SafePay Ransomware
Description
SafePay is a relatively new and highly active ransomware group that first emerged in late 2024. The group has victimized more than 300 organizations worldwide.
Unlike many modern ransomware groups that operate under a Ransomware-as-a-Service (RaaS) model, SafePay manages the entire ransomware operation internally. The group acts as both developer and attacker, creating the ransomware, conducting intrusions, deploying payloads, and extorting victims without the use of affiliates. SafePay is believed to operate out of Eastern Europe, as its ransomware is designed to terminate execution if it detects that the infected system is using a language associated with former Soviet Union countries.
The SafePay ransomware group is also known for using phone calls as part of its double-extortion strategy, applying direct pressure on victims to coerce ransom payments.
Targeted Industries
- Agriculture
- Business Services
- Construction
- Consumer Services
- Education
- Energy, Utilities & Waste
- Finance
- Government
- Healthcare Services
- Hospitality
- Hospitals & Physicians Clinics
- Insurance
- Law Firms & Legal Services
- Manufacturing
- Media & Internet
- Publishing
- Minerals & Mining
- Organizations
- Real Estate
- Retail
- Software
- Telecommunications
- Transportation
Objectives
Financial Gain
Known Tools Used
- 7zip
- FileZilla
- Mimikatz
- PowerShell
- QDoor
- RClone
- ScreenConnect
- ShareFinder
- WinRAR
Known Infection Vectors
- Access purchased from Initial Access Brokers (IAB)
- Exploiting misconfiguration
- Stolen credentials
- Weak passwords
References
Ransomware Statistics and Ransomware Trends 2025
https://www.fortinet.com/resources/cyberglossary/ransomware-statistics