Unsafe
Unsafe is a ransomware threat actor and ransomware-as-a-service operation active since at least late 2022.
Profile source: Mallory opens in a new tabUnsafe
Family profile
Unsafe is a ransomware threat actor and ransomware-as-a-service operation active since at least late 2022. The group is associated with double-extortion activity, combining data theft with threats to publish stolen information and, in some cases, ransomware deployment. Reporting indicates the actor was relatively quiet during 2024 and 2025 before re-emerging in 2026.
Unsafe has been linked to intrusions affecting organizations in multiple countries, with observed targeting including Germany, the United States, Switzerland, and France. Victimology spans sectors such as financial services and business services. Publicly reported activity includes claims of compromise against high-profile enterprises and the use of a leak site to pressure victims through public exposure.
The group’s tradecraft has been described as including exploitation of vulnerabilities, efforts to evade or disable security controls, and anti-forensic behavior intended to remove traces of activity from compromised environments. Unsafe has also been associated in reporting with the use of established malware families and post-compromise actions consistent with data staging and exfiltration. Claimed breach evidence has included database extracts and internal records, indicating an emphasis on stealing sensitive corporate and employee information for extortion leverage.
Unsafe is best characterized as a financially motivated cybercriminal ransomware actor rather than a confirmed nation-state operation. The alias most commonly reflected in reporting is Unsafe.
Ransomware.live
Operational record
Ransomware.live