Discovery Enum
- Invoke-ShareFinder
SafePay is a privately operated ransomware family and associated extortion operation that emerged in late 2024 and rapidly became one of the more active ransomware threats observed in 2025 and early 2026.
Profile source: Mallory opens in a new tabSafePay
SafePay is a privately operated ransomware family and associated extortion operation that emerged in late 2024 and rapidly became one of the more active ransomware threats observed in 2025 and early 2026. The operation publicly states that it is not a ransomware-as-a-service program, and reporting consistently characterizes it as a centralized, non-RaaS actor. SafePay uses a double-extortion model, stealing victim data before encrypting systems and threatening publication of stolen material to pressure payment.
SafePay has targeted organizations across multiple sectors and geographies, with repeated reporting of activity against healthcare providers, healthcare-related businesses, managed service providers, small and midsize businesses, and other enterprises. Victims have been reported in North America, Europe, and Australia, with Germany and the United States repeatedly identified among its principal target countries. Publicly attributed incidents include intrusions affecting healthcare entities, technology and distribution firms, industrial organizations, and government service providers.
Observed intrusion activity shows SafePay relying on conventional but effective operator-driven tradecraft rather than unusually advanced techniques. In at least one investigated case, initial access was obtained through password spraying against a VPN gateway, followed by a lengthy dwell period, privilege escalation to domain administrator, discovery of accessible shares, staging and compression of stolen data, exfiltration, and subsequent encryption. Operators have also searched for backup infrastructure and deleted shadow copies to hinder recovery. Reporting indicates SafePay has at times focused encryption activity inside guest virtual machines rather than directly encrypting hypervisors, suggesting stronger support for Windows environments than for native ESXi-level encryption in the observed period.
The SafePay encryptor is a custom Windows ransomware strain written in C. Reported technical characteristics include asynchronous file encryption using Overlapped I/O, configurable partial encryption, and use of AES-CBC when AES-NI is available or ChaCha20 otherwise, with Curve25519 protecting per-file key material. Analysts have noted design similarities to several established ransomware families but assessed the malware as likely independently developed rather than a direct derivative.
SafePay has been linked to major data theft and disruption events, including incidents involving healthcare-related organizations and large service providers where large volumes of personal, medical, financial, employment, and business data were reportedly stolen. Its activity profile, victim volume, and repeated use in high-impact extortion cases place it among the notable ransomware threats of the 2025–2026 period.
Ransomware.live
Ransomware.live
Reported operators
The SafePay ransomware group is a relatively new group, first appearing on our radar in November 2024. The group follows a double-extortion scheme, both exfiltrating data and encrypting it on victim machines using their own SafePay ransomware.
MITRE ATT&CK
Reporting
The lawsuit was filed in response to a January 2025 ransomware attack by the SafePay ransomware group.
SafePay fell by 77%, going from 97 victims to 22. SafePay is a centralized, non-RaaS operation whose DLS was marked inactive from mid-March 2026 through early April for unknown reasons.
SafePay was first observed in October 2024 and has claimed more than 450 victims since then. According to the group, it is not a ransomware-as-a-service (RaaS) operation. “SafePay ransomware has never provided and does not provide the RaaS,” SafePay said on its leak site.
A Malaysia-headquartered heavy crane company with offices in Australia has been listed as a ransomware victim by the SafePay cyber extortion group... According to the group, it is not a ransomware-as-a-service (RaaS) operation. “SafePay ransomware has never provided and does not provide the RaaS,” SafePay said on its leak site.
Q1 2026 is dominated by Qilin (~1,302 trailing-12mo), Akira, LockBit5, and SafePay.
The most prominent ransomware families in 2025 included Agenda, Redbike, Clop, Playcrypt, Safepay, Inc, RansomHub and Fireflame, according to Google. The most active ransomware brands last year included Qilin, Akira, Clop, Play, Safepay, Inc, Lynx, RansomHub, DragonForce and Sinobi.
"Akira held 10.85%, INC Ransom 5.45%, Play 4.92%, and SafePay 4.60%."
"...data from over 25 million individuals confirmed to have been stolen as a result of a SafePay ransomware intrusion in January 2025..."
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.