Introduction
In the rapidly evolving world of cyber threats, SAFEPAY ransomware has emerged as a formidable adversary. First identified in November 2024, this group has quickly escalated its activities, targeting over 169 organizations by May 2025, with a significant focus on the United States, Germany, and the United Kingdom. SAFEPAY employs a double extortion model, encrypting files and stealing sensitive data, which it threatens to leak on its Tor-based leak sites or TON network if ransoms are unpaid. For business owners and IT professionals, SAFEPAY represents a critical challenge that demands robust defenses. Barricade Cyber Solutions is here to guide you through this threat, offering expert ransomware recovery and prevention services to ensure your business thrives in a secure digital environment.
Understanding SAFEPAY Ransomware
SAFEPAY ransomware, also known as SafePay, is a relatively new but highly active threat actor, first observed in November 2024. By March 2025, it ranked as the fourth most active ransomware group, with 43 confirmed victims listed on its dark web Data Leak Site (DLS), escalating to 169 victims by early May 2025, 18% of whom are based in Germany. The group uses the .safepay file extension for encrypted files and leaves a ransom note named readme_safepay.txt. Unlike many ransomware groups, SAFEPAY explicitly denies operating as a Ransomware-as-a-Service (RaaS), stating, "SafePay Ransomware has never and does not provide the RaaS" (Medium). Their attacks target a wide range of sectors, including business services, retail, education, and manufacturing, with a particular focus on small to medium enterprises (SMEs) and local governments in Germany.
SAFEPAY’s operations are characterized by their intermediate sophistication, marked by extended periods of inactivity (e.g., a 25-day gap between initial access and discovery in one case) and the use of public tools, which suggests less advanced operational security compared to groups like Qilin. The ransomware is believed to be derived from leaked LockBit source code, showing architectural similarities to LockBit3 and cryptographic elements shared with Hive, DarkBit, and others (Medium).
How SAFEPAY Operates
SAFEPAY’s tactics, techniques, and procedures (TTPs) are designed to maximize disruption and pressure victims into paying ransoms. Below is a detailed breakdown:
Initial Access
-
Password Spraying on VPNs: SAFEPAY often gains initial access through password spraying on vulnerable VPN implementations, exploiting weak credentials likely obtained via stealware or dark web markets (Surefire Cyber). In one case, there was a 25-day gap between initial access and discovery (Medium).
-
Exploitation of VPN Vulnerabilities: While no specific vulnerabilities are confirmed, SAFEPAY is suspected to exploit known vulnerabilities in VPN software or remote access solutions (Quorum Cyber).
-
Phishing Emails: Phishing campaigns with malicious attachments are a probable method for initial access, though less documented (PC Risk).
Lateral Movement and Privilege Escalation
-
Time to Domain Admin: In one documented attack, SAFEPAY took 26 days from initial access to achieve Domain Admin privileges, followed by rapid data exfiltration and encryption within two days (Medium).
-
Automated Tools: The group likely uses automated scripts for privilege escalation and lateral movement, targeting smaller networks for quick encryption (Huntress).
Data Exfiltration
-
Volume and Tools: SAFEPAY has exfiltrated significant data volumes, such as 450 GB in one attack, using tools like SharpShares and WinRAR for compression and FileZilla for transfer (Medium; Cybervergent).
-
Large-Scale Theft: In a notable attack, SAFEPAY claimed to have stolen 1.2 TB of data from a UK business (Cyberint).
Encryption
-
File Encryption: Files are encrypted with the .safepay extension, and a ransom note (readme_safepay.txt) is left on the system (Red Piranha).
-
Backup Targeting: SAFEPAY targets backups by encrypting them and deleting Volume Shadow Copies (VSC) to prevent recovery (Medium).
-
Partial Encryption: The ransomware supports partial encryption via a command line argument (-enc <1-10>) (Medium).
-
Geographic Restriction: The encryptor includes a check to prevent operation in Russian-speaking countries, suggesting possible Russian affiliations (NCC Group).
Extortion
-
Double Extortion: SAFEPAY combines file encryption with data theft, threatening to leak stolen data on its Tor-based leak site or TON network (SC Media).
-
Direct Phone Calls: The group has been observed making direct phone calls to victims to increase pressure post-encryption (Medium).
-
Leak Site Pressure: The Tor-based leak site, which listed 22 victims in November 2024 and 169 by May 2025, serves as a public pressure mechanism (Huntress).
Cryptographic Methods
-
Language and Algorithms: Written in C, SAFEPAY uses Overlapped I/O and employs AES-CBC or ChaCha20 for encryption (depending on AES-NI availability) and Curve25519 for Elliptic Curve Cryptography (ECC) (Medium).
-
Configuration Decryption: The configuration is decrypted using SHA-512 for key/nonce generation, ChaCha20 for encryption, and MurmurHash for integrity checks (Medium).
TTPs Summary
| TTP CATEGORY | DETAILS |
|---|---|
| Lateral Movement | Automated scripts. Took 26 days to gain Domain Admin in one case. |
| Initial Access | Password spraying on VPNs, phishing emails. |
| Extortion | Double extortion, Tor/TON leak sites. |
| Encryption | .safepay extension, partial encryption, targets backups, deletes VSC. |
| Communication | Tor-based leak sites, TON network, no public-facing emails. |
| Exfiltration | T450 GB–1.2 TB stolen using SharpShares, WinRAR, FileZilla. |
Notable Attacks in 2025
-
UK Business (2025): SAFEPAY claimed to have stolen 1.2 TB of data, demonstrating their capability to exfiltrate large volumes (Cyberint).
-
German SMEs and Local Governments: A focused campaign in early 2025 targeted German small to medium enterprises and local governments, with large attack waves of 10+ organizations per day (Quorum Cyber).
-
Global Reach: SAFEPAY has targeted organizations in the US, UK, Australia, Canada, and other countries, with 43 victims listed in March 2025 and 169 by May 2025 (Ransomware.live).
Barricade Cyber Solutions: Your Guide
When facing a threat as aggressive as SAFEPAY, you need a trusted partner. Barricade Cyber Solutions specializes in ransomware recovery and prevention, with GIAC-certified experts who have restored data for thousands of businesses. Our 24/7 support and comprehensive cybersecurity consulting services are designed to combat threats like SAFEPAY, ensuring your business remains secure.
Our services include:
-
Investigation and Containment: Quickly identify and isolate threats.
-
Expert Analysis: Leverage our deep knowledge of attacker TTPs.
-
Data Recovery: Restore encrypted data and strengthen systems.
-
24/7 Support: Immediate response to incidents, day or night.
-
Cybersecurity Consulting: Assess and enhance your security posture.
Protecting Your Business
To defend against SAFEPAY ransomware, implement these proactive measures:
-
Strengthen VPN Security: Use strong passwords and MFA for VPN access to prevent password spraying attacks.
-
Regular Patching: Update software, especially VPNs and remote access tools, to close vulnerabilities.
-
Employee Training: Educate staff on recognizing phishing emails and maintaining strong password practices.
-
Backup and Recovery: Maintain immutable backups and test recovery procedures to ensure business continuity.
-
Endpoint Detection and Response (EDR): Deploy EDR solutions to detect and respond to malicious activities promptly.
What to Do If Attacked
If your business is hit by SAFEPAY ransomware, follow these steps:
-
Isolate Systems: Disconnect affected systems to contain the attack.
-
Engage Experts: Contact Barricade Cyber Solutions for investigation and recovery.
-
Negotiate Carefully: If necessary, negotiate through professional channels.
-
Report the Incident: Inform law enforcement and regulatory bodies.
Barricade’s approach includes:
-
Assessment: Identify the scope of the attack.
-
Extortion Negotiation: 24/7 case managers negotiate to minimize impact.
-
Ransom Settlement: Secure and compliant financial handling.
-
Decrypt & Recover: Restore data and enhance security.
Don’t let SAFEPAY ransomware disrupt your business. If you’ve been impacted or want to protect your organization, schedule a consultation with Barricade Cyber Solutions today at Barricade Consultation. Our experts are ready to guide you through recovery and prevention, ensuring your business remains secure.
Success: A Secure Future
Partnering with Barricade Cyber Solutions means more than just recovering from a ransomware attack—it means building a resilient business. Our proven track record ensures your data is secure, your operations are uninterrupted, and your reputation is protected. With our 24/7 support and expert guidance, you can focus on what matters most: running your business.
Conclusion
SAFEPAY ransomware is a growing threat, but with the right knowledge and partner, you can protect your organization. Barricade Cyber Solutions is your guide to navigating this complex landscape, offering expert solutions to recover from attacks and prevent future incidents. Take action now to safeguard your business.
Threat Actor Profile
-
Name and Aliases: SAFEPAY, SafePay
-
Origin and Affiliations: Unknown, but a built-in check prevents operation in Russian-speaking countries, suggesting possible Russian affiliations.
-
Motivation and Goals: Financial gain through ransomware attacks targeting SMEs and local governments.
Operational Overview
-
Initial Access Vectors:
-
Password spraying on VPNs.
-
Phishing emails with malicious attachments.
-
Possible exploitation of VPN vulnerabilities.
-
-
Lateral Movement:
-
Automated scripts for privilege escalation.
-
26 days to Domain Admin in one documented case.
-
-
Data Exfiltration:
-
Large volumes (450 GB–1.2 TB) stolen using SharpShares, WinRAR, FileZilla.
-
-
Encryption and Extortion:
-
Files encrypted with .safepay extension.
-
Double extortion with data theft and leak site threats.
-
Direct phone calls to victims.
-
Technical Details
-
Malware:
-
SAFEPAY ransomware (written in C).
-
Uses AES-CBC/ChaCha20 and Curve25519 ECC.
-
Command line arguments: -pass (victim ID for config decryption), -enc <1-10> (partial encryption).
-
-
Tools and Infrastructure:
-
Tor-based leak sites:
-
http://j3dp6okmaklajrsk6zljl5sfa2vpui7j2w6cwmhmmqhab6frdfbphhid.onion/
-
http://nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion/
-
http://nj5qix45sxnl4h4og6hcgwengg2oqloj3c2rhc6dpwiofx3jbivcs6qd.onion/
-
-
TON network for victim communications.
-
Tools: SharpShares, WinRAR, FileZilla.
-
-
Cryptographic Similarities: Shares elements with LockBit3, Hive, DarkBit, Proxima, Babuk.
Victimology
-
Targeted Sectors: Business services, retail, education, manufacturing, local governments.
-
Geographic Focus: US, Germany, UK, with additional attacks in Australia, Canada, and others.
-
Notable Victims:
-
UK business with 1.2 TB of data stolen (2025).
-
German SMEs and local governments in early 2025.
-
169 victims listed by May 2025.
-
Indicators of Compromise (IOCs)
| TTP CATEGORY | DETAILS |
|---|---|
| Ransom Note | readme_safepay.txt |
| Leak Sites | http://j3dp6okmaklajrsk6zljl5sfa2vpui7j2w6cwmhmmqhab6frdfbphhid.onion/ |
| File Extension | .safepay |
| http://nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion/ | |
| http://nj5qix45sxnl4h4og6hcgwengg2oqloj3c2rhc6dpwiofx3jbivcs6qd.onion/ |
Law Enforcement and Threat Landscape
As of July 2025, no law enforcement actions against SAFEPAY have been reported. However, the group’s targeting of public institutions, such as local governments in Germany, suggests investigations may be ongoing. SAFEPAY’s rapid rise in the ransomware landscape, with a significant increase in activity from November 2024 to May 2025, indicates it is a growing concern.
