SafePay Ransomware Claims Attacks on 73 Organizations Within a Month

SafePay ransomware has rapidly become one of 2025’s most dangerous cyber threats. Reports indicate that the group was responsible for 73 confirmed attacks in June and an additional 42 in July, bringing its total number of victims this year to over 270.

Unlike ransomware-as-a-service (RaaS) groups that work with affiliate networks, SafePay functions as a closed and tightly controlled operation. This independence, combined with strict operational security, allows the group to launch high-volume attacks with alarming efficiency.

Targeted Industries and Regions

SafePay primarily focuses on mid-sized and large organizations located in the United States, Germany, Great Britain, and Canada. Its operations have disrupted sectors vital to daily life, such as manufacturing, healthcare, and construction.

Most affected industries (Source: Bitdefender)

The ransomware group first appeared in September 2024, shortly after international law enforcement dismantled ALPHV (Black Cat) and disrupted LockBit’s infrastructure during Operation Cronos. Analysts from Bitdefender noted similarities between SafePay and LockBit Black, but confirmed that the two groups rely on different methods and encryption techniques.

Rapid and Efficient Attack Strategy

SafePay is capable of carrying out a complete attack cycle within just 24 hours, moving from initial access to full-scale encryption. Its victim profile often includes companies with annual revenues around $5 million, though some victims have reported revenues exceeding $100 million, with one high-profile case involving an organization valued at $40 billion.

SafePay’s Victims Claimed Per Day (Source: Bitdefender)

Encryption and Evasion Techniques

SafePay ransomware stands out for its advanced encryption and evasion strategies. It relies on the ChaCha20 encryption algorithm, generating a unique symmetric key for every encrypted file while embedding additional keys inside its executable. This layered encryption design makes recovery without the attacker’s decryption tool extremely difficult.

The malware includes multiple defense-evasion capabilities, such as debugger detection and the forced termination of processes linked to antivirus tools. It deletes volume shadow copies immediately after execution, preventing victims from restoring files from those snapshots. Once active, it appends the .safepay extension to the files it encrypts and drops ransom notes named “readme_safepay.txt” in compromised folders.
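The two file-system indicators above (the .safepay extension and the readme_safepay.txt note) are enough for a first-pass triage of a suspect file share. The script below is an added example, not code from the article or from Bitdefender's report: it walks a directory tree and reports how many encrypted files exist per folder and where ransom notes were dropped, and separately screens process-creation log lines for shadow-copy deletion commands. The article does not say which command SafePay uses to delete shadow copies, so the patterns for vssadmin, wmic and the Win32_ShadowCopy WMI class are an assumption covering the common Windows methods, not SafePay-specific behaviour. The sample share layout and the log lines are constructed for the demonstration.

```python
"""Triage a file share for SafePay-style ransomware artefacts (added example)."""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the article: encrypted files carry the .safepay
# extension and ransom notes are named readme_safepay.txt.
ENCRYPTED_EXT = ".safepay"
RANSOM_NOTE = "readme_safepay.txt"

# ASSUMPTION: the article only says shadow copies are deleted, not how.
# These patterns cover the usual Windows commands for that step so that a
# process-creation log can be screened; they are generic, not SafePay-specific.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\bRemove\b", re.I),
]


def scan_tree(root):
    """Walk `root` and summarise encrypted files and ransom notes found."""
    encrypted_by_dir = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()
            if lowered == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif lowered.endswith(ENCRYPTED_EXT):
                encrypted_by_dir[dirpath] += 1
    return {
        "encrypted_files": sum(encrypted_by_dir.values()),
        "affected_dirs": sorted(encrypted_by_dir),
        "ransom_notes": sorted(notes),
    }


def shadow_copy_deletions(log_lines):
    """Return the log lines whose command line looks like a shadow-copy wipe."""
    return [line for line in log_lines
            if any(p.search(line) for p in SHADOW_DELETE_PATTERNS)]


def build_sample_share():
    """Create a throw-away directory mimicking a partly encrypted share (constructed)."""
    root = Path(tempfile.mkdtemp(prefix="safepay-demo-"))
    (root / "finance").mkdir()
    (root / "finance" / "q2.xlsx.safepay").write_bytes(b"\x00" * 16)
    (root / "finance" / "budget.docx.safepay").write_bytes(b"\x00" * 16)
    (root / "finance" / RANSOM_NOTE).write_text("constructed ransom note\n")
    (root / "hr").mkdir()
    (root / "hr" / "handbook.pdf").write_bytes(b"%PDF-1.4")  # untouched file
    return str(root)


# Constructed process-creation log lines for the demonstration (not real telemetry).
SAMPLE_LOG = [
    "2025-06-02 03:14:07 host=FS01 user=SYSTEM cmd=C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2025-06-02 03:14:09 host=FS01 user=SYSTEM cmd=C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "2025-06-02 03:14:11 host=FS01 user=SYSTEM cmd=wmic shadowcopy delete",
]

if __name__ == "__main__":
    report = scan_tree(build_sample_share())
    print(f"{report['encrypted_files']} encrypted files in "
          f"{len(report['affected_dirs'])} folder(s)")
    for note in report["ransom_notes"]:
        print("ransom note:", note)
    for hit in shadow_copy_deletions(SAMPLE_LOG):
        print("shadow-copy deletion:", hit)
```

Run against a real share by passing its path to `scan_tree`; the per-folder counts are useful for scoping, since the article notes that SafePay can reach full encryption within 24 hours, so the set of affected folders tells you how far the run had progressed when it was stopped. The log screen is a coarse first filter and should sit alongside, not replace, EDR telemetry for shadow-copy tampering.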

One distinctive feature of SafePay is that it checks the system's language settings before running. The ransomware avoids executing on systems that use Cyrillic keyboard layouts, suggesting ties or alliances with Russian-speaking threat groups.