses tools, including the archiving program WinRAR, to compress and secure victim data before exfiltration using FileZilla.
Ransomware Deployment
Once the ransomware executes, it begins removing volume shadow copies. The .safepay extension replaces the extensions of affected files, and a ransom note named readme_safepay.txt is dropped into affected directories.
Victims may contact SafePay via their Tor link for more information on submitting a Bitcoin payment and restoring access to their infrastructure. In the ransom note, SafePay provides the victim with a unique ID to create a request for decryption support. The victim must contact SafePay within 10 days, or SafePay will leak their data. An excerpt of the ransom note is included below.
SafePay Ransom Note
Greetings! Your corporate network was attacked by SafePay team.
Your IT specialists made a number of mistakes in setting up the security of your corporate network, so we were able to spend quite a long period of time in it and compromise you.
It was the misconfiguration of your network that allowed our experts to attack you, so treat this situation as simply as a paid training session for your system administrators.
We’ve spent the time analyzing your data, including all the sensitive and confidential information. As a result, all files of importance have been encrypted and the ones of most interest to us have been stolen and are now stored on a secure server for further exploitation and publication on the Web with an open access.
Now we are in possession of your files such as: financial statements, intellectual property, accounting records, lawsuits and complaints, personnel and customer files, as well as files containing information on bank details, transactions and other internal documentation.
Furthermore we successfully blocked most of the servers that are of vital importance to you, however upon reaching an agreement, we will unlock them as soon as possible and your employees will be able to resume their daily duties.
We are suggesting a mutually beneficial solution to that issue. You submit a payment to us and we keep the fact that your network has been compromised a secret, delete all your data and provide you with the key to decrypt all your data. WE ARE THE ONES WHO CAN CORRECTLY DECRYPT YOUR DATA AND RESTORE YOUR INFRASTRUCTURE IN A SHORT TIME. DO NOT TRY TO DECRYPT YOUR FILES YOURSELF, YOU WILL NOT BE ABLE TO DO THIS, YOU WILL ONLY DAMAGE THEM AND WE WILL NOT BE ABLE TO RESTORE THEM.
In the event of an agreement, our reputation is a guarantee that all conditions will be fulfilled. No one will ever negotiate with us later on if we don't fulfill our part and we recognise that clearly! We are not a politically motivated group and want nothing more than money. Provided you pay, we will honour all the terms we agreed to during the negotiation process.
Defense Evasion
The SafePay ransomware is equipped with defense evasion capabilities, including the ability to evade debugger detection. It can also terminate processes associated with anti-malware functions.
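The TTP sections above (ShareFinder discovery, PsExec lateral movement, WinRAR and FileZilla for collection and exfiltration, shadow copy removal, the .safepay extension and the readme_safepay.txt note) map onto telemetry most environments already collect. The script below is an added example written for this article, not Bitdefender code and not a SafePay artifact: it evaluates simple per-event rules over constructed Sysmon-style events and alerts only when several kill-chain stages fire on the same host, since any single indicator (an archiver run, a PsExec session) is common in legitimate administration. The event shape, the PsExec image names and the exact shadow-deletion command lines are assumptions; the article only states that shadow removal occurs.

```python
"""Behavioral detection for the SafePay TTP chain described above, evaluated over
constructed Sysmon-style events. Added example for this write-up; not code from
Bitdefender or from the SafePay actors, and the event shape is an assumption."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    kind: str               # "process", "file" or "powershell"
    image: str = ""         # process image (kind == "process")
    cmdline: str = ""       # full command line (kind == "process")
    path: str = ""          # target file path (kind == "file")
    script: str = ""        # script block text (kind == "powershell")


# Page-stated artifacts: ShareFinder/Invoke-ShareFinder, PsExec, WinRAR, FileZilla,
# volume shadow removal, the .safepay extension and the readme_safepay.txt note.
# The shadow-deletion command lines below are an assumption (common ransomware usage).
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)
PSEXEC_IMAGES = ("psexec.exe", "psexec64.exe", "psexesvc.exe")
ARCHIVERS = ("winrar.exe", "rar.exe")


def basename(image):
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Each rule: (name, kill-chain stage, predicate over one event)
RULES = [
    ("Invoke-ShareFinder share enumeration", "Discovery",
     lambda e: e.kind == "powershell"
     and re.search(r"Invoke-ShareFinder|ShareFinder\.ps1", e.script, re.I) is not None),
    ("PsExec execution", "Lateral Movement",
     lambda e: e.kind == "process" and basename(e.image) in PSEXEC_IMAGES),
    # Archiving alone is noisy; it only matters in combination with other stages.
    ("WinRAR archive creation", "Collection",
     lambda e: e.kind == "process" and basename(e.image) in ARCHIVERS
     and re.search(r"\s[aA]\s", " " + e.cmdline + " ") is not None),
    ("FileZilla launched", "Exfiltration",
     lambda e: e.kind == "process" and basename(e.image) == "filezilla.exe"),
    ("Shadow copy deletion", "Impact",
     lambda e: e.kind == "process" and SHADOW_DELETE.search(e.cmdline) is not None),
    (".safepay extension written", "Encryption",
     lambda e: e.kind == "file" and e.path.lower().endswith(".safepay")),
    ("readme_safepay.txt dropped", "Encryption",
     lambda e: e.kind == "file" and basename(e.path) == "readme_safepay.txt"),
]


def evaluate(events):
    """Return (host, stage, rule name) for every rule that fires."""
    return [(e.host, stage, name) for e in events for name, stage, pred in RULES if pred(e)]


def stages_by_host(events):
    """Distinct kill-chain stages observed per host."""
    seen = {}
    for host, stage, _ in evaluate(events):
        seen.setdefault(host, set()).add(stage)
    return {h: sorted(s) for h, s in seen.items()}


def alert_hosts(events, min_stages=3):
    """Hosts where at least min_stages distinct stages fired: a single archiver run is
    benign, but discovery + lateral movement + shadow deletion on one host is not."""
    return sorted(h for h, s in stages_by_host(events).items() if len(s) >= min_stages)


def looks_like_safepay_note(text):
    """Content check for a recovered note, keyed on the opening line quoted above."""
    return "attacked by SafePay team" in text


# Constructed sample telemetry (not real logs): FS01 shows the chain, WS07 only a backup job.
SAMPLE_EVENTS = [
    Event("FS01", "powershell", script="IEX (Get-Content .\\ShareFinder.ps1); Invoke-ShareFinder -CheckShareAccess"),
    Event("FS01", "process", image=r"C:\Tools\PsExec64.exe", cmdline=r"PsExec64.exe \\DB02 -s cmd.exe"),
    Event("FS01", "process", image=r"C:\Program Files\WinRAR\Rar.exe", cmdline=r'Rar.exe a -r fin.rar "D:\Finance\*"'),
    Event("FS01", "process", image=r"C:\Windows\System32\vssadmin.exe", cmdline="vssadmin.exe delete shadows /all /quiet"),
    Event("FS01", "file", path=r"D:\Finance\Q2_invoices.xlsx.safepay"),
    Event("FS01", "file", path=r"D:\Finance\readme_safepay.txt"),
    Event("WS07", "process", image=r"C:\Program Files\WinRAR\Rar.exe", cmdline=r"Rar.exe a backup.rar C:\Users\jdoe\Documents"),
]

if __name__ == "__main__":
    for host, stages in stages_by_host(SAMPLE_EVENTS).items():
        print(host, stages)
    print("alert:", alert_hosts(SAMPLE_EVENTS))
```

Running the block prints five stages for FS01, one for WS07, and an alert for FS01 only. The stage-counting design matters more than any individual rule: the article notes SafePay moves from initial access to encryption in under 24 hours, so correlating stages within a short window on one host is what separates this chain from routine administration.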
Ransomware Mitigation Practices
A multi-layered security approach that combines Prevention, Protection, Detection, and Response security measures is essential to mitigate ransomware risk and develop a mature security posture.
Implement MFA to ensure that platforms with both admin and user privileges are secured.
Regularly update passwords and enforce a complex password policy to protect systems against repeated attacks.
Assess software and patch it as out-of-date versions are identified, so that it stays current.
Utilize Advanced Threat Intelligence: The right threat intelligence solution can provide critical insights about attacks. Bitdefender IntelliZone consolidates the knowledge we’ve gathered on cyber threats and the associated threat actors into a single console for security analysts to leverage. If you have an IntelliZone account, you can find additional structured information under the following Threat IDs: BDjipcx09m and BDaxvn7xzr
Detection practices that include Incident Investigation, Forensics, and Threat Response help organizations maintain continuous processes to identify activities and IOCs to investigate, along with measures to respond to events and incidents as they occur.
Understanding how legitimate binaries can be abused in your environment and the risk profile that encompasses your unique users and assets is a crucial step to building a proactive defense strategy. Bitdefender GravityZone PHASR (Proactive Hardening and Attack Surface Reduction) technology combines machine learning with behavioral analysis to identify attack vectors and implement actionable, customized recommendations to reduce the attack surface.
Indicators of Compromise
The following indicators are markers for the SafePay ransomware executable and note.
SHA256
a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526
327b8b61eb446cc4f710771e44484f62b804ae3d262b57a56575053e2df67917
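The two SHA256 values above can be swept across file shares and endpoints with a plain hash scan. The following script is an added example for this article, not a Bitdefender tool: it walks a directory tree, hashes each file in chunks so large files do not exhaust memory, skips files it cannot read instead of aborting, and reports matches against the indicator set. The demo builds a constructed temporary tree with a harmless file, confirms nothing matches the real indicators, and then matches the file's own digest to show the scanner works end to end.

```python
"""Hash-match a directory tree against the SafePay SHA256 indicators listed above.
Added example for this write-up; not Bitdefender code."""
import hashlib
import os
import tempfile
from pathlib import Path

# The two indicators published in the article.
SAFEPAY_SHA256 = {
    "a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526",
    "327b8b61eb446cc4f710771e44484f62b804ae3d262b57a56575053e2df67917",
}


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs=SAFEPAY_SHA256):
    """Return [(path, digest)] for every file under root whose digest is in iocs."""
    matches = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # locked or unreadable files are skipped, not fatal
            if digest in iocs:
                matches.append((p, digest))
    return matches


def demo():
    """Constructed demo tree (not malware): returns (matches against the real IOCs,
    matches against the sample file's own digest)."""
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "sub" / "sample.bin"
        sample.parent.mkdir()
        sample.write_bytes(b"constructed sample content for the scanner demo\n")
        real_hits = scan_tree(d)
        synthetic_hits = scan_tree(d, {sha256_file(sample)})
        return len(real_hits), len(synthetic_hits)


if __name__ == "__main__":
    print(demo())
```

In practice, point scan_tree at the roots you care about and feed the matches into your case management; a hash match on either value is a high-confidence indicator that the SafePay executable has been staged on that host, and the behavioral signals described in the TTP sections should then be checked on the same machine.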