SafePay Ransomware


About This Threat Profile

First Identified: 2024

Threat Type:
Likely a private operation

Extortion method:
Double extortion – combining the traditional ransomware extortion method (encryption) with exfiltration of victims’ sensitive data; the group threatens to leak the data via a data leak site if the ransom demand is not paid.

Most frequently targeted industry:

  • Industrials (Manufacturing)
  • Industrials (Construction & Engineering)
  • Healthcare

Most frequently targeted victim HQ region: North America

Known Associates:

  • BlackSuit Ransomware
  • Conti Ransomware
  • INC Ransom Ransomware
  • LockBit Ransomware
  • Lynx Ransomware

Select MITRE ATT&CK Mappings

    • Initial Access
      • Valid accounts; exploitation of public-facing applications; phishing (MITRE ATT&CK: T1078, T1190, T1566)
    • Persistence
      • External remote services; create or modify system process (MITRE ATT&CK: T1133, T1543)
    • Lateral Movement
      • Remote Services (MITRE ATT&CK: T1021)

Description of SafePay Ransomware

SafePay Ransomware was first identified in October 2024 and operates in the double extortion method – which combines the standard encryption method with data theft and the threat of leaking or selling the data if the ransom demand is not paid.

SafePay Ransomware has been assessed to have been built with the leaked LockBit 3.0 builder. However, there are also reports of the group using a backdoor, QDoor, that has previously been linked to the BlackSuit Ransomware operation, and of it using the same living-off-the-land binaries (LOLBins) as the INC Ransom Ransomware operation. These observations highlight the interconnectedness of ransomware operations and reinforce the need for intelligence-driven, proactive defense strategies.

SafePay has been reported to gain initial access via valid accounts and exploiting public-facing applications. These tactics have been reported to include targeting misconfigured Fortinet firewalls, exposed remote desktop protocol (RDP) instances, and using valid credentials to access virtual private network (VPN) accounts that do not have multi-factor authentication (MFA) enabled.

Similar to other ransomware operations, SafePay has been reported to create new processes and to use remote access tools such as ScreenConnect, as well as backdoor malware, to maintain persistence on targeted devices.

SafePay has been reported to utilize RDP and SMB/Windows Admin Shares for lateral movement, which is in line with multiple other ransomware operations, including LockBit, Akira, and more.
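As an added defender-side example (not part of the Blackpoint profile), the Python below flags the RDP and Windows Admin Shares lateral-movement pattern described above (T1021) in a handful of constructed Windows Security events; the event tuple layout, host names and addresses are assumptions, not data from the page.

```python
"""Correlate network/RDP logons (event 4624, logon type 3 or 10) with follow-on
administrative share access (event 5140 on ADMIN$ or C$) from the same source."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: (time, event_id, src_ip, target_host, detail)
EVENTS = [
    ("2025-09-01T02:10:05", 4624, "10.0.5.23", "FILESRV01", "LogonType=3"),
    ("2025-09-01T02:10:07", 5140, "10.0.5.23", "FILESRV01", "Share=\\\\*\\ADMIN$"),
    ("2025-09-01T02:11:40", 4624, "10.0.5.23", "HR-WS-07", "LogonType=10"),
    ("2025-09-01T02:12:01", 5140, "10.0.5.23", "HR-WS-07", "Share=\\\\*\\C$"),
    ("2025-09-01T09:30:00", 4624, "10.0.9.80", "FILESRV01", "LogonType=3"),
    ("2025-09-01T09:30:04", 5140, "10.0.9.80", "FILESRV01", "Share=\\\\*\\Public"),
]
ADMIN_SHARES = {"ADMIN$", "C$"}   # hidden administrative shares used for remote execution
WINDOW = timedelta(minutes=5)     # maximum gap between logon and share access

def parse(ev):
    """Turn a raw tuple into a dict; the Key=Value detail becomes a lowercase field."""
    t, eid, src, host, detail = ev
    key, _, val = detail.partition("=")
    return {"time": datetime.fromisoformat(t), "id": eid, "src": src, "host": host, key.lower(): val}

def find_admin_share_logons(events, window=WINDOW):
    """One finding per admin-share access preceded (within `window`) by a network
    or RDP logon from the same source to the same host."""
    parsed = sorted((parse(e) for e in events), key=lambda e: e["time"])
    logons = [e for e in parsed if e["id"] == 4624 and e.get("logontype") in ("3", "10")]
    findings = []
    for share_ev in (e for e in parsed if e["id"] == 5140):
        share = share_ev["share"].rsplit("\\", 1)[-1]   # \\*\ADMIN$ -> ADMIN$
        if share not in ADMIN_SHARES:
            continue   # ordinary file shares (e.g. Public) are not the T1021 pattern
        for lg in logons:
            if (lg["src"] == share_ev["src"] and lg["host"] == share_ev["host"]
                    and timedelta(0) <= share_ev["time"] - lg["time"] <= window):
                findings.append({"src": lg["src"], "host": lg["host"], "share": share,
                                 "logon_type": lg["logontype"], "technique": "T1021"})
                break
    return findings

def hosts_touched(findings):
    """Distinct hosts per source; one source reaching several hosts' admin shares is the spread pattern."""
    fan = defaultdict(set)
    for f in findings:
        fan[f["src"]].add(f["host"])
    return {src: sorted(hosts) for src, hosts in fan.items()}

if __name__ == "__main__":
    for f in find_admin_share_logons(EVENTS):
        print(f)
    print(hosts_touched(find_admin_share_logons(EVENTS)))
```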

SafePay Ransomware likely operates in a similar manner to the LockBit 3.0 operation due to being built off the leaked builder. At the time of writing, there has been little public reporting related to the SafePay Ransomware operation; it is likely that SafePay will continue to target organizations worldwide over the next 12 months.

As more information about the SafePay operation has become available, additional connections between the group and other ransomware operations have been identified. Security researchers have assessed that SafePay’s emergence and rapid success likely indicate that the group is made up of sophisticated threat actors from various established operations – including Akira, Play, Qilin, and more.

This level of overlap makes attribution to specific threat groups and individuals more difficult and highlights the extensive interconnectedness of the ransomware landscape.


Date published: September 3, 2025
Author: Blackpoint Cyber