SafePay Ransomware Exploits RDP and VPN to Breach Organizational Networks

A hitherto unknown ransomware gang called SafePay quickly rose to prominence in the first quarter of 2025, becoming one of the most active and dangerous operators in the global cyber threat environment.

With over 200 documented victims, including managed service providers (MSPs) and small-to-midsize businesses (SMBs) across various sectors, SafePay’s campaign has become a major concern for cybersecurity professionals worldwide.

Technical Anatomy and Tactics

According to a report by the Acronis Threat Research Unit (TRU), the team conducted an in-depth analysis of SafePay’s attack methodology, confirming the group’s use of highly efficient, albeit recycled, tactics.

The group’s operations highlight a focus on stealth and effectiveness, abusing compromised Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) access to gain unauthorized entry into organizational networks.

Once inside, SafePay actors employ credential theft, privilege escalation, and “living-off-the-land” binaries (LOLBins) to traverse within victim environments, exfiltrate sensitive data, and ultimately encrypt files.

Figure: SafePay ransomware sample analyzed

Distinct from the ransomware-as-a-service (RaaS) model favored by many contemporary groups, SafePay maintains centralized operational control, overseeing its own infrastructure and ransom negotiations.

The group systematically disables endpoint protection, deletes shadow copies, and clears logs to evade detection.

Notably, the attack that recently disrupted Ingram Micro, a significant global IT distributor, has been attributed to SafePay.

SafePay ransomware, which first surfaced in 2024, bears striking technical similarities to the notorious LockBit ransomware family.

The similarities may stem from the 2022 leak of the LockBit 3.0 (LockBit Black) builder, after which a wave of LockBit-based variants emerged.

Key shared characteristics include encoded strings, runtime API address resolution, language-based execution avoidance, and specific privilege escalation methods such as abuse of the CMSTPLUA COM interface, an auto-elevating COM object commonly used to bypass User Account Control.

SafePay is distributed primarily via compromised RDP connections.

Attackers use open-source PowerShell scripts like ShareFinder.ps1 to enumerate network shares and leverage tools such as WinRAR for data compression and FileZilla for exfiltration before deleting these tools to minimize detection risks.

Figure: FileZilla client was deployed to exfiltrate files

The ransomware sample analyzed by Acronis is a PE32 DLL with a falsified compile timestamp, and it requires a specific password argument for full execution.

All strings and import names within the binary are encrypted, complicating pre-execution detection efforts.

File Encryption

Upon execution, SafePay conducts a series of preparatory steps: decrypting necessary strings in memory, dynamically loading libraries, and checking for system languages associated with CIS countries; if one is detected, the ransomware aborts.

The malware parses command-line arguments, each of which enables a different capability, such as network propagation or self-deletion. Crucially, the required password parameter drives further decryption within the sample.

SafePay aggressively attempts to disable protective services and terminate a wide range of business-critical processes, ranging from Microsoft SQL Server and Exchange to endpoint protection products, before emptying the Recycle Bin and establishing persistence by registering itself in the Windows startup (Run) registry keys.

If instructed via arguments, it abuses the CMSTPLUA COM interface for privilege escalation and uses system commands to erase shadow copies and tamper with recovery settings.
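The tradecraft described above, from ShareFinder.ps1 share enumeration, WinRAR staging, FileZilla exfiltration and tool deletion through service stops, shadow copy deletion, recovery tampering and Run key persistence, maps to a small set of process-creation rules a SOC can hunt on. The following Go program is an added example, not code from Acronis or from this article: it runs those rules over constructed JSON process-creation events and then correlates distinct stages per host, since any one rule alone (an administrator stopping a service, say) is weak evidence. The JSON field names, hostnames, paths and times are made up for the example, and the specific commands assumed for shadow copy deletion and recovery tampering (vssadmin, wmic, wbadmin, bcdedit) are this example's assumption; the article does not name which commands SafePay runs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// ProcEvent is a process-creation record in the rough shape of a Sysmon
// Event ID 1 exported as JSON. The field names are this example's assumption.
type ProcEvent struct {
	Host        string `json:"host"`
	Time        string `json:"time"`
	Image       string `json:"image"`
	CommandLine string `json:"command_line"`
}

// Finding records which stage of the SafePay playbook an event resembles.
type Finding struct{ Host, Time, Stage, Cmd string }

type rule struct {
	stage string
	re    *regexp.Regexp
}

// Rules are matched against image + command line, most specific first; an
// event yields at most one finding, so the tool-deletion rule precedes the
// rules that match the tool names. The shadow-copy and recovery commands
// (vssadmin, wmic, wbadmin, bcdedit) are assumed: the write-up does not
// name the exact commands SafePay runs.
var rules = []rule{
	{"defense evasion: staging tool deleted", regexp.MustCompile(`(?i)\b(del|erase|remove-item|rm)\b.*(rar|filezilla|sharefinder)`)},
	{"discovery: share enumeration (ShareFinder)", regexp.MustCompile(`(?i)sharefinder\.ps1|invoke-sharefinder`)},
	{"collection: WinRAR archive created", regexp.MustCompile(`(?i)(winrar|rar)\.exe"?\s+a\s`)},
	{"exfiltration: FileZilla client launched", regexp.MustCompile(`(?i)filezilla\.exe`)},
	{"impact: service stopped or process killed", regexp.MustCompile(`(?i)\b(net1?|sc)(\.exe)?\s+stop\b|\btaskkill(\.exe)?\b.*/im\b`)},
	{"impact: shadow copies deleted", regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|wbadmin(\.exe)?\s+delete\s+catalog`)},
	{"impact: recovery settings tampered", regexp.MustCompile(`(?i)bcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)`)},
	{"persistence: Run key registered", regexp.MustCompile(`(?i)\breg(\.exe)?\s+add\b.*\\currentversion\\run\b`)},
}

// Detect parses one JSON event per line; lines that fail to parse are skipped.
func Detect(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		var ev ProcEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			continue
		}
		cmd := strings.TrimSpace(ev.Image + " " + ev.CommandLine)
		for _, r := range rules {
			if r.re.MatchString(cmd) {
				out = append(out, Finding{ev.Host, ev.Time, r.stage, cmd})
				break
			}
		}
	}
	return out
}

// Correlate counts distinct stages per host. One rule firing is weak
// evidence (administrators stop services too); several stages on one host
// is the chain the write-up describes and is what should page an analyst.
func Correlate(fs []Finding) map[string]int {
	stages := map[string]map[string]bool{}
	for _, f := range fs {
		if stages[f.Host] == nil {
			stages[f.Host] = map[string]bool{}
		}
		stages[f.Host][f.Stage] = true
	}
	counts := map[string]int{}
	for host, s := range stages {
		counts[host] = len(s)
	}
	return counts
}

// SampleEvents are constructed for this example; hosts, paths and times are made up.
var SampleEvents = []string{
	`{"host":"SRV-FS01","time":"01:02:00","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -ep bypass -f C:\\Users\\Public\\ShareFinder.ps1"}`,
	`{"host":"SRV-FS01","time":"01:15:10","image":"C:\\Users\\Public\\Rar.exe","command_line":"Rar.exe a -r -ep1 C:\\Users\\Public\\fin.rar \\\\FS01\\Finance"}`,
	`{"host":"SRV-FS01","time":"01:20:33","image":"C:\\Users\\Public\\filezilla.exe","command_line":"filezilla.exe"}`,
	`{"host":"SRV-FS01","time":"01:58:01","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c del /f /q C:\\Users\\Public\\Rar.exe C:\\Users\\Public\\filezilla.exe"}`,
	`{"host":"SRV-FS01","time":"02:00:05","image":"C:\\Windows\\System32\\net.exe","command_line":"net stop MSSQLSERVER /y"}`,
	`{"host":"SRV-FS01","time":"02:00:09","image":"C:\\Windows\\System32\\vssadmin.exe","command_line":"vssadmin.exe delete shadows /all /quiet"}`,
	`{"host":"SRV-FS01","time":"02:00:11","image":"C:\\Windows\\System32\\bcdedit.exe","command_line":"bcdedit.exe /set {default} recoveryenabled no"}`,
	`{"host":"SRV-FS01","time":"02:00:14","image":"C:\\Windows\\System32\\reg.exe","command_line":"reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v sp /t REG_SZ /d C:\\Users\\Public\\sp.dll"}`,
	`{"host":"WS-042","time":"02:00:15","image":"C:\\Windows\\System32\\svchost.exe","command_line":"svchost.exe -k netsvcs -p"}`,
	`this line is not JSON and is skipped`,
}

func main() {
	findings := Detect(SampleEvents)
	for _, f := range findings {
		fmt.Printf("%s %-8s %-42s %s\n", f.Time, f.Host, f.Stage, f.Cmd)
	}
	for host, n := range Correlate(findings) {
		fmt.Printf("%s: %d distinct stages\n", host, n)
	}
}
```

On the constructed sample, all eight malicious events land on SRV-FS01 and cover eight distinct stages, while the benign svchost event on WS-042 matches nothing. In production the same idea applies with a time window (the write-up describes tool deletion and shadow copy removal happening in sequence) and with the rule set tuned to the organisation's own backup and administration tooling, which otherwise generates the service-stop and vssadmin hits on its own.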

For encryption, SafePay uses a hybrid scheme: AES for file contents and RSA for encrypting the AES keys. It targets both fixed and removable drives, mounting unmounted volumes if necessary.

Each encrypted file is given a ‘.safepay’ extension; the ransomware encrypts with multiple threads and sets anti-debugging flags to further hamper analysis.
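To make the key-management consequence of the AES-plus-RSA design concrete, the following Go program (standard library only) is an added example of the hybrid scheme in its generic form; it is not SafePay's code and is not taken from the Acronis analysis. A random AES key encrypts the data, the operator's RSA public key wraps that AES key, and only the matching private key, which never touches the victim's machine, can unwrap it. AES-GCM, RSA-OAEP, the key sizes and the blob layout are this example's choices; the article states only that AES encrypts files and RSA encrypts the AES keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedBlob is what a hybrid AES+RSA scheme leaves on disk: the data
// under a fresh AES key, and that key wrapped with the operator's RSA
// public key. The layout and the choice of AES-GCM / RSA-OAEP are this
// example's; the article says only "AES for files, RSA for the AES keys".
type EncryptedBlob struct {
	WrappedKey []byte // RSA-OAEP(pub, aesKey)
	Nonce      []byte // AES-GCM nonce, unique per Seal call
	Ciphertext []byte // AES-GCM(aesKey, plaintext)
}

// Seal encrypts plaintext under a random 256-bit AES key and wraps that key
// with pub. Note what is NOT needed: any secret. A public key embedded in
// a binary is enough to encrypt, so nothing in the sample can decrypt.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*EncryptedBlob, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedBlob{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open reverses Seal. It succeeds only with the private key matching the
// public key used in Seal; a wrong key fails at the OAEP unwrap step.
func Open(priv *rsa.PrivateKey, b *EncryptedBlob) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

// Demo plays both roles: the operator who generated the key pair, and an
// analyst who holds the sample's public key but not the private key.
func Demo(plaintext []byte) (recovered []byte, wrongKeyErr error, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	blob, err := Seal(&operator.PublicKey, plaintext)
	if err != nil {
		return nil, nil, err
	}
	recovered, err = Open(operator, blob)
	if err != nil {
		return nil, nil, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048) // a key not derivable from the sample
	if err != nil {
		return nil, nil, err
	}
	_, wrongKeyErr = Open(stranger, blob)
	return recovered, wrongKeyErr, nil
}

func main() {
	rec, wrongErr, err := Demo([]byte("Q1 invoices (constructed sample data)"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("operator key recovers: %q\n", rec)
	fmt.Printf("unrelated key fails:   %v\n", wrongErr)
}
```

The practical point for defenders is that the binary needs only the public key, so there is nothing to extract from a captured sample that would recover files. That is why SafePay's deletion of shadow copies and tampering with recovery settings matter as much as the encryption itself: offline, tested backups are the control, not cryptanalysis.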

SafePay employs a double extortion scheme, not only encrypting valuable data but also exfiltrating it to coerce victims into paying ransoms.

Since its emergence, SafePay has rapidly adapted and expanded its arsenal, leveraging tried-and-true techniques with new features and enhancements to maximize impact and evade defensive measures.

Its centralized operational model and technical sophistication mark it as a distinct and formidable threat on the ransomware scene.

Indicators of Compromise (IoCs)

Type           Value
File SHA256    a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526
Network URL    http://nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion
Email Contact  [email protected]


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
