SafePay is a centralized ransomware operation that emerged in late 2024 and became one of the most active threat groups globally by mid-2025, with over 400 claimed victims as of early 2026. The group uses a double extortion model, exfiltrating sensitive data before encrypting systems, and has been observed completing the full attack chain, from initial access to encryption, in under 24 hours. Its primary targets are small and mid-sized businesses, managed service providers, and organizations with large downstream partner networks across the United States and Western Europe.
What is SafePay ransomware?
Origins and operational model
SafePay first appeared in September-October 2024, after law enforcement actions against LockBit (Operation Cronos) and ALPHV/BlackCat fragmented the ransomware ecosystem, creating opportunities for new operators.
Unlike most ransomware operations that rely on affiliate networks, SafePay operates as a closed, centrally managed organization. The group does not use a Ransomware-as-a-Service (RaaS) model, a structure in which developers recruit affiliates to carry out attacks in exchange for a share of profits. Instead, SafePay develops its own encryptor, manages its own infrastructure, and conducts negotiations directly. The group maintains negotiation and communication infrastructure on both Tor and The Open Network (TON).
This model produces consistent tactics across incidents (an advantage for defenders building detection rules), but it reduces the operational footprint available to investigators. The group’s tactics closely resemble those historically associated with the Conti ransomware operation, including social engineering via phone calls and the targeting of ESXi hosts. This resemblance, combined with SafePay’s rapid scaling, suggests involvement of experienced operators from previously disbanded collectives.
Who SafePay targets
SafePay scaled rapidly through 2025, reaching peak activity by mid-year when it briefly became the most active ransomware operation globally. The United States is the primary target, followed by Germany and the United Kingdom.
Victim data from leak-site disclosures suggests deliberate sector selection rather than opportunistic scanning. The majority of victims are service-based organizations, with technology, manufacturing, healthcare, legal, financial services, and education also represented. The overwhelming majority are small or mid-sized businesses. The group also targets managed service providers (MSPs) and IT distributors, where a single compromise cascades to hundreds of downstream partners.
Code heritage and technical profile
Technical analysis of the ransomware binary has identified significant code overlap with leaked LockBit 3.0 (also known as LockBit Black) source code from 2022, as well as elements resembling ALPHV/BlackCat and INC Ransom. However, the encryptor was substantially reworked, rather than built directly from the leaked code. Early samples contained a kill switch that terminated execution on systems with Cyrillic-based locale or keyboard settings, an OPSEC practice commonly associated with CIS-region threat actors. This check was removed in later variants.
How a SafePay attack unfolds
The phases below map the intrusion lifecycle in the order defenders typically observe it during an active incident.
Initial access
SafePay gains entry through stolen or exposed credentials, and in some cases through brute-force or password spraying attacks. These credentials are used to authenticate to VPN gateways where MFA was absent or ineffective due to configuration gaps, with FortiGate appliances observed in multiple incidents. Exposed Remote Desktop Protocol (RDP) endpoints are also targeted. SafePay has also employed social engineering: flooding targets with thousands of spam emails, then calling them on Microsoft Teams, posing as IT support staff, to gain remote access via Quick Assist.
Discovery and privilege escalation
Once inside, SafePay establishes persistence via registry Run keys and, in some cases, installation of remote monitoring tools such as ConnectWise ScreenConnect or the QDoor backdoor. The operators then enumerate the network using ShareFinder.ps1, a PowerShell script that maps accessible SMB shares and locates high-value targets. Credential harvesting follows, using credential-dumping tools to extract password hashes and other cached credentials. Privilege escalation is achieved through UAC bypass, specifically abusing the CMSTPLUA COM interface, and token impersonation.
Defense evasion and lateral movement
This phase is where the attack becomes visible to well-instrumented defenders. SafePay disables or tampers with Windows Defender using PowerShell commands and LOLBins (living-off-the-land binaries: legitimate system tools repurposed for malicious activity). The ransomware terminates processes and services that could interfere with encryption or exfiltration, including database engines (SQL Server, Oracle), email servers (Microsoft Exchange), backup solutions (Veeam), and endpoint protection products (Sophos). The Volume Shadow Copy service is stopped, and all shadow copies and third-party backup files are deleted. Boot configuration is modified via bcdedit to disable Windows Recovery, and event logs are cleared to hinder forensic analysis. In some incidents, operators have also changed all administrator passwords, locking the victim out of their own infrastructure before encryption begins.
Lateral movement relies on RDP sessions, PsExec, WinRM, and administrative shares. Ransomware payloads are copied to target systems and executed remotely, enabling near-simultaneous deployment across the environment.
Data exfiltration
SafePay archives sensitive data with WinRAR or 7-Zip and exfiltrates it via FileZilla, Rclone, or, as reported in some smaller-scale incidents, the RDP clipboard. The attackers often uninstall exfiltration tools after use to reduce forensic traces. Exfiltration volumes can reach several terabytes, providing leverage for extortion. If the victim refuses to pay, stolen data is published on the group’s leak site.
Encryption
The ransomware binary is a PE32 DLL file executed via regsvr32.exe (or in some cases rundll32.exe) with a mandatory -pass= argument that decodes embedded configuration data. Encryption uses ChaCha20 or AES, depending on the target system’s hardware capabilities, with per-file keys protected through asymmetric cryptography. The binary supports intermittent encryption, encrypting only a portion of each file’s data blocks to accelerate the process and complete before defenses can react. Affected files receive the .safepay extension. In environments running VMware ESXi, SafePay targets the hypervisor, rendering all hosted virtual machines inoperable.
A ransom note titled readme_safepay.txt directs victims to a Tor-based negotiation portal. Ransom demands have been reported at 1-3% of the victim’s estimated annual revenue. The binary’s modular design allows operators to configure targeting parameters via command-line arguments, including specific drives and self-deletion after execution.
Greetings! Your corporate network was attacked by SafePay team.
Your IT specialists made a number of mistakes in setting up the security of your corporate network, so we were able to spend quite a long period of time in it and compromise you.
It was the misconfiguration of your network that allowed our experts to attack you, so treat this situation as simply as a paid training session for your system administrators.
We've spent the time analyzing your data, including all the sensitive and confidential information. As a result, all files of importance have been encrypted and the ones of most interest to us have been stolen and are now stored on a secure server for further exploitation and publication on the Web with an open access.
Now we are in possession of your files such as: financial statements, intellectual property, accounting records, lawsuits and complaints, personnel and customer files, as well as files containing information on bank details, transactions and other internal documentation.
Furthermore we successfully blocked most of the servers that are of vital importance to you, however upon reaching an agreement, we will unlock them as soon as possible and your employees will be able to resume their daily duties.
We are suggesting a mutually beneficial solution to that issue. You submit a payment to us and we keep the fact that your network has been compromised a secret, delete all your data and provide you with the key to decrypt all your data. WE ARE THE ONES WHO CAN CORRECTLY DECRYPT YOUR DATA AND RESTORE YOUR INFRASTRUCTURE IN A SHORT TIME. DO NOT TRY TO DECRYPT YOUR FILES YOURSELF, YOU WILL NOT BE ABLE TO DO THIS, YOU WILL ONLY DAMAGE THEM AND WE WILL NOT BE ABLE TO RESTORE THEM.
In the event of an agreement, our reputation is a guarantee that all conditions will be fulfilled. No one will ever negotiate with us later on if we don’t fulfill our part and we recognise that clearly! We are not a politically motivated group and want nothing more than money. Provided you pay, we will honour all the terms we agreed to during the negotiation process.
In order to contact us, please use chat below, you have 10 days to contact us, after this time a blog post will be made with a timer for 3 days before the data is published and you will no longer be able to contact us.
To contact us follow the instructions:
Install and run Tor Browser from https://www.torproject.org/download/
Go to http://**********************.onion
Reserve Link: http://**********************.onion
Log in with ID: ************
Contact and wait for a reply, we guarantee that we will reply as soon as possible, and we will explain everything to you once again in more detail.
Our blog:
http://*************************.onion
http://*************************.onion
Our TON blog:
tonsite://*******.ton
You can connect through your Telegramm account.
Real-world impact
The Ingram Micro ransomware attack in July 2025 resulted in a week-long disruption to core platforms, affecting order processing and licensing across regions. With a customer base of over 160,000 organizations and annual net sales of $48 billion, analysts estimate that each day of downtime costs approximately $136 million in lost revenue. Beyond the operational impact, the personal data of 42,521 individuals was compromised, including Social Security numbers, passport numbers, and employment records. The company faced criticism from partners for delayed communication during the outage.
In January 2025, Conduent, a major business process services provider, disclosed a breach that took systems offline for several days, disrupting payment processing and mailroom services for government agencies and healthcare organizations. The resulting data breach compromised information belonging to over 25 million individuals. Notifications to affected individuals began roughly nine months after the breach was discovered, and the number of confirmed victims continues to grow as the audit progresses. Affected parties include employees of Volvo Group, members of Premera Blue Cross and Humana, and policyholders across multiple Blue Cross Blue Shield branches.
In October 2024, an attack on UK telematics provider Microlise disabled fleet tracking for DHL and temporarily disabled tracking and panic alarms on Serco’s prisoner transport vehicles.
Every SafePay incident should be evaluated as a potential data breach, not just an encryption event. All three cases also demonstrate supply chain amplification: a single compromised hub organization cascades disruption to hundreds of downstream partners and customers.
Encryption and recovery assessment
No public decryptor for SafePay ransomware currently exists. The per-file key design, combined with intermittent encryption, produces a scheme that is both fast and cryptographically sound, and decryption without the operator’s private key is not feasible with current methods. Commercial services advertising SafePay decryption typically operate through ransom negotiation rather than cryptographic bypass.
Because SafePay systematically destroys local recovery options before encryption begins, recovery depends almost entirely on the state of offline backup infrastructure.
Indicators of compromise and detection guidance
Indicators and artifacts
| Category | Indicator | Context | MITRE |
|---|---|---|---|
| File extension | .safepay | Appended to all encrypted files | T1486 |
| Ransom note | readme_safepay.txt | Dropped in directories containing encrypted files | - |
| Execution method | regsvr32.exe with -pass= argument | PE32 DLL execution; highly specific to SafePay | T1218.010 |
| Execution method | rundll32.exe with -pass= argument | Observed in some variants | T1218.011 |
| Discovery tool | ShareFinder.ps1 / Invoke-ShareFinder | PowerShell-based SMB share enumeration | T1135 |
| Privilege escalation | CMSTPLUA COM interface abuse | UAC bypass for privilege escalation | T1548.002 |
| Persistence | Registry Run keys | Standard persistence mechanism | T1547.001 |
| Persistence | ConnectWise ScreenConnect | RMM tools installed for sustained access | T1219 |
| Persistence | QDoor backdoor | Lightweight RAT for command execution and tunneling | - |
| Defense evasion | Registry-based Defender disabling, GPO exclusion injection, Set-MpPreference | Multiple methods of disabling Defender observed; monitor all variants, not just PowerShell | T1562.001 |
| Lateral movement | PsExec, WinRM, RDP, SMB admin shares | Remote execution and payload deployment | T1021.001, T1570 |
| Exfiltration tools | FileZilla, Rclone, WinRAR, 7-Zip | Data archiving and transfer; often uninstalled after use | T1048.003 |
| Recovery inhibition | vssadmin shadow copy deletion, bcdedit | Pre-encryption preparation | T1490 |
Full MITRE ATT&CK technique descriptions available at attack.mitre.org.
Priority detection signals
Individual signals above may have legitimate explanations, but the following combinations indicate a probable ransomware incident and should trigger immediate containment:
- Pre-encryption sequence: Windows Defender tampering (registry modifications, GPO exclusion injection, or Set-MpPreference commands) followed by shadow copy deletion (vssadmin) and event log clearing within the same environment. This combination has been commonly observed in SafePay intrusions as the final preparation before encryption.
- Lateral deployment pattern: PsExec or WinRM execution from a single source to multiple hosts within a short time window, particularly when combined with DLL files being written to administrative shares. This indicates coordinated ransomware staging across the environment.
- Exfiltration-then-encryption sequence: Large outbound data transfers via FileZilla or Rclone in the hours immediately preceding file encryption events. SafePay often completes exfiltration before triggering encryption, making anomalous egress traffic the last detection opportunity before impact.
- Identity lockout: Bulk password changes across administrator accounts immediately before encryption begins.
- SafePay-specific execution: regsvr32.exe executing a DLL with a -pass= command-line argument. This pattern is highly specific to SafePay and should be treated as a critical-severity alert requiring immediate investigation.
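The correlation logic behind three of the signals above (the pre-encryption sequence, the lateral deployment fan-out, and the regsvr32/rundll32 -pass= execution), as an added example that is not Proven Data tooling or code from the original article. It runs over constructed process-creation records; the field names (host, ts, image, cmdline), the 60-minute window and the three-host fan-out threshold are assumptions, not a vendor schema or a published threshold.

```python
# Added example: correlate process-creation telemetry for the SafePay priority detection
# signals. Event fields (host, ts, image, cmdline) are an assumed simplified EDR/Sysmon shape.
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)  # assumed correlation window
FANOUT = 3                      # assumed distinct-target threshold for lateral staging

def classify(e):
    """Map one process event to the attack stage it represents, or None."""
    img, cmd = e["image"].lower(), e["cmdline"].lower()
    if img in ("regsvr32.exe", "rundll32.exe") and "-pass=" in cmd:
        return "safepay_exec"
    if ("set-mppreference" in cmd and "-disable" in cmd) or (
            "add-mppreference" in cmd and "-exclusion" in cmd) or "disableantispyware" in cmd:
        return "defender_tamper"
    if img == "vssadmin.exe" and "delete shadows" in cmd:
        return "shadow_delete"
    if img == "wevtutil.exe" and cmd.split()[1:2] in (["cl"], ["clear-log"]):
        return "log_clear"
    if img.startswith("psexec") or ("invoke-command" in cmd and "-computername" in cmd):
        return "remote_exec"
    return None

def remote_target(cmd):
    """Target host from a PsExec UNC argument or an Invoke-Command -ComputerName line."""
    m = re.search(r"\\\\([\w.-]+)|-computername\s+([\w.-]+)", cmd, re.I)
    return (m.group(1) or m.group(2)).lower() if m else None

def detect(events):
    """Return (severity, host, reason) tuples for the correlated signals."""
    alerts, stages, remote = [], defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        stage = classify(e)
        if stage == "safepay_exec":  # SafePay-specific: one event is enough for critical
            alerts.append(("critical", e["host"], "regsvr32/rundll32 DLL load with -pass="))
        elif stage == "remote_exec":
            remote[e["host"]].append((e["ts"], remote_target(e["cmdline"])))
        elif stage:
            stages[e["host"]].append((e["ts"], stage))
    for host, seq in stages.items():  # pre-encryption sequence on one host within WINDOW
        for i, (t0, st) in enumerate(seq):
            later = {s for t, s in seq[i + 1:] if t - t0 <= WINDOW}
            if st == "defender_tamper" and {"shadow_delete", "log_clear"} <= later:
                alerts.append(("high", host, "Defender tamper, then shadow deletion and log clearing"))
                break
    for src, seq in remote.items():  # lateral deployment fan-out from one source
        for i, (t0, _) in enumerate(seq):
            targets = {tgt for t, tgt in seq[i:] if tgt and t - t0 <= WINDOW}
            if len(targets) >= FANOUT:
                alerts.append(("high", src, f"remote execution to {len(targets)} hosts in {WINDOW}"))
                break
    return alerts

def event(host, hhmm, image, cmdline):  # sample builder; only relative timing matters
    return {"host": host, "ts": datetime.fromisoformat(f"2025-06-10T{hhmm}:00"),
            "image": image, "cmdline": cmdline}

# Constructed sample telemetry: hostnames, times and paths are invented.
SAMPLE_EVENTS = [
    event("srv-fs01", "01:02", "powershell.exe", "Set-MpPreference -DisableRealtimeMonitoring $true"),
    event("srv-fs01", "01:15", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    event("srv-fs01", "01:16", "wevtutil.exe", "wevtutil.exe cl Security"),
    event("srv-fs01", "01:30", "regsvr32.exe", "regsvr32.exe /s C:\\PLACEHOLDER\\x.dll -pass=PLACEHOLDER"),
    event("jump01", "01:20", "psexec.exe", "psexec.exe \\\\ws-101 cmd"),
    event("jump01", "01:21", "psexec.exe", "psexec.exe \\\\ws-102 cmd"),
    event("jump01", "01:22", "powershell.exe", "Invoke-Command -ComputerName ws-103 -ScriptBlock {hostname}"),
    event("admin-pc", "09:00", "vssadmin.exe", "vssadmin.exe list shadows"),  # benign: no alert
]
```

Running detect(SAMPLE_EVENTS) yields one critical alert for srv-fs01 and two high alerts (the srv-fs01 pre-encryption chain and the jump01 fan-out), while the lone vssadmin list shadows on admin-pc produces nothing.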
Minimum viable logging coverage
Effective detection requires centralized telemetry across identity, endpoint, and network sources:
- VPN and identity provider authentication logs with MFA status
- Active Directory authentication and privilege change events (Event IDs 4624, 4672, 4720, 4732)
- EDR telemetry covering process creation, file access patterns, and registry modifications
- PowerShell logging (module, script block, and transcription) to capture discovery and evasion commands
- Egress traffic visibility via DNS logs, proxy logs, or NetFlow, with alerting on data volume anomalies
Prevention and hardening
Each control below targets a specific SafePay technique observed in real incidents.
Identity and remote access:
- Enforce multi-factor authentication on all VPN, RDP, and cloud identity endpoints, with no exceptions. This single control directly addresses SafePay’s primary entry vector and would have prevented the majority of documented incidents
- Disable local account authentication on VPN gateways. SafePay has exploited FortiGate configurations that allowed local accounts to bypass MFA requirements
- Implement conditional access policies that block logins from impossible-travel locations, unknown devices, and non-compliant endpoints
- Patch VPN appliances promptly. Fortinet products are directly implicated in SafePay incidents, but GlobalProtect, Cisco, and SonicWall vulnerabilities have also been exploited by ransomware groups more broadly
- Restrict VPN access to managed, compliant devices using device certificates or endpoint posture checks
- Monitor for credentials exposed in dark web marketplaces and infostealer dumps. Rotate compromised credentials proactively, before they are used against you
- Restrict Quick Assist, Teams-based remote assistance, and similar tools to authorized use only to counter SafePay’s social engineering tactics
Privileged access and Active Directory:
- Implement Active Directory tiering: restrict domain administrator accounts to dedicated, hardened workstations
- Deploy a Local Administrator Password Solution (LAPS) to eliminate shared local admin credentials across endpoints
- Monitor for credential-dumping behavior, including LSASS memory access patterns, through EDR
Endpoint and server protections:
- Maintain EDR with tamper protection enabled across all endpoints and servers. SafePay operators have disabled Defender through multiple methods, including PowerShell commands, registry edits, and direct GUI manipulation
- Enforce application control: block unauthorized DLL execution via regsvr32, which directly neutralizes SafePay’s final encryption stage, and restrict PowerShell to constrained language mode where feasible
Network segmentation and egress controls:
- Segment networks to limit lateral movement between IT management, user, operational, and backup environments
- Block unauthorized outbound FTP, Rclone, and cloud storage traffic at the perimeter
- Alert on anomalous large outbound data transfers. SafePay’s exfiltration typically occurs in the hours immediately before encryption begins
Backup resilience:
- Follow the 3-2-1-1-0 strategy: three copies, two media types, one offsite, one immutable, zero errors on the last restore test
- Test restore procedures regularly against realistic recovery scenarios. Untested backups cannot be relied upon
- Ensure backup infrastructure is network-segmented and inaccessible via production Active Directory credentials
Incident response playbook
Containment and evidence preservation: Isolate affected systems from the network immediately by disabling network adapters or quarantining through EDR. Do not power off machines. Volatile evidence in memory and running processes is critical for forensic analysis. Disable all remote access accounts (VPN and RDP) until compromised credentials can be identified. Begin preserving logs across VPN, Active Directory, EDR, firewall, DNS, and proxy systems. Ensure auto-rotation does not destroy records from the preceding 72 hours. Notify legal counsel, the cyber insurance carrier, and an incident response partner.
Scoping and identity lockdown: Determine the extent of the compromise: how many systems are affected, which accounts are compromised, and whether evidence of data exfiltration exists. Force-reset privileged accounts, prioritizing domain administrator and VPN accounts first, then staging service-account and cloud admin resets to avoid disrupting critical business processes. Brief leadership and activate the communication plan.
Eradication, recovery, and monitoring: Remove all persistence mechanisms: registry Run keys, unauthorized RMM installations, and scheduled tasks. Rebuild compromised systems from known-clean images rather than cleaning infected machines in place. Restore from verified backups, prioritizing business-critical systems. Monitor aggressively for re-entry. Execute a full environment-wide credential rotation, including service accounts and API keys that may not have been covered during the initial emergency reset.
Post-incident: Conduct a structured lessons-learned review promptly after containment. Validate that the root cause has been remediated, whether that means patching the exploited VPN, enforcing MFA, or confirming all exposed credentials have been rotated. Consider targeted penetration testing to verify that your detection tools identify SafePay’s tactics. Engage breach counsel to determine notification obligations based on confirmed data exposure.
Ransom payment considerations: Payment does not guarantee functional decryption or data deletion. Legal, insurance, and sanctions compliance (including OFAC considerations) must be evaluated before any decision. Organizations facing this choice should engage professional ransomware recovery services to assess all available recovery options before deciding whether to pay.
What SafePay suggests about the road ahead
SafePay isn’t dangerous because it invented something new. It’s dangerous because it compressed a proven playbook into a timeline most defenders aren’t built to match. The organizations that get hurt aren’t missing tools; they’re missing pre-decided moves. When initial access to encryption can occur within a single day, readiness comes down to how quickly you can detect the foothold, isolate systems, and cut off identity and remote access paths. If any of those steps is still being debated, you’re already behind.
The broader signal is strategic. SafePay’s tradecraft closely resembles Conti-era operations, and its non-affiliate model reduces the internal leaks and OPSEC exposure that damaged its predecessors. The group also targets organizations whose downstream dependencies, including partners, clients, and regulated data subjects, multiply the pressure to pay. That combination of speed, discipline, and leverage is a blueprint, not an outlier.
If your organization is facing a ransomware incident or needs to evaluate its readiness against emerging threats, Proven Data’s incident response and ransomware recovery team provides 24/7 support for containment, investigation, and recovery.