A new ransomware threat has emerged as one of the more formidable adversaries in the cybersecurity landscape, showing unprecedented growth and sophistication in its attack methodology.
SafePay ransomware, which first appeared in 2024, has quickly developed from a relatively unknown entity into one of the most active ransomware groups globally, claiming over 200 victims worldwide in the first quarter of 2025 alone.
The malware primarily targets managed service providers (MSPs) and small-to-midsize businesses (SMBs) across numerous industries, using a combination of Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) intrusion techniques to penetrate organizational networks.
The ransomware group operates with a centralized control structure, distinguishing itself from the traditional ransomware-as-a-service (RaaS) model employed by many contemporary threat actors.
This operational approach allows SafePay to maintain direct oversight of its infrastructure, victim negotiations, and attack execution, resulting in more coordinated and effective campaigns.
The group's rapid rise to prominence was highlighted by its involvement in the high-profile attack against Ingram Micro, a global distributor serving thousands of partners and MSPs, demonstrating the malware's capability to disrupt critical supply chain infrastructure.
Acronis analysts identified significant similarities between SafePay and the notorious LockBit ransomware family, particularly the LockBit 3.0 builder whose source code was leaked in 2022.
The technical analysis reveals that SafePay employs basic but highly effective tactics, including disabling endpoint protection systems, deleting shadow copies, and systematically clearing system logs to suppress detection and incident response capabilities.
The malware's persistence mechanisms and evasion techniques show a sophisticated understanding of enterprise security architectures and defensive measures.
The ransomware manifests as a PE32 DLL file with a deliberately falsified compilation timestamp, requiring specific execution parameters to function correctly. SafePay implements a double extortion model, combining data exfiltration with file encryption to maximize pressure on victims.
The malware's technical sophistication is evident in its use of living-off-the-land binaries, which allow it to blend seamlessly with legitimate system processes and evade traditional signature-based detection methods.
Infection Mechanism and Data Exfiltration
SafePay's infection mechanism relies heavily on compromised RDP connections and VPN credentials, though the precise methods of credential acquisition remain unclear.
Attack flow (Source: Acronis)
Once inside the target network, the malware executes a carefully orchestrated sequence of operations designed to maximize data collection while minimizing detection.
The ransomware employs the ShareFinder.ps1 script, sourced from the open-source PowerView project, to enumerate all accessible network shares within the local domain.
This reconnaissance phase allows the malware to identify high-value targets and map the network infrastructure comprehensively.
The data collection process uses WinRAR with specific command-line parameters to archive sensitive files while excluding certain file types to optimize storage and transmission efficiency.
The archiving command systematically excludes multimedia files, executables, and other non-critical data formats, focusing instead on documents, databases, and configuration files that typically contain valuable business information.
Following the archiving process, SafePay deploys the FileZilla client software to exfiltrate the compressed archives to command-and-control servers, after which both WinRAR and FileZilla are systematically removed from the compromised systems to eliminate forensic evidence.
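As an added defender-side example (not code from the Acronis report), the following Python correlates process-creation events into the share enumeration, WinRAR archiving, FileZilla exfiltration and tool-removal chain described above, so that a single WinRAR run by an administrator does not alert but the full sequence on one host does. The events, host names, paths and stage regexes are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events: (host, timestamp, image name, command line).
# Illustrative only; not real SafePay telemetry.
EVENTS = [
    ("ws-07", "2025-03-04T01:12:05", "powershell.exe", r"powershell -File C:\Temp\ShareFinder.ps1"),
    ("ws-07", "2025-03-04T01:31:40", "rar.exe",        r"rar a -r C:\Temp\docs.rar \\fs01\finance"),
    ("ws-07", "2025-03-04T01:55:02", "filezilla.exe",  r"filezilla.exe"),
    ("ws-07", "2025-03-04T02:10:11", "cmd.exe",        r"cmd /c del /q C:\Temp\rar.exe C:\Temp\filezilla.exe"),
    ("ws-12", "2025-03-04T09:00:00", "rar.exe",        r"rar a backup.rar C:\Users\bob\Documents"),
]

# Stages of the exfiltration chain in the order the article describes them.
# Each stage is matched against either the image name or the command line (assumed patterns).
STAGES = [
    ("share_enum", "cmd",   re.compile(r"sharefinder\.ps1|invoke-sharefinder", re.I)),
    ("archive",    "cmd",   re.compile(r"\b(rar|winrar)(\.exe)?\s+a\b", re.I)),
    ("exfil_tool", "image", re.compile(r"^filezilla(\.exe)?$", re.I)),
    ("cleanup",    "cmd",   re.compile(r"\bdel\b.*(rar|filezilla)", re.I)),
]
ORDER = [name for name, _, _ in STAGES]

def classify(image, cmd):
    """Return the stage an event belongs to, or None if it matches no stage."""
    for name, field, rx in STAGES:
        if rx.search(image if field == "image" else cmd):
            return name
    return None

def find_exfil_chains(events, window_hours=4, min_stages=3):
    """Map host -> ordered stage list when at least min_stages distinct stages
    occur in sequence within window_hours on that host."""
    window = timedelta(hours=window_hours)
    by_host = {}
    for host, ts, image, cmd in events:
        stage = classify(image, cmd)
        if stage:
            by_host.setdefault(host, []).append((datetime.fromisoformat(ts), stage))
    hits = {}
    for host, seq in by_host.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):  # try each event as the chain start
            chain = []
            for t, stage in seq[i:]:
                if t - t0 > window:
                    break
                if not chain or ORDER.index(stage) > ORDER.index(chain[-1]):
                    chain.append(stage)
            if len(chain) >= min_stages:
                hits[host] = chain
                break
    return hits
```

Running `find_exfil_chains(EVENTS)` flags only ws-07 with all four stages; ws-12, whose sole event is a routine archive, is not reported.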
The ransomware's encryption routine employs a robust combination of AES and RSA algorithms, generating a unique 32-byte AES key for each file before encrypting those keys with RSA public key cryptography.
This dual-layer encryption approach ensures that even if one component is compromised, the overall security of the encrypted data remains intact.
SafePay appends the .safepay extension to encrypted files and requires a 32-byte password for full execution, implementing multiple safeguards against analysis and reverse engineering attempts.