Cyber Web Spider Blog – News

SafePay Ransomware Claiming Attacks Over 73 Victim Organizations in a Single Month

Posted on September 5, 2025 by CWS

A new ransomware threat has emerged as one of 2025’s most prolific cybercriminal operations, with SafePay ransomware claiming attacks against 73 victim organizations in June alone, followed by 42 more victims in July.

This surge has positioned SafePay as a significant threat actor that security teams worldwide must understand and prepare to defend against.

Unlike traditional ransomware-as-a-service (RaaS) models that rely on affiliate networks, SafePay operates as a closed, independent group that maintains strict operational security.

The group’s rapid-fire attack methodology has proven remarkably effective, with more than 270 claimed victims documented throughout 2025.

Their operations primarily target mid-size and enterprise organizations across the United States, Germany, Great Britain, and Canada, focusing on industries critical to daily operations, including manufacturing, healthcare, and construction.

Most affected industries (Source – Bitdefender)

The group’s emergence can be traced back to September 2024, arising in the aftermath of significant law enforcement operations that dismantled ALPHV (Black Cat) and severely disrupted LockBit’s infrastructure through Operation Cronos.

Bitdefender analysts identified components of the SafePay ransomware that complement functionalities associated with LockBit, specifically LockBit Black, though the groups operate with distinctly different methodologies and encryption processes.

SafePay demonstrates an alarming capability to execute full attack chains within 24-hour periods, moving from initial access through encryption with devastating efficiency.

SafePay’s Victims Claimed Per Day (Source – Bitdefender)

Their victim selection appears methodical, targeting organizations with revenues typically around $5 million, though outliers include entities with revenues exceeding $100 million and one victim surpassing $40 billion in revenue.

Encryption and Evasion Mechanisms

SafePay employs sophisticated technical approaches that distinguish it from other ransomware families.

The malware uses the ChaCha20 encryption algorithm, implementing unique symmetric keys for each encrypted file while embedding additional keys directly within the ransomware executable.

This dual-key approach complicates recovery efforts and ensures that each victim’s encryption remains uniquely secured.

The ransomware demonstrates advanced defense evasion capabilities, including debugger detection avoidance and the ability to terminate processes associated with anti-malware capabilities.

Upon execution, SafePay immediately begins removing volume shadow copies to prevent system recovery, then proceeds to encrypt files with the .safepay extension while deploying ransom notes named “readme_safepay.txt” in affected directories.

One notable technical characteristic involves the malware’s geographic targeting logic.

SafePay performs keyboard language detection to identify systems using Cyrillic keyboards, preventing execution on those systems, suggesting potential Russian connections or alliances within the threat actor ecosystem.
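For defenders, the two file indicators named above (the .safepay extension and the readme_safepay.txt note) can be matched against file-creation telemetry. The following is an added example, not code from Bitdefender or the original article; the pipe-delimited log layout, host names and paths are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

NOTE_NAME = "readme_safepay.txt"  # ransom note name reported in the article
ENC_SUFFIX = ".safepay"           # encrypted-file extension reported in the article

# Constructed sample events; the "time|host|event|path" layout is hypothetical.
SAMPLE_LOG = r"""
2025-06-03T02:14:07|FS01|FileCreate|D:\Shares\Finance\q2.xlsx.safepay
2025-06-03T02:14:08|FS01|FileCreate|D:\Shares\Finance\payroll.docx.safepay
2025-06-03T02:14:08|FS01|FileCreate|D:\Shares\Finance\readme_safepay.txt
2025-06-03T02:14:11|FS01|FileCreate|D:\Shares\HR\roster.csv.safepay
2025-06-03T02:14:12|FS01|FileCreate|D:\Shares\HR\README_SafePay.txt
2025-06-03T02:15:40|WS22|FileCreate|C:\Users\amy\Documents\safepay-invoice.pdf
2025-06-03T02:16:02|WS22|FileCreate|C:\Temp\test.safepay
"""

def triage(log_text, min_encrypted=3):
    """Summarise SafePay file indicators per host from file-creation events."""
    hosts = defaultdict(lambda: {"encrypted": 0, "note_dirs": set(), "times": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _event, raw_path = line.strip().split("|", 3)
        path = PureWindowsPath(raw_path)  # parses Windows paths on any OS
        is_note = path.name.lower() == NOTE_NAME
        is_enc = path.suffix.lower() == ENC_SUFFIX
        if not (is_note or is_enc):
            continue  # e.g. "safepay-invoice.pdf" only contains the word
        entry = hosts[host]
        entry["times"].append(datetime.fromisoformat(ts))
        if is_note:
            entry["note_dirs"].add(str(path.parent))
        else:
            entry["encrypted"] += 1
    report = {}
    for host, e in hosts.items():
        # A note plus several renamed files matches the behaviour described;
        # a lone hit is kept for review rather than dropped.
        strong = bool(e["note_dirs"]) and e["encrypted"] >= min_encrypted
        report[host] = {
            "encrypted": e["encrypted"],
            "note_dirs": sorted(e["note_dirs"]),
            "span_seconds": int((max(e["times"]) - min(e["times"])).total_seconds()),
            "verdict": "likely-encryption" if strong else "review",
        }
    return report

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_LOG).items():
        print(host, finding)
```

The `min_encrypted` threshold is an assumed tuning value; file names alone are weak signals, so hits are best correlated with shadow-copy deletion and security-process termination events from the same host.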
