Skip to content
Ransomware group Windows

SafePay

SafePay is a privately operated ransomware family and associated extortion operation that emerged in late 2024 and rapidly became one of the more active ransomware threats observed in 2025 and early 2026.

Profile source: Mallory opens in a new tab

SafePay

Family profile

SafePay is a privately operated ransomware family and associated extortion operation that emerged in late 2024 and rapidly became one of the more active ransomware threats observed in 2025 and early 2026. The operation publicly states that it is not a ransomware-as-a-service program, and reporting consistently characterizes it as a centralized, non-RaaS actor. SafePay uses a double-extortion model, stealing victim data before encrypting systems and threatening publication of stolen material to pressure payment.

SafePay has targeted organizations across multiple sectors and geographies, with repeated reporting of activity against healthcare providers, healthcare-related businesses, managed service providers, small and midsize businesses, and other enterprises. Victims have been reported in North America, Europe, and Australia, with Germany and the United States repeatedly identified among its principal target countries. Publicly attributed incidents include intrusions affecting healthcare entities, technology and distribution firms, industrial organizations, and government service providers.

Observed intrusion activity shows SafePay relying on conventional but effective operator-driven tradecraft rather than unusually advanced techniques. In at least one investigated case, initial access was obtained through password spraying against a VPN gateway, followed by a lengthy dwell period, privilege escalation to domain administrator, discovery of accessible shares, staging and compression of stolen data, exfiltration, and subsequent encryption. Operators have also searched for backup infrastructure and deleted shadow copies to hinder recovery. Reporting indicates SafePay has at times focused encryption activity inside guest virtual machines rather than directly encrypting hypervisors, suggesting stronger support for Windows environments than for native ESXi-level encryption in the observed period.

The SafePay encryptor is a custom Windows ransomware strain written in C. Reported technical characteristics include asynchronous file encryption using Overlapped I/O, configurable partial encryption, and use of AES-CBC when AES-NI is available or ChaCha20 otherwise, with Curve25519 protecting per-file key material. Analysts have noted design similarities to several established ransomware families but assessed the malware as likely independently developed rather than a direct derivative.

SafePay has been linked to major data theft and disruption events, including incidents involving healthcare-related organizations and large service providers where large volumes of personal, medical, financial, employment, and business data were reportedly stolen. Its activity profile, victim volume, and repeated use in high-impact extortion cases place it among the notable ransomware threats of the 2025–2026 period.

Capabilities

  • Credential Theft
  • Defense Evasion
  • Exfiltration
  • Extortion
  • Privilege Escalation
  • Reconnaissance

Ransomware.live

Operational record

View group record ↗

Discovery Enum

  • Invoke-ShareFinder

Exfiltration

  • 7-Zip
  • WinRAR

LOLBAS

  • CMSTPLUA
  • Regsvr32.exe
  • dllhost.exe

Ransomware.live

Recent claims

All published claims ↗

Reported operators

Threat actors

1 named in public reporting
SafePay

The SafePay ransomware group is a relatively new group, first appearing on our radar in November 2024. The group follows a double-extortion scheme, both exfiltrating data and encrypting it on victim machines using their own SafePay ransomware.

MITRE ATT&CK

SafePay in ATT&CK

155 distinct techniques

Techniques

155 techniques
T1074 Data Staged T1082 System Information Discovery T1486 Data Encrypted for Impact T1490 Inhibit System Recovery T1110.003 Password Spraying T1048 Exfiltration Over Alternative Protocol T1078 Valid Accounts T1041 Exfiltration Over C2 Channel T1548.002 Bypass User Account Control T1078.002 Domain Accounts T1021.002 SMB/Windows Admin Shares T1531 Account Access Removal T1059.003 Windows Command Shell T1135 Network Share Discovery T1190 Exploit Public-Facing Application T1091 Replication Through Removable Media T1189 Drive-by Compromise T1566.001 Phishing: Spearphishing Attachment T1566.002 Phishing: Spearphishing Link T1566.003 Phishing: Spearphishing Voice T1047 Windows Management Instrumentation T1053.005 Scheduled Task/Job: Scheduled Task T1059 Command and Scripting Interpreter T1059.001 Command and Scripting Interpreter: PowerShell T1059.005 Command and Scripting Interpreter: Visual Basic T1106 Native API T1129 Shared Modules T1203 Exploitation for Client Execution T1204.001 User Execution: Malicious Link T1204.002 User Execution: Malicious File T1098 Account Manipulation T1505.004 Server Software Component: IIS Components T1542.003 Pre-OS Boot: Bootkit T1543.003 Create or Modify System Process: Windows Service T1547 Boot or Logon Autostart Execution T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.009 Boot or Logon Autostart Execution: Shortcut Modification T1574.001 Hijack Execution Flow: DLL Search Order Hijacking T1134.002 Access Token Manipulation: Create Process with Token T1134.004 Access Token Manipulation: Parent PID Spoofing T1014 Rootkit T1027 Obfuscated Files or Information T1027.002 Obfuscated Files or Information: Software Packing T1027.005 Obfuscated Files or Information: Indicator Removal from Tools T1027.007 Obfuscated Files or Information: Dynamic API Resolution T1027.009 Obfuscated Files or Information: Embedded Payloads T1027.013 Obfuscated Files or Information: Encrypted/Encoded File T1027.016 Obfuscated Files or Information: Junk Code Insertion T1036 Masquerading T1036.003 Masquerading: Rename Legitimate Utilities T1036.004 Masquerading: Masquerade Task or Service T1036.005 Masquerading: Match Legitimate Name or Location T1036.007 Masquerading: Double File Extension T1036.008 Masquerading: Masquerade File Type T1055 Process Injection T1055.001 Process Injection: DLL Injection T1070 Indicator Removal T1070.003 Indicator Removal: Clear Command History T1070.004 Indicator Removal: File Deletion T1070.006 Indicator Removal: Timestomp T1112 Modify Registry T1140 Deobfuscate/Decode Files or Information T1218 System Binary Proxy Execution T1218.004 System Binary Proxy Execution: InstallUtil T1218.005 System Binary Proxy Execution: Mshta T1218.007 System Binary Proxy Execution: Msiexec T1218.010 System Binary Proxy Execution: Regsvr32 T1218.011 System Binary Proxy Execution: Rundll32 T1218.014 System Binary Proxy Execution: MMC T1220 XSL Script Processing T1221 Template Injection T1222 File and Directory Permissions Modification T1497 Virtualization/Sandbox Evasion T1497.001 Virtualization/Sandbox Evasion: System Checks T1497.003 Virtualization/Sandbox Evasion: Time Based Checks T1553.002 Subvert Trust Controls: Code Signing T1562.001 Disable or Modify Tools T1562.004 Impair Defenses: Disable or Modify System Firewall T1564.001 Hidden Artifacts: Hidden Files and Directories T1574 Hijack Execution Flow T1574.013 Hijack Execution Flow: KernelCallbackTable T1620 Reflective DLL Injection T1622 Debugger Evasion T1003 OS Credential Dumping T1003.003 OS Credential Dumping: NTDS T1056 Input Capture T1056.001 Input Capture: Keylogging T1555 Credentials from Password Stores T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning T1010 Application Window Discovery T1012 Query Registry T1016 System Network Configuration Discovery T1033 System Owner/User Discovery T1046 Network Service Discovery T1049 System Network Connections Discovery T1057 Process Discovery T1083 File and Directory Discovery T1087.002 Account Discovery: Domain Account T1119 Automated Collection T1120 Peripheral Device Discovery T1124 Time Discovery T1482 Domain Trust Discovery T1614.001 System Location Discovery: System Language Discovery T1021 Remote Services T1021.001 Remote Services: Remote Desktop Protocol T1021.004 Remote Services: SSH T1534 Internal Spearphishing T1005 Data from Local System T1074.001 Data Staged: Local Data Staging T1560 Archive Collected Data T1560.002 Archive Collected Data: Archive via Library T1560.003 Archive Collected Data: Archive via Custom Method T1048.003 Exfiltration Over Alternative Protocol: Unencrypted Non-C2 Protocol T1052.001 Exfiltration Over Physical Medium: Exfiltration over USB T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage T1001.003 Data Obfuscation: Protocol or Service Impersonation T1008 Fallback Channels T1071.001 Application Layer Protocol: Web Protocols T1090 Proxy T1090.001 Proxy: Internal Proxy T1090.002 Proxy: External Proxy T1095 Non-Application Layer Protocol T1102 Web Service T1102.002 Web Service: Bidirectional Communication T1104 Multi-Stage Channels T1105 Ingress Tool Transfer T1132.001 Data Encoding: Standard Encoding T1219.002 Remote Access Software: Remote Desktop Software T1571 Non-Standard Port T1573 Encrypted Channel T1573.001 Encrypted Channel: Symmetric Cryptography T1485 Data Destruction T1489 Service Stop T1491.001 Defacement: Internal Defacement T1529 System Shutdown/Reboot T1561.001 Disk Wipe: Disk Content Wipe T1561.002 Disk Wipe: Disk Structure Wipe T1583.001 Acquire Infrastructure: Domains T1583.004 Acquire Infrastructure: Server T1583.006 Acquire Infrastructure: Web Services T1584.001 Compromise Infrastructure: Domains T1584.004 Compromise Infrastructure: Server T1585.001 Establish Accounts: Social Media Accounts T1585.002 Establish Accounts: Email Accounts T1587.001 Develop Capabilities: Malware T1587.002 Develop Capabilities: Code Signing Certificates T1588.002 Obtain Capabilities: Tool T1588.003 Obtain Capabilities: Code Signing Certificates T1588.004 Obtain Capabilities: Digital Certificates T1608.001 Stage Capabilities: Upload Malware T1608.002 Stage Capabilities: Upload Tool T1589.002 Gather Victim Identity Information: Email Addresses T1591 Gather Victim Org Information T1591.004 Gather Victim Org Information: Identify Roles T1593.001 Search Open Websites/Domains: Social Media

Reporting

Research mentioning SafePay

Jul 13
Hipaa Journal

Marlboro-Chesterfield Pathology Agrees to Settle Lawsuit Over 2025 Ransomware Attack

The lawsuit was filed in response to a January 2025 ransomware attack by the SafePay ransomware group.

May 11
Checkpoint Research

The State of Ransomware - Q1 2026 - Check Point Research

SafePay fell by 77%, going from 97 victims to 22. SafePay is a centralized, non-RaaS operation whose DLS was marked inactive from mid-March 2026 through early April for unknown reasons.

Apr 23
Cyberdaily Au

Exclusive: SA genealogical research firm confirms cyber incident following SafePay ransom claims - Cyber Daily

SafePay was first observed in October 2024 and has claimed more than 450 victims since then. According to the group, it is not a ransomware-as-a-service (RaaS) operation. “SafePay ransomware has never provided and does not provide the RaaS,” SafePay said on its leak site.

Apr 22
Cyberdaily Au

Exclusive: Aussie passports compromised in alleged Favelle Favco data breach - Cyber Daily

A Malaysia-headquartered heavy crane company with offices in Australia has been listed as a ransomware victim by the SafePay cyber extortion group... According to the group, it is not a ransomware-as-a-service (RaaS) operation. “SafePay ransomware has never provided and does not provide the RaaS,” SafePay said on its leak site.

Apr 14
Shroudcloud

Chaos - ShroudCloud

Q1 2026 is dominated by Qilin (~1,302 trailing-12mo), Akira, LockBit5, and SafePay.

Mar 16
Cyberscoop

The ransomware economy is shifting toward straight-up data extortion | CyberScoop

The most prominent ransomware families in 2025 included Agenda, Redbike, Clop, Playcrypt, Safepay, Inc, RansomHub and Fireflame, according to Google. The most active ransomware brands last year included Qilin, Akira, Clop, Play, Safepay, Inc, Lynx, RansomHub, DragonForce and Sinobi.

Mar 5
Osint Team

After LockBit: The Ransomware Market Never Shrinks | by privacyinsightsolutions.com | Mar, 2026 | OSINT Team

"Akira held 10.85%, INC Ransom 5.45%, Play 4.92%, and SafePay 4.60%."

Feb 6
Scworld

More than 25M compromised by Conduent hack | SC Media

"...data from over 25 million individuals confirmed to have been stolen as a result of a SafePay ransomware intrusion in January 2025..."

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.