Ransomware Intelligence

safepay

Ransomware group profile

Victims (selected period): 232
Source country: Russia
Impact score: 85

Description

SafePay is a financially motivated ransomware group that emerged in September 2024 and is known for encrypting victim systems quickly, within 24 hours of gaining access. Unlike ransomware-as-a-service (RaaS) operations, it runs as a centralized group that carries out its own campaigns rather than leasing its payload to affiliates, and its motive is monetary rather than political. Its tactics pair aggressive victim engagement with a strong extortion strategy built on a double extortion model: data is stolen before encryption, and its publication is threatened if the ransom is not paid.

Key insights

  • Gains initial access by exploiting vulnerabilities in VPN and RDP endpoints, by using stolen credentials, and through social engineering.
  • Uses a custom ransomware strain that appends a '.safepay' extension to encrypted files and drops ransom notes.
  • Applies double extortion: stolen data is published if the ransom is not paid.
  • Engages victims aggressively, including direct phone calls to coerce payment.
  • Exploits vulnerabilities such as CVE-2024-21762 (FortiOS SSL VPN out-of-bounds write; unauthenticated remote code execution) for unauthorized code execution.
  • Targets sectors such as healthcare, construction, and information services, with over 450 documented victims in total by 2026 (the 232 counted on this page fall within the selected period).

Threat Level & Status Breakdown

For safepay · Based on incidents in selected period

Threat level: 4.2
Aggressiveness: 10 / 10
Lethality: 0 / 10
Criticality: 2.3 / 10

Status Breakdown

Claimed: 100.0% (232)
First seen (in selected period): Jun 2025
Last seen (in selected period): Jun 2026
Avg ransom: n/a
Payment rate: n/a
Status: active
Sophistication: 0
Last updated: Jun 18, 2026

Recent activity

Monthly attack count for safepay in the selected period

Total attacks: 232
Peak month: 59 (Dec)
Average per month: 17.8
Change vs first month: up 9
[Chart: monthly attack count, Jun 2025 to Jun 2026; y-axis 0 to 60]

Intelligence

File hash IOCs for safepay (30 of 500 in the full IOC feed; the list mixes SHA-256, SHA-1 and MD5, and the algorithm below is inferred from digest length)

  1. 254295e7d4273570bcbe84ee1fd7381e22fc0706 (SHA-1)
  2. 1c65d2a20ccf6c6eccdec1cb4a97935c (MD5)
  3. 7ba3b719d9215945fa02c9db891446c5 (MD5)
  4. a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526 (SHA-256)
  5. b41fb6e936eae7bcd364c5b79dac7eb34ef1c301834681fbd841d334662dbd1d (SHA-256)
  6. 4c9e60cc73e87da4cadc51523690d67549de4902e880974bfacf7f1a8dc40d7d (SHA-256)
  7. b1022afe74471f945b18efed4366598bc6abb192 (SHA-1)
  8. 02f2f15cbcda53414b11d3ac67023b03b9b5bb14 (SHA-1)
  9. 66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd (SHA-256)
  10. 4582eab01849c98034677ac425f93a185258dbfa (SHA-1)
  11. d1f621b82822b544153f6b531e51a611 (MD5)
  12. fcb00beaa88f7827999856ba12302086cadbc1252261d64379172f2927a6760e (SHA-256)
  13. 12139246b8c5232d6d074df37acddc20f0bc233e42ed8eb00dfe2af5d3de3275 (SHA-256)
  14. b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb (SHA-256)
  15. a6dcdfc8e97616c07549290950e78b145883e532 (SHA-1)
  16. 327b8b61eb446cc4f710771e44484f62b804ae3d262b57a56575053e2df67917 (SHA-256)
  17. a92e8648403de30a64d654234a8094d8 (MD5)
  18. 94f73b5dc06ba6705fcef3e759413a747049c2949a0c2e44afc03b2f9989cf73 (SHA-256)
  19. e93d5b6993a757452bc5cac0975aeb6f (MD5)
  20. 648d36439c4adba0d6ec4c169860da175ab2ac9c (SHA-1)
  21. 7c4f7bb84d1ae8d9414fc60b4011d330 (MD5)
  22. 80261758bde39422b73f7856bfa142e0 (MD5)
  23. 5994143ba2cef357e43a12a84ae6d6a9 (MD5)
  24. aeba4ece8c4bf51d9761e49fad983967e76c705a06999c556c099f39853f737c (SHA-256)
  25. f292c0911456c1d9c40d5740c7d3997f (MD5)
  26. c3804d1329b55a37bfa2f835e1e9bbc7bdb2b260f8e3627c06e02c9f52685d44 (SHA-256)
  27. b498a2683640c983bb069fa2ea9e67cef4a3797d (SHA-1)
  28. 0a42e8cc7705921aa46b14a98d3c01fd6dcf9d11 (SHA-1)
  29. 6bba98d7c4ceaabb448052ced50373074e64d6ffac49060577277abfb88c314f (SHA-256)
  30. 3799f2424918a955997cb23c96690b2d2dcdbac5490bd0680c6749d1e48b32a5 (SHA-256)
Full IOC feed: 500 entries in total (30 shown above)
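An added example (not code from this page or its IOC feed) of how to put the hash list above, together with the '.safepay' extension noted under Key insights, to work in a host sweep. It infers each digest's algorithm from its length, hashes every file once for all three algorithms, and reports known-bad hash matches separately from files that merely carry the ransomware extension. The sample directory, the stand-in binary and its digest are constructed for the demonstration; the only real indicators are the 30 digests copied from this page.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# The 30 digests listed on this page. The feed does not state the algorithm,
# so it is inferred from hex length: 32 = MD5, 40 = SHA-1, 64 = SHA-256.
PAGE_IOCS = """
254295e7d4273570bcbe84ee1fd7381e22fc0706
1c65d2a20ccf6c6eccdec1cb4a97935c
7ba3b719d9215945fa02c9db891446c5
a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526
b41fb6e936eae7bcd364c5b79dac7eb34ef1c301834681fbd841d334662dbd1d
4c9e60cc73e87da4cadc51523690d67549de4902e880974bfacf7f1a8dc40d7d
b1022afe74471f945b18efed4366598bc6abb192
02f2f15cbcda53414b11d3ac67023b03b9b5bb14
66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd
4582eab01849c98034677ac425f93a185258dbfa
d1f621b82822b544153f6b531e51a611
fcb00beaa88f7827999856ba12302086cadbc1252261d64379172f2927a6760e
12139246b8c5232d6d074df37acddc20f0bc233e42ed8eb00dfe2af5d3de3275
b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb
a6dcdfc8e97616c07549290950e78b145883e532
327b8b61eb446cc4f710771e44484f62b804ae3d262b57a56575053e2df67917
a92e8648403de30a64d654234a8094d8
94f73b5dc06ba6705fcef3e759413a747049c2949a0c2e44afc03b2f9989cf73
e93d5b6993a757452bc5cac0975aeb6f
648d36439c4adba0d6ec4c169860da175ab2ac9c
7c4f7bb84d1ae8d9414fc60b4011d330
80261758bde39422b73f7856bfa142e0
5994143ba2cef357e43a12a84ae6d6a9
aeba4ece8c4bf51d9761e49fad983967e76c705a06999c556c099f39853f737c
f292c0911456c1d9c40d5740c7d3997f
c3804d1329b55a37bfa2f835e1e9bbc7bdb2b260f8e3627c06e02c9f52685d44
b498a2683640c983bb069fa2ea9e67cef4a3797d
0a42e8cc7705921aa46b14a98d3c01fd6dcf9d11
6bba98d7c4ceaabb448052ced50373074e64d6ffac49060577277abfb88c314f
3799f2424918a955997cb23c96690b2d2dcdbac5490bd0680c6749d1e48b32a5
""".split()

ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
RANSOM_EXT = ".safepay"   # extension the page says encrypted files receive

def classify_iocs(iocs):
    """Bucket digests by algorithm. A malformed entry raises rather than being
    dropped, so a corrupted feed cannot silently yield a clean sweep."""
    buckets = {"md5": set(), "sha1": set(), "sha256": set()}
    for raw in iocs:
        h = raw.strip().lower()
        algo = ALGO_BY_LEN.get(len(h))
        if algo is None or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"not a recognised hex digest: {raw!r}")
        buckets[algo].add(h)
    return buckets

def digest_file(path, algos):
    """Read the file once, feeding every algorithm the feed needs."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

def sweep(root, iocs, ransom_ext=RANSOM_EXT):
    """Walk `root`. Hash matches (the payload or a dropped tool) are reported
    separately from files carrying the ransomware extension, which are victim
    data already encrypted: evidence of impact, not of the binary."""
    buckets = classify_iocs(iocs)
    algos = [a for a, s in buckets.items() if s]
    hash_hits, encrypted = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.suffix.lower() == ransom_ext:
                encrypted.append(str(p))
            try:
                digests = digest_file(p, algos)
            except OSError:
                continue   # locked or unreadable file: skip it, keep sweeping
            for algo in algos:
                if digests[algo] in buckets[algo]:
                    hash_hits.append((str(p), algo, digests[algo]))
                    break
    return {"hash_hits": hash_hits, "encrypted_files": encrypted}

def demo():
    """Constructed scenario, not real samples: a temp tree with a benign file,
    one file renamed with the .safepay extension, and one file whose SHA-256
    is appended to the feed so the hash path produces a positive."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "readme.txt").write_bytes(b"nothing of interest")
        (root / "q3-report.xlsx.safepay").write_bytes(b"\x00" * 64)
        stand_in = root / "svchost-update.exe"
        stand_in.write_bytes(b"MZ constructed stand-in, not a real binary")
        extra = hashlib.sha256(stand_in.read_bytes()).hexdigest()
        return sweep(root, PAGE_IOCS + [extra])
```

Point `sweep` at a real mount instead of the temp tree (for example `sweep(Path("/mnt/evidence"), PAGE_IOCS)`). Because the feed mixes algorithms, each file is hashed with MD5, SHA-1 and SHA-256 in a single read, so a large tree costs one pass rather than three, and an unreadable or locked file is skipped rather than aborting the sweep.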

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for safepay

Initial access (exploited vulnerabilities)

  • CVE-2024-55591 (FortiOS / FortiProxy authentication bypass granting super-admin access)
  • CVE-2024-21762 (FortiOS SSL VPN out-of-bounds write; unauthenticated remote code execution)

MITRE ATT&CK techniques

  • Collection: T1560.001 Archive Collected Data: Archive via Utility
  • Credential Access: T1003 OS Credential Dumping
  • Defense Evasion: T1089 Disabling Security Tools (legacy ID, retired in ATT&CK; now covered by T1562.001 Impair Defenses: Disable or Modify Tools)
  • Defense Evasion: T1202 Indirect Command Execution
  • Discovery: T1135 Network Share Discovery
  • Execution: T1059 Command and Scripting Interpreter
  • Impact: T1486 Data Encrypted for Impact
  • Command and Control: T1071 Application Layer Protocol
  • Privilege Escalation: T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
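An added example, not from this page and not SafePay's own tooling, showing how the technique IDs above can be turned into detection logic over process-creation telemetry. The command-line patterns are the generic ones ATT&CK documents for each technique (an archiver's "add" command, Set-MpPreference or service stops against Defender, a comsvcs MiniDump of LSASS, net view, the pcalua/forfiles proxies), not command lines attributed to SafePay; the legacy T1089 on the page is mapped to its replacement, T1562.001. The Sysmon-style events, host names and paths are constructed.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed process-creation events in a Sysmon Event ID 1-like shape.
# They are not real SafePay telemetry; they exist to exercise the rules.
SAMPLE_EVENTS = [
    {"host": "WS-042", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmd": r"7z.exe a -pHunter2 C:\Users\Public\fin.7z \\FS01\Finance\*"},
    {"host": "WS-042", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "WS-042", "image": r"C:\Windows\System32\net.exe",
     "cmd": r"net.exe view \\FS01"},
    {"host": "WS-042", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Users\Public\lsass.dmp full"},
    {"host": "WS-042", "image": r"C:\Windows\System32\pcalua.exe",
     "cmd": r"pcalua.exe -a C:\Users\Public\update.bat"},
    {"host": "WS-007", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": r"notepad.exe C:\Users\jdoe\notes.txt"},
    {"host": "WS-007", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmd": r"7z.exe l C:\Users\jdoe\photos.zip"},
    {"host": "WS-007", "image": r"C:\Windows\System32\net.exe",
     "cmd": r"net.exe view"},
]

ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe"}
SECURITY_SERVICES = {"windefend", "sense", "wdnissvc", "mpssvc"}  # Defender and firewall
SHELL_PROXIES = {"pcalua.exe", "forfiles.exe"}   # binaries ATT&CK cites for T1202

def _image(e):
    return PureWindowsPath(e["image"]).name.lower()

def _args(e):
    return [a.lower() for a in e["cmd"].split()]

def is_archive_staging(e):
    # T1560.001: an archiver run with its "add" command (7z a / rar a).
    args = _args(e)
    return _image(e) in ARCHIVERS and len(args) > 1 and args[1] == "a"

def is_defense_disable(e):
    # T1562.001 (the page lists its legacy ID T1089): Defender real-time
    # protection switched off, or a security service stopped or disabled.
    cmd = e["cmd"].lower()
    if "set-mppreference" in cmd and "-disable" in cmd:
        return True
    if _image(e) in {"sc.exe", "net.exe", "net1.exe"} and ("stop" in cmd or "start= disabled" in cmd):
        return any(svc in cmd for svc in SECURITY_SERVICES)
    return False

def is_lsass_dump(e):
    # T1003: LSASS memory written to disk via comsvcs MiniDump or procdump.
    cmd = e["cmd"].lower()
    return "lsass" in cmd and ("minidump" in cmd or "procdump" in cmd)

def is_share_discovery(e):
    # T1135: net view / net share enumeration.
    args = _args(e)
    return _image(e) in {"net.exe", "net1.exe"} and len(args) > 1 and args[1] in {"view", "share"}

def is_indirect_execution(e):
    # T1202: a command launched through a proxy binary that hides the shell.
    return _image(e) in SHELL_PROXIES

RULES = [
    ("T1560.001", is_archive_staging),
    ("T1562.001", is_defense_disable),
    ("T1003", is_lsass_dump),
    ("T1135", is_share_discovery),
    ("T1202", is_indirect_execution),
]

def detect(events):
    """One (host, technique_id, command line) tuple per rule that fires."""
    return [(e["host"], tid, e["cmd"]) for e in events for tid, pred in RULES if pred(e)]

def techniques_per_host(hits):
    seen = defaultdict(set)
    for host, tid, _ in hits:
        seen[host].add(tid)
    return dict(seen)

def escalate(hits, threshold=3):
    """Hosts on which at least `threshold` distinct techniques fired. Each rule
    is noisy alone (admins archive data and run net view); several of the
    page's techniques on one host is the pre-encryption pattern to page on."""
    return sorted(h for h, t in techniques_per_host(hits).items() if len(t) >= threshold)
```

Each rule on its own is a triage signal, not an alert: the value is in `escalate`, which only pages when several of the listed techniques chain on one host, which is what the collection, defense-evasion and credential-access steps look like in the hours before T1486 encryption begins.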

Victims (200 in total; first 20 shown, page 1 of 10)

Company | Domain | Country | Industry | Status | Discovered
seinordovest.it | seinordovest.it | Italy (IT) | Energy & Utilities | Claimed | 2 days ago
harcourts.net | harcourts.net | Australia (AU) | Retail & E-Commerce | Claimed | 2 days ago
zaunsysteme.de | zaunsysteme.de | Germany (DE) | Manufacturing | Claimed | 2 days ago
brscappuccio.it | brscappuccio.it | Italy (IT) | Retail & E-Commerce | Claimed | 2 days ago
gut-heckenhof.de | gut-heckenhof.de | Germany (DE) | Other | Claimed | 2 days ago
hughstirling.co.uk | hughstirling.co.uk | Germany (DE) | Professional Services | Claimed | 4 days ago
tokyocivil.co.jp | tokyocivil.co.jp | Japan (JP) | Other | Claimed | 4 days ago
kawaius.com | kawaius.com | United States (US) | Manufacturing | Claimed | 4 days ago
musenet.co.jp | musenet.co.jp | Japan (JP) | Technology | Claimed | 4 days ago
bautz-maschinenbau.de | bautz-maschinenbau.de | Germany (DE) | Manufacturing | Claimed | 4 days ago
aquaclean.com | aquaclean.com | Spain (ES) | Retail & E-Commerce | Claimed | 4 days ago
hoodriversheriff.com | hoodriversheriff.com | United States (US) | Government & Defense | Claimed | 4 days ago
iql-nog.com | iql-nog.com | Spain (ES) | Manufacturing | Claimed | 17 days ago
tavolaspa.com | tavolaspa.com | Italy (IT) | Hospitality | Claimed | 18 days ago
parsa-beauty.de | parsa-beauty.de | Germany (DE) | Retail & E-Commerce | Claimed | 18 days ago
soraris.it | soraris.it | Italy (IT) | Technology | Claimed | 18 days ago
lcnet.eu | lcnet.eu | Germany (DE) | Technology | Claimed | 18 days ago
verzolla.com | verzolla.com | Italy (IT) | Manufacturing | Claimed | 18 days ago
compactmould.com | compactmould.com | Canada (CA) | Manufacturing | Claimed | 18 days ago
eitecpro.co.jp | eitecpro.co.jp | Japan (JP) | Technology | Claimed | 25 days ago