SafePay Ransomware Leverages RDP and VPN to Intrude Into Organizations' Networks

SafePay Ransomware Emerges as a Major Cybersecurity Threat

A dangerous new ransomware group has risen to prominence, becoming one of the most formidable threats in today’s cybersecurity landscape. Known for its rapid development and advanced attack strategies, SafePay ransomware is quickly gaining notoriety.

First identified in 2024, SafePay has evolved from an obscure threat into a highly active ransomware operation, responsible for compromising over 200 victims globally within the first quarter of 2025 alone.

The group primarily sets its sights on managed service providers (MSPs) and small to medium-sized businesses (SMBs), spanning multiple industries. It employs a mix of Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) exploitation techniques to infiltrate enterprise networks.

Centralized Operations Make SafePay a Unique and Potent Threat

Unlike many modern threat groups that adopt the ransomware-as-a-service (RaaS) model, SafePay operates under a centralized command structure. This approach sets it apart by enabling the group to retain full control over its infrastructure, victim communications, and the overall orchestration of attacks.

By avoiding the traditional affiliate-based system, SafePay ensures that its campaigns remain highly organized, consistent, and strategically managed, leading to more effective and targeted intrusions.

The group’s swift rise to infamy became especially apparent following its involvement in a major cyberattack on Ingram Micro, a global distributor that supports thousands of partners and MSPs. This incident underscored SafePay’s ability to impact critical supply chain operations on a global scale.

SafePay Shows Strong Ties to LockBit, Uses Advanced Evasion Techniques

Security researchers at Acronis have uncovered notable similarities between SafePay and the well-known LockBit ransomware, particularly with the LockBit 3.0 builder, whose source code was leaked in 2022. These overlaps suggest that SafePay may have adopted or adapted elements from LockBit’s architecture.

From a technical standpoint, SafePay leverages proven but powerful attack techniques. These include:

  • Disabling endpoint protection to avoid early detection,
  • Deleting shadow copies to prevent data recovery,
  • Clearing system logs to obstruct forensic investigations and delay incident response.

The ransomware’s persistence features and anti-detection strategies reflect a deep understanding of enterprise-level security infrastructure, making it particularly challenging to detect, isolate, and eliminate.

The SafePay ransomware is delivered as a PE32 DLL file with a forged compilation timestamp, a tactic used to obscure its origin and bypass analysis tools. To activate correctly, the malware requires specific execution parameters, indicating a controlled and deliberate deployment method.

SafePay adopts a double extortion strategy, in which sensitive data is exfiltrated before the victim’s files are encrypted. This dual-threat approach increases pressure on victims to pay, as both data exposure and operational disruption are used as leverage.

The malware’s technical depth is further demonstrated by its use of living-off-the-land binaries (LOLBins). These are legitimate system tools abused by attackers to execute malicious actions without triggering traditional, signature-based detection mechanisms. This method allows SafePay to camouflage itself within normal system activity, making it extremely difficult to detect and remove.

Infection Mechanism and Data Exfiltration

SafePay Executes Stealthy, Multi-Stage Attacks for Maximum Impact

Once SafePay gains access to a target network, it launches a carefully planned sequence of actions aimed at harvesting sensitive data while avoiding detection.

During its reconnaissance phase, the ransomware utilizes the ShareFinder.ps1 script from the open-source PowerView project. This script scans the local domain to identify all accessible network shares, helping attackers pinpoint high-value targets and gain a comprehensive understanding of the organization’s network layout.

To collect data efficiently, SafePay employs WinRAR with specially crafted command-line arguments. These commands archive sensitive information while excluding irrelevant file types, such as multimedia, executables, and other non-essential formats. Instead, the malware focuses on documents, databases, and configuration files that are likely to hold critical business data.

After packaging the data, SafePay uses the FileZilla client to exfiltrate the compressed archives to attacker-controlled servers. Once this process is complete, both WinRAR and FileZilla are removed from the infected systems, effectively wiping traces and hindering forensic investigations.
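As an added example (not code from the article or from Acronis), the following Python correlation rule maps the behaviours described above, share reconnaissance, WinRAR staging with exclusions, a FileZilla launch, removal of both tools, shadow-copy deletion and log clearing, onto named stages and alerts when a single host shows several of them. The record format, the regex patterns and the sample events are constructed assumptions modelled on the article's description, not SafePay's actual command lines.

```python
import re
from collections import defaultdict

# Ordered stage detectors applied to the lowercased command line (assumed patterns).
# remove_tools is checked before the tool rules so that deleting rar/filezilla
# is not mistaken for running them.
STAGE_RULES = [
    ("recon_shares",   r"sharefinder\.ps1|invoke-sharefinder"),
    ("disable_av",     r"set-mppreference\b.*-disable"),
    ("delete_shadows", r"vssadmin(?:\.exe)?\s+delete\s+shadows|shadowcopy\s+delete"),
    ("clear_logs",     r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|clear-eventlog"),
    ("remove_tools",   r"\b(?:del|erase|remove-item)\b.*(?:rar|filezilla)"),
    ("stage_archive",  r"\b(?:win)?rar(?:\.exe)?\s+a\b.*\s-x"),   # archive with -x exclusions
    ("exfil_client",   r"\bfilezilla(?:\.exe)?\b"),
]
COMPILED = [(name, re.compile(rx)) for name, rx in STAGE_RULES]

def classify(cmdline):
    """Return the first stage whose pattern matches the command line, else None."""
    cl = cmdline.lower()
    return next((name for name, rx in COMPILED if rx.search(cl)), None)

def parse_event(line):
    """Parse a constructed 'timestamp|host|user|commandline' process-creation record."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}

def correlate(lines, min_stages=3):
    """Per host, keep the first sighting of each stage; report hosts reaching min_stages."""
    hits = defaultdict(dict)                      # host -> {stage: first timestamp}
    for ev in map(parse_event, lines):
        stage = classify(ev["cmd"])
        if stage and stage not in hits[ev["host"]]:
            hits[ev["host"]][stage] = ev["ts"]
    return {h: sorted(s, key=s.get) for h, s in hits.items() if len(s) >= min_stages}

# Constructed sample telemetry (not real logs): a file server showing the chain, a benign workstation.
SAMPLE_EVENTS = [
    "2025-03-02T01:12:04Z|FS01|CORP\\svc_backup|powershell.exe -f C:\\Temp\\ShareFinder.ps1",
    "2025-03-02T01:30:52Z|FS01|CORP\\svc_backup|rar.exe a -r D:\\out\\d1.rar \\\\FS01\\Finance -x*.mp4 -x*.exe",
    "2025-03-02T02:05:11Z|FS01|CORP\\svc_backup|C:\\Tools\\filezilla.exe",
    "2025-03-02T02:40:33Z|FS01|CORP\\svc_backup|cmd.exe /c del /q C:\\Tools\\rar.exe C:\\Tools\\filezilla.exe",
    "2025-03-02T03:00:01Z|FS01|CORP\\svc_backup|vssadmin.exe delete shadows /all /quiet",
    "2025-03-02T03:00:09Z|FS01|CORP\\svc_backup|wevtutil.exe cl Security",
    "2025-03-02T09:15:00Z|WS17|CORP\\alice|\"C:\\Program Files\\FileZilla FTP Client\\filezilla.exe\"",
]
if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(stages)}")
```

The workstation's lone FileZilla launch stays below the threshold, which is the point of correlating stages per host rather than alerting on any single tool.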

Strong Encryption and Anti-Forensic Tactics

SafePay implements a hybrid encryption scheme combining AES and RSA. For every file, it generates a unique 32-byte AES key, which is then encrypted with an RSA public key. Because each file has its own key, recovering the AES key for one file does not unlock any other file; without the attacker’s RSA private key, the rest of the encrypted data remains protected.

Encrypted files are marked with the “.safepay” extension. Additionally, the ransomware requires a 32-byte password for successful execution, and incorporates multiple obfuscation techniques to resist analysis and reverse engineering.