SafePay Ransomware: An Emerging Threat in 2025

SafePay is a new and sophisticated ransomware group. Although it was only identified in September 2024, SafePay quickly claimed many victims, becoming one of the ten most active ransomware groups in Q1 2025.

Showing advanced network infiltration and data encryption/exfiltration, SafePay is a significant threat in 2025.

Although little is known about the group itself, industry experts have analyzed previous attacks to identify SafePay’s ransomware tactics. Understanding their methods helps detect ransomware attacks and implement protections that keep you safe.


Ransomware in 2025: A Record-Breaking Surge

The emergence of SafePay comes at a record-breaking time for ransomware attacks.

Data from the Q1 2025 Global Cyber Attack Report shows a 126% increase in ransomware attacks compared to the same period the year before. This surge is happening despite the toppling of two major players the previous year: LockBit and ALPHV.

A coordinated international law enforcement operation in 2024 led to:

  • The seizure of LockBit’s data leak sites
  • The release of the group’s internal data (including decryption keys)
  • The exposure of their affiliate networks

This dismantling of LockBit’s operations and infrastructure dramatically reduced the group’s activity.

The further disclosure of internal communications cost the ransomware-as-a-service (RaaS) group its credibility with affiliates, leaving it a shadow of its former self.

ALPHV (also known as BlackCat) followed a similar path. At the end of 2023, a law enforcement operation disrupted its operations. After a short recovery, the group shut down in early 2024.

Following an attack on Change Healthcare, ALPHV:

  • Withheld all of the $22 million ransom
  • Refused to share it with the affiliate that launched the attack
  • Faked a seizure notice on their data leak site
  • Announced the end of ALPHV

The shutdown of these two groups has led to fragmentation in the ransomware ecosystem.

Established operators (e.g., RansomHub, Akira) and new players, like SafePay, are now competing to fill the gap and attract new affiliates who previously worked with LockBit and ALPHV.

Who Is the SafePay Ransomware Group?

SafePay is a new ransomware group, with its first confirmed activity occurring in September 2024. Since then, SafePay threat actors have quickly become serious players in the space.

Data from Check Point’s State of Cybersecurity Report found that SafePay accounted for 5% of reported victims in November 2024. This activity continued to grow in 2025, with the State of Ransomware in the First Quarter of 2025 Report finding 77 publicly claimed victims, making SafePay the 9th most prevalent ransomware variant in that quarter.

A High-Profile Early Attack

An early high-profile SafePay ransomware attack that brought greater attention to the group was the attack on UK telematics business Microlise.

  • In October 2024, the business first disclosed it was the victim of a cyber incident.
  • In November 2024, details of the attack came to light: SafePay claimed to have stolen 1.2 terabytes of data and demanded payment within 24 hours.

An Elusive Cybercrime Group

Despite the SafePay ransomware surge in 2025, not much is known about the group:

  • Little discussion exists on dark web forums or chat rooms
  • No publicly disclosed information about the group’s members or location

However, SafePay does:

  • Maintain a blog on the dark web
  • Utilize The Open Network (TON) to communicate with victims
  • Operate a Tor leak site listing claimed past victims

Code Similarities and Tactics

Investigations of SafePay ransomware attacks have revealed that the group’s ransomware binary shares similarities with a version of LockBit from late 2022. However, SafePay also incorporates elements used by other ransomware groups, including ALPHV and INC Ransom.

Notable SafePay tactics as of 2025 include:

  • Fast encryption
  • A short dwell time: attacks typically move from initial access to ransomware deployment in under 24 hours

SafePay ransomware attacks are still under investigation in 2025 to fully assess the group’s overall capabilities.

SafePay Victims

SafePay targets victims across a wide range of industries, including both public and private sectors.

Their ransomware surge in 2025 focuses on targets in the US, the UK, and Germany. There have been examples of SafePay launching waves of attacks, sometimes 10+ a day, in both the US and Germany. Statistics from the State of Ransomware Q1 2025 report show a high level of activity in Germany.

  • 24% of all reported ransomware victims in Germany in Q1 2025 were linked to SafePay
  • According to Check Point’s research, this is the highest percentage for a single ransomware group in any country

This suggests that SafePay is aiming to establish a major foothold in Germany during 2025.

SafePay’s Tactics and Targeting Strategy

SafePay gains initial access using valid credentials, most likely purchased on dark web marketplaces.

The group uses these credentials to log in through the victim’s VPN gateway and reach internal endpoints. It is also believed to gain access by exploiting known vulnerabilities in VPN appliances.

Analysis of SafePay ransomware tactics shows the group uses a multi-stage method that typically begins with access via Remote Desktop Protocol (RDP). Once inside, SafePay threat actors disable security controls such as Windows Defender using Living Off the Land Binaries (LOLBins), so that the tampering blends in with legitimate administration.

SafePay’s software has a sophisticated modular design that includes features for:

  • Privilege escalation
  • UAC bypass
  • Network propagation

Legitimate tools are then used for data theft: WinRAR archives the data and FileZilla transfers it out of the network.

Encrypted files have the .SafePay extension added to them.

In previous SafePay ransomware attacks, the ransom note was dropped in a file named readme_SafePay.txt. To make recovery without paying harder, SafePay’s tactics include:

  • Disabling Windows recovery options
  • Deleting Volume Shadow Copies

Once the ransomware is deployed, SafePay pressures victims to pay up through double extortion.

  • They encrypt the victim’s data, disrupting business operations
  • They exfiltrate this data, threatening to release it publicly on their leak site if the ransom is not paid.

A notable similarity to LockBit ransomware variants is SafePay’s reuse and adaptation of leaked source code to suit its targeting. For instance, the ransomware incorporates a Cyrillic kill switch, a check that stops the malware from running on systems whose language settings indicate a Cyrillic-speaking locale, a trait shared with many families originating in Eastern Europe. This level of sophistication demonstrates the need for advanced security controls and endpoint monitoring.

Defending Against SafePay Ransomware Attacks and Similar Threats

There are indicators specific to SafePay ransomware tactics that can help you identify attacks and develop new detection rules. These include:

  • UAC bypasses: SafePay uses them to escalate privileges after initial access, before spreading to and compromising more systems.
  • Windows Defender tampering: SafePay manually changes virus and threat protection settings that ordinary users never touch, so any change to Defender settings outside approved administration is a strong signal of an attack in progress.
  • WinRAR command lines: the group archives data with WinRAR before exfiltration, and the command-line switches used for bulk archiving are uncommon in everyday interactive WinRAR use, offering another detection opportunity.
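Turning the indicators above, together with the shadow-copy deletion and recovery-option tampering described under SafePay’s tactics, into a first-pass triage script, as an added example for this article (not Check Point’s detection content, and not SafePay’s code): it scans constructed process-creation events for the behaviours named on this page and checks a constructed file listing for the .SafePay extension and the readme_SafePay.txt note. The regex strings, the sample events, the host names and the two-behaviour escalation threshold are illustrative assumptions, not published SafePay indicators.

```python
"""
Triage heuristics for the SafePay behaviours described in this article:
Windows Defender tampering, UAC bypass, shadow-copy and recovery deletion,
WinRAR staging before exfiltration, and the .SafePay / readme_SafePay.txt
artifacts. Input is a batch of process-creation events (e.g. Sysmon Event ID 1
or Security 4688). All sample data below is constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str     # endpoint that logged the event
    cmdline: str  # full command line as logged


# (tag, regex over the lower-cased command line). The behaviours come from the
# article; the specific strings are illustrative assumptions, not SafePay IOCs.
RULES = [
    ("defender_tamper", re.compile(
        r"set-mppreference\s+-disable|windows defender.*disableantispyware|"
        r"disablerealtimemonitoring")),
    ("uac_bypass", re.compile(
        r"fodhelper\.exe|computerdefaults\.exe|"
        r"\\software\\classes\\ms-settings\\shell\\open\\command")),
    ("shadow_copy_delete", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("recovery_disable", re.compile(
        r"bcdedit(\.exe)?.*recoveryenabled\s+no|"
        r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures|"
        r"wbadmin(\.exe)?\s+delete\s+catalog")),
    # rar.exe/winrar.exe run with the 'a' (add) command plus recursion, password
    # (-hp) or compression switches: bulk archiving from a shell, not the
    # double-click-to-open use most users make of WinRAR.
    ("winrar_staging", re.compile(
        r'(^|\\|\s)(rar|winrar)(\.exe)?"?\s+a\s.*(-r\b|-hp|-m\d|-ep\d)')),
]

ENCRYPTED_EXT = ".safepay"          # extension appended to encrypted files
RANSOM_NOTE = "readme_safepay.txt"  # ransom note file name seen in past attacks


def classify(event: ProcEvent) -> list[str]:
    """Return the tags of every rule the event's command line matches."""
    line = event.cmdline.lower()
    return [tag for tag, rx in RULES if rx.search(line)]


def triage(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Collect the distinct tags seen per host across the whole batch."""
    per_host: dict[str, set[str]] = {}
    for ev in events:
        tags = classify(ev)
        if tags:
            per_host.setdefault(ev.host, set()).update(tags)
    return {host: sorted(tags) for host, tags in per_host.items()}


def flagged_hosts(events: list[ProcEvent], threshold: int = 2) -> list[str]:
    """Hosts tripping at least `threshold` distinct behaviours. Any single hit
    deserves a look, but Defender tampering plus shadow-copy deletion on one
    host is the pre-encryption sequence the article describes."""
    return sorted(h for h, t in triage(events).items() if len(t) >= threshold)


def scan_artifacts(paths: list[str]) -> dict[str, int]:
    """Count encrypted files and ransom notes in a file listing (e.g. a share
    walk); a non-zero count means encryption has already started."""
    encrypted = sum(p.lower().endswith(ENCRYPTED_EXT) for p in paths)
    notes = sum(re.split(r"[\\/]", p)[-1].lower() == RANSOM_NOTE for p in paths)
    return {"encrypted_files": encrypted, "ransom_notes": notes}


# Constructed batch: WS01 shows the pre-encryption sequence, FS02 the archiving
# step, WS07 an ordinary WinRAR launch plus a single UAC-bypass hit.
SAMPLE_EVENTS = [
    ProcEvent("WS01", 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcEvent("WS01", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("WS01", "bcdedit /set {default} recoveryenabled No"),
    ProcEvent("FS02", r'"C:\Program Files\WinRAR\Rar.exe" a -r -hpP@ss -m5 -ep1 C:\Temp\fin.rar \\FS02\Finance'),
    ProcEvent("WS07", r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\alice\Downloads\report.rar"'),
    ProcEvent("WS07", "fodhelper.exe"),
]

# Constructed listing of a share after encryption has begun.
SAMPLE_PATHS = [
    r"\\FS02\Finance\Q1\budget.xlsx.SafePay",
    r"\\FS02\Finance\Q1\readme_SafePay.txt",
    r"\\FS02\Finance\Q1\notes.txt",
    r"\\FS02\Finance\contracts.docx.SafePay",
]

if __name__ == "__main__":
    for host, tags in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
    print("escalate:", flagged_hosts(SAMPLE_EVENTS))
    print("artifacts:", scan_artifacts(SAMPLE_PATHS))
```

In production these rules belong in the EDR or SIEM (one Sigma rule per tag) rather than in a script. The point of the per-host grouping is that Defender tampering followed by shadow-copy deletion on the same machine is the pre-encryption sequence described above, and warrants immediate isolation of the host rather than a ticket; the ordinary WinRAR launch on WS07 shows why the archiving rule keys on the command-line switches rather than on the binary name.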

How to Prevent SafePay Ransomware: 5 Best Practices

More general ransomware security controls and best practices that will help your organization prevent SafePay ransomware attacks and similar threats include:

  1. Strict access controls based on the principle of least privilege, so that users only have access to what they need. This limits the spread of ransomware by making lateral movement into new systems harder.
  2. Strong authentication backing those access controls, based on zero trust principles that require users to continually prove their identity. The most common measure is enforcing multi-factor authentication (MFA).
  3. Fast and effective incident detection and response capabilities, backed by backups on offline or physically separated storage and a tested disaster recovery plan, so that encryption and shadow-copy deletion do not leave you without a recovery path.
  4. Update management processes that track newly disclosed vulnerabilities, especially in internet-facing VPN and remote access products, and install patches promptly.
  5. Secure VPN connections for remote access. Since SafePay’s initial access relies on valid credentials and VPN gateways, make sure the gateway itself is patched and requires MFA.

Enhanced Ransomware Protection with Check Point

To protect your business against SafePay ransomware and other emerging threats, you need a ransomware protection solution you can rely on. Harmony Endpoint from Check Point delivers complete endpoint security to detect ransomware attacks and minimize their impact.

Discover more about Harmony Endpoint by reading its solution brief or requesting a demo.