SafePay Ransomware Infected 260+ Victims Across Multiple Countries


A new ransomware threat has emerged as one of the most aggressive cybercriminal operations of 2025, with SafePay ransomware claiming responsibility for over 265 successful attacks spanning multiple continents.

The group, which first appeared in September 2024 with limited activity targeting just over 20 victims, has dramatically escalated its operations since early 2025, establishing itself as a formidable force in the global ransomware landscape.

Unlike traditional ransomware-as-a-service operations that rely on affiliate networks, SafePay operates as a centralized threat actor, conducting attacks directly through their own infrastructure and personnel.

SafePay Ransomware’s data leak site (DLS) (Source – SOCRadar)

This operational model has enabled the group to maintain tighter control over their campaigns while executing sophisticated double-extortion schemes that combine data encryption with threatened publication of stolen sensitive information on dark web leak sites.

The geographic distribution of SafePay’s victims reveals a calculated targeting strategy focused primarily on developed economies.

The United States bears the brunt of the attacks with 103 confirmed victims representing nearly 40% of all known cases, followed by Germany with 47 documented incidents.

Additional targets span across the United Kingdom, Australia, Canada, and various countries throughout Latin America and Asia-Pacific regions.

SOCRadar analysts identified that SafePay deliberately avoids targeting organizations within Commonwealth of Independent States countries through an embedded language detection mechanism.

The malware contains hardcoded checks that cause immediate termination if the infected system is configured for Armenian, Azerbaijani, Belarusian, Georgian, Kazakh, Russian, or Ukrainian languages, suggesting the operators seek to avoid prosecution within these jurisdictions.

The ransomware demonstrates particular effectiveness against manufacturing, technology, education, and business services sectors, though no industry appears immune to its reach.

Healthcare, transportation, finance, and public services organizations have also fallen victim to the group’s operations, indicating an opportunistic rather than sector-specific targeting approach.

Advanced Persistence and Evasion Mechanisms

SafePay’s technical sophistication becomes apparent through its multi-layered persistence and defense evasion strategies.

Simplified Cyber Kill Chain diagram of SafePay Ransomware (Source – SOCRadar)

The malware employs legitimate remote access tools such as ConnectWise ScreenConnect to maintain long-term network presence, installing these applications as persistent services that blend seamlessly with legitimate administrative activities.

This approach significantly reduces the likelihood of detection by endpoint protection systems, particularly when attackers possess valid credentials for installation. The group’s defense evasion capabilities extend beyond simple antivirus bypass techniques.

SafePay operators systematically disable Microsoft Defender and other security solutions through administrative commands and Group Policy modifications, adding folder exclusions and disabling real-time protection features.

Ransom note of SafePay Ransomware (Source – SOCRadar)

The malware itself utilizes encrypted strings, dynamic loading, and sophisticated packing mechanisms to evade signature-based detection systems.

# Example commands used to disable Windows Defender protections and add an exclusion
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableBehaviorMonitoring $true
Add-MpPreference -ExclusionPath "C:\Windows\Temp"
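As an added detection example (not from the SOCRadar report or this article), the following Python scans PowerShell script-block log text for the Defender tampering commands shown above and escalates when a protection feature is disabled and an exclusion is added in the same batch; the log lines are constructed samples, not telemetry from any real incident.

```python
import re
from dataclasses import dataclass

# Constructed sample PowerShell script-block log text (shape of Event ID 4104 records),
# not telemetry from any real SafePay incident.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-MpPreference | Select-Object DisableRealtimeMonitoring",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "Set-MpPreference -DisableBehaviorMonitoring:$True",
    'Add-MpPreference -ExclusionPath "C:\\Windows\\Temp"',
    "Set-MpPreference -DisableRealtimeMonitoring $false",
    "Add-MpPreference -ExclusionExtension .exe",
    "Get-Service | Where-Object Status -eq Running",
]

# A Defender feature switched off: -Disable<Feature> followed by $true, true or 1 (also the ':' form).
DISABLE_RE = re.compile(r"Set-MpPreference\b.*?-(Disable\w+)[\s:]+\$?(?:true|1)\b", re.IGNORECASE)
# An exclusion added by path, extension or process; the value may be quoted.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-(Exclusion(?:Path|Extension|Process))[\s:]+(\"[^\"]*\"|'[^']*'|\S+)",
    re.IGNORECASE,
)

@dataclass
class Finding:
    line_no: int
    technique: str
    detail: str

def scan_script_blocks(blocks):
    """Return one Finding per script block that disables a Defender feature or adds an exclusion."""
    findings = []
    for line_no, text in enumerate(blocks, 1):
        m = DISABLE_RE.search(text)
        if m:
            findings.append(Finding(line_no, "defender_feature_disabled", m.group(1)))
        m = EXCLUSION_RE.search(text)
        if m:
            value = m.group(2).strip("\"'")
            findings.append(Finding(line_no, "defender_exclusion_added", f"{m.group(1)}={value}"))
    return findings

def assess(findings):
    """Escalate when protection is disabled AND an exclusion is added, as in the command sequence above."""
    techniques = {f.technique for f in findings}
    if {"defender_feature_disabled", "defender_exclusion_added"} <= techniques:
        return "high"
    return "medium" if techniques else "none"

if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"line {f.line_no}: {f.technique} ({f.detail})")
    print("severity:", assess(scan_script_blocks(SAMPLE_SCRIPT_BLOCKS)))
```

Re-enabling commands (`$false`) and read-only `Get-MpPreference` calls are deliberately not flagged, so the rule keys on the tampering pattern rather than on any mention of the cmdlet.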

Registry persistence mechanisms ensure the malware survives system reboots and maintains access even after initial compromise vectors are discovered and remediated.

The threat actors create startup entries and modify system configurations to guarantee their tools remain active, while simultaneously deploying custom backdoors like QDoor for additional command execution and network tunneling capabilities.
