SafePay is a cybercrime group first documented in late 2024 that quickly established itself as a significant threat in the ransomware landscape. The group is notable for its rapid deployment and aggressive tactics, targeting organizations across multiple sectors including business services, retail, education, manufacturing, government, and healthcare.
Key Characteristics
SafePay employs a double-extortion strategy, encrypting victims’ files and exfiltrating sensitive data before demanding ransom payments. If victims refuse to pay, the group threatens to publish stolen data on their dark web leak site. Files encrypted by SafePay are appended with the .safepay extension, and a ransom note named readme_safepay.txt is left behind, providing instructions for payment and communication with the attackers.
SafePay maintains a dark web blog and a presence on the TON (The Open Network) platform for victim negotiations and data leaks. The group is known for aggressive negotiation tactics, sometimes contacting victims directly by phone to pressure them into paying the ransom.
Attack Methods
SafePay typically gains entry through vulnerable VPN gateways or misconfigured firewalls, often using brute force attacks or valid credentials obtained from credential theft or dark web markets. Once inside, attackers leverage compromised administrator credentials to move laterally across the network.
SafePay is notable for its speed, often moving from initial access to file encryption in under 24 hours, much faster than the industry average. The group uses common system administration tools, PowerShell, and Windows Command Shell for execution and privilege escalation. They also employ registry modifications and disable security tools to evade detection.
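The initial-access pattern described above (password brute force against a VPN gateway, then a login with the guessed credentials) is one a defender can look for in VPN authentication logs. The following is an added detection example, not SafePay tooling and not code from any vendor: it keeps a per-source sliding window of failed logins and raises an alert when a success follows a burst of failures from the same source. The log line format, the sample log, the IP addresses, and the threshold and window values are all constructed assumptions for this demo; a real appliance's log format would need its own parser.

```python
"""Flag a VPN login that follows a burst of failed attempts from one source.

Added example (not SafePay's code nor a vendor's detection rule). The log
format "<iso-ts> vpn auth <FAIL|OK> user=<name> src=<ip>" is invented for
the demo; the threshold and window are assumed values, not from the page.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10            # failures per source within the window (assumed)
WINDOW = timedelta(minutes=5)  # sliding window length (assumed)


def parse_line(line):
    """Parse one constructed log line into (timestamp, result, user, src)."""
    ts_str, _service, _event, result, user_kv, src_kv = line.split()
    return (
        datetime.fromisoformat(ts_str),
        result,
        user_kv.split("=", 1)[1],
        src_kv.split("=", 1)[1],
    )


def find_bruteforce_then_success(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts for sources whose successful login came after >= threshold
    failures inside the sliding window. Events are processed in time order so
    the window logic is independent of how the log was interleaved."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for ts, result, user, src in sorted(map(parse_line, lines)):
        recent = failures[src]
        # Drop failures that have aged out of the window for this source.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if result == "FAIL":
            recent.append(ts)
        elif result == "OK" and len(recent) >= threshold:
            alerts.append({"src": src, "user": user, "failures": len(recent), "at": ts})
            recent.clear()  # one alert per burst
    return alerts


def build_sample_log():
    """Constructed sample log with three sources: a brute-force burst followed
    by success (should alert), a user who mistyped twice (should not), and a
    slow trickle of failures spread well beyond the window (should not)."""
    base = datetime(2025, 1, 10, 2, 0, 0)
    fmt = "{} vpn auth {} user={} src={}"
    lines = []
    # Burst: 12 failures in under 3 minutes, then a success.
    for i in range(12):
        lines.append(fmt.format((base + timedelta(seconds=15 * i)).isoformat(), "FAIL", "jsmith", "203.0.113.7"))
    lines.append(fmt.format((base + timedelta(minutes=3)).isoformat(), "OK", "jsmith", "203.0.113.7"))
    # Benign: two typos, then a success.
    for i in range(2):
        lines.append(fmt.format((base + timedelta(minutes=1, seconds=30 * i)).isoformat(), "FAIL", "amiller", "198.51.100.3"))
    lines.append(fmt.format((base + timedelta(minutes=2)).isoformat(), "OK", "amiller", "198.51.100.3"))
    # Slow trickle: 12 failures three minutes apart, so only two fall inside the window.
    for i in range(12):
        lines.append(fmt.format((base + timedelta(minutes=3 * i)).isoformat(), "FAIL", "svc_backup", "192.0.2.9"))
    lines.append(fmt.format((base + timedelta(minutes=35)).isoformat(), "OK", "svc_backup", "192.0.2.9"))
    return lines


if __name__ == "__main__":
    for alert in find_bruteforce_then_success(build_sample_log()):
        print(f"ALERT {alert['at'].isoformat()} src={alert['src']} user={alert['user']} "
              f"failures_before_success={alert['failures']}")
```

The success-after-burst pattern is the one worth paging on: a failure spike alone is noise on most internet-facing gateways, but a success from the same source right after it is the moment valid credentials start being used, which is the foothold the rest of the intrusion builds on.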
Notable Incidents
As of 2025, SafePay has attacked over 200 organizations worldwide, with a particular focus on Germany, the United States, and the United Kingdom. In one wave, 8 out of 11 new victims were German organizations. In January 2025, SafePay compromised the data of over 235,000 patients at a North Carolina-based pathology lab, exfiltrating sensitive health and personal information.
The group’s leak site lists victims and offers access to stolen data, with vulnerabilities in the site itself allowing researchers to gather intelligence on the group’s operations.
Attribution and Unique Features
The malware includes a Cyrillic-language exclusion, a built-in check that prevents it from running on systems in Russian-speaking countries, suggesting possible ties to Russian-affiliated threat actors, although this is not conclusively proven. SafePay has also been observed using the LockBit ransomware builder, indicating possible links to, or inspiration from, other major ransomware groups.
Indicators of Compromise
• File Extensions: .safepay for encrypted files
• Ransom Note: readme_safepay.txt
• Leak Site: Tor and TON-based platforms for data leaks and victim communications
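The two file-based indicators above (the .safepay extension and the readme_safepay.txt note) are the quickest way to scope an encryption event on a file share during triage. The following is an added example, not SafePay's code nor a vendor tool: it walks a directory tree, matches both indicators case-insensitively (NTFS is case-insensitive), and reports the affected directories. The sample tree it builds is constructed for the demo and contains no real ransomware artefacts.

```python
"""Triage sweep for the SafePay file indicators listed on this page.

Added example (not SafePay's code nor any vendor's tool). It assumes only
the two indicators stated above: the ".safepay" extension on encrypted
files and a ransom note named "readme_safepay.txt". The sample directory
layout and file contents are constructed here for the demo.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".safepay"          # extension appended to encrypted files (from the page)
RANSOM_NOTE = "readme_safepay.txt"  # ransom note filename (from the page)


def scan_for_safepay_iocs(root):
    """Walk `root` and collect paths matching the SafePay file indicators.

    Returns the encrypted files, the ransom notes, and the directories that
    hold at least one of either, which is the usual first estimate of
    encryption scope during triage.
    """
    encrypted, notes, affected_dirs = [], [], set()
    for dirpath, _dirnames, filenames in os.walk(Path(root)):
        for name in filenames:
            lower = name.lower()  # case-insensitive, as on NTFS volumes
            path = Path(dirpath) / name
            if lower == RANSOM_NOTE:
                notes.append(path)
                affected_dirs.add(Path(dirpath))
            elif lower.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                affected_dirs.add(Path(dirpath))
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "affected_dirs": sorted(affected_dirs),
        "hit": bool(encrypted or notes),
    }


def build_sample_tree():
    """Create a constructed tree that mimics a partially hit share.

    Contents are made up for this example; nothing here is a real SafePay
    artefact. Returns the root path.
    """
    root = Path(tempfile.mkdtemp(prefix="safepay_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / "q3_report.xlsx.safepay").write_bytes(b"\x00constructed\x00")
    (root / "finance" / "readme_safepay.txt").write_text("constructed ransom note text\n")
    (root / "hr").mkdir()
    (root / "hr" / "README_SAFEPAY.TXT").write_text("constructed ransom note text\n")  # upper-case variant
    (root / "public").mkdir()
    (root / "public" / "notes.txt").write_text("untouched file\n")
    (root / "public" / "safepay_policy.docx").write_text("name merely contains the word\n")  # must not match
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = scan_for_safepay_iocs(demo_root)
    print(f"SafePay indicators present: {result['hit']}")
    print(f"encrypted files: {len(result['encrypted_files'])}")
    print(f"ransom notes:    {len(result['ransom_notes'])}")
    for d in result["affected_dirs"]:
        print(f"affected dir:    {d.relative_to(demo_root)}")
```

A match on either indicator is enough to call the directory affected; a ransom note with no encrypted files beside it still tells you the encryptor reached that path, which matters when reconstructing how far a sub-24-hour intrusion got before it was stopped.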