What’s the SafePay ransomware?
SafePay is a comparatively new ransomware menace that was first noticed round September 2024. Like different ransomware, SafePay encrypts victims’ recordsdata in order that they can’t be accessed, after which calls for the fee of a cryptocurrency ransom for his or her restoration. As a part of a “double extortion” tactic, the hackers behind SafePay additionally steal knowledge from affected organisations and threaten to publish it on their darkish net leak website if a ransom will not be paid.
What makes SafePay uncommon?
Most fashionable ransomware gangs function a Ransomware-as-a-Service (RaaS) mannequin, the place associates are allowed to deploy the ransomware in return for a proportion of the proceeds they handle to extort. Nonetheless, SafePay doesn’t function like this. As an alternative, it seems to not provide itself to associates, however as an alternative the identical group develops and deploys the ransomware themselves moderately than relying upon others.Â
Certainly, a banner on SafePay’s darkish net leak website says:
SAFEPAY RANSOMWARE HAS NEVER PROVIDED AND DOES NOT PROVIDE THE RAAS
Why would they not function as a ransomware-as-a-service mannequin? Aren’t they turning their again on quite a lot of money?
Whereas it’s true that SafePay could also be closing the door on affiliate revenue, it does provide the advantage of higher operational safety and tighter management of how its ransomware is used.
Fascinating. So, why is SafePay within the information?
A just lately revealed menace report launched by safety specialists at NCC Group revealed that SafePay was at present probably the most lively ransomware group. Within the month of Might 2025 alone, 70 ransomware assaults have been linked to Safepay, accounting for 18% of the whole.
Â
In a sign of the ransomware group’s elevated exercise, this was the primary time that SafePay had appeared in NCC Group’s prime 10 listing of menace actors.
What has made SafePay so profitable so rapidly?
The reply to that query will not be clear, however it’s suspected that SafePay could also be intently associated to different infamous ransomware teams, together with LockBit, BlackCat, and INC Ransomware.
In different phrases, the oldsters behind SafePay will not be new to the scene?
Appropriate. If the hyperlinks to different infamous ransomware gangs are discovered to be true, it could imply that these are cybercriminals who’re skilled in extorting cash out of their victims, and have the sources to make a big impression.
Which firms have been hit by SafePay?
UK telematics enterprise Microlise, which gives automobile monitoring companies to the likes of DHL and Serco, revealed that it had been hit by ransomware in October 2024, and was one in all SafePay’s first publicised victims after the theft of 1.2TB of knowledge. Different victims have included a North Carolina anatomic pathology lab, which was breached in January 2025 in an assault that noticed the theft of data associated to over 200,000 sufferers, together with names, birthdates, addresses, medical insurance particulars, and medical therapy knowledge.
Isn’t any-one protected from being hit by SafePay ransomware?
Nicely, truly, sure, some individuals are. The SafePay ransomware is programmed to verify the language settings of the pc it’s working on, and if it spots the system is working any of the next languages, it should instantly cease working with out inflicting any injury: If the system language matches any specified languages, the malware will instantly terminate. An entire listing of languages checked may be seen beneath:
- Armenian
- Azerbaijani (Cyrillic)
- Belarusian
- Georgian
- Kazakh
- Russian
- Ukrainian
Why would the ransomware need to try this?
Two instantly causes leap to thoughts. One is, as an example, that the ransomware doesn’t need to rely – say – Russian companies amongst its unintended victims, in worry that native legislation enforcement companies would possibly come after it.
Is sensible. What different purpose may there be?
Nicely, perhaps the ransomware authors’ themselves run computer systems that are configured to make use of these languages. They might hardly need to develop into unintended victims of SafePay themselves, would they?
I assume not. So, how can my enterprise defend itself from the SafePay ransomware? I do not assume it could be sensible to vary the language settings of all our PCs to Russian.
SafePay is thought for breaking into organisations by utilizing stolen VPN or RDP credentials. It has not been reported to have used phishing methods steadily seen in lots of different ransomware assaults. Due to this fact, organisations that fear they is likely to be focused could be sensible to implement multi-factor authentication on all distant entry factors, disable unused RDP or VPN entry solely, and use IP allowlists or geofencing the place potential. As well as, we advocate all firms comply with our common recommendation for defending towards ransomware assaults, which incorporates ideas comparable to:
- Making safe off-site backups.
- Operating up-to-date safety options and guaranteeing that your computer systems are protected with the newest safety patches towards vulnerabilities.
- Utilizing hard-to-crack distinctive passwords to guard delicate knowledge and accounts, in addition to enabling multi-factor authentication.
- Encrypting delicate knowledge wherever potential.
- Decreasing the assault floor by disabling performance that your organization doesn’t want.
- Educating and informing workers concerning the dangers and strategies utilized by cybercriminals to launch assaults and steal knowledge.
Editor’s Observe: The opinions expressed on this and different visitor creator articles are solely these of the contributor and don’t essentially replicate these of Tripwire.
