Inside SafePay: Analyzing the New Centralized Ransomware Group

Picus Labs | 6 MIN READ

CREATED ON January 07, 2026

In late 2024 and throughout 2025, a sophisticated ransomware group known as SafePay emerged, rapidly escalating its operations to become a significant global threat. Unlike the dominant Ransomware-as-a-Service (RaaS) models, SafePay operates as a centralized, closed group, maintaining strict control over its infrastructure, negotiations, and profits. This operational security (OPSEC) strategy minimizes the risk of code leaks and law enforcement infiltration that plagued predecessors like LockBit and ALPHV [1].

The group utilizes a double extortion technique, exfiltrating sensitive data, such as financial records and intellectual property, before encrypting systems. Victims are pressured via a data leak site on the Tor network, which lists organizations that fail to pay the ransom. Attacks are characterized by their speed, often transitioning from initial access to encryption within 24 hours [2].

How Does SafePay Ransomware Work?

SafePay employs a modular and methodical attack chain. The ransomware binary itself is a native 32-bit Windows PE DLL whose compilation timestamp is often forged, so the PE header cannot be trusted when dating a sample [3].

Initial Access

Attackers typically gain entry with compromised credentials, either purchased from initial access brokers or obtained through brute-force attacks. The credentials are then used to log in through valid accounts on VPN gateways, Remote Desktop Protocol (RDP) servers, and other edge devices. In some observed incidents the entry point was a misconfigured firewall, specifically a FortiGate device that allowed local-account authentication without Multi-Factor Authentication (MFA). The practical check is whether any local (non-SSO) account can authenticate to the VPN or RDP gateway without a second factor.

Once inside, the threat actors may deploy backdoors for persistence. Investigations have identified the use of QDoor (a backdoor associated with the BlackSuit group) and legitimate remote access tools like ScreenConnect.

Discovery and Lateral Movement

Upon establishing a foothold, the attackers run network discovery to identify valuable assets and file shares. One observed tool is ShareFinder.ps1, the PowerView script whose Invoke-ShareFinder function enumerates SMB shares on every reachable domain host, which gives the group a list of shares to harvest and later encrypt.

Lateral movement relies on standard administrative utilities and Living-off-the-Land Binaries (LOLBins): the group uses Sysinternals PsExec and the built-in WinRM service to execute commands on remote systems [4]. A typical PsExec invocation against a remote host looks like the line below. Note that a password passed with -p is recorded verbatim in the command line of process-creation events (Windows Security Event ID 4688 with command-line auditing, or Sysmon Event ID 1), which is both a credential exposure and a detection opportunity:

PsExec.exe \\TARGET_IP -u Domain\Admin -p Password cmd.exe

Defense Evasion

SafePay neutralizes defenses and releases file locks before deploying the encryptor. It terminates processes belonging to antivirus software, databases, and backup solutions, and also ordinary applications (office suites, browsers, mail clients) whose open handles would otherwise block encryption of their files.

The malware contains a hardcoded, encrypted list of services and processes to kill. Observed targets include [3]:

  • Processes: sql, oracle, firefox, excel, onenote, outlook, steam, notepad, msaccess, winword, encsvc, ocautoupds.

  • Services: vss, sqlsvc, msexchange, Sophos, Veeam, backup, GxVss (a Commvault backup service).

The service list is the part worth alerting on: a legitimate administrator rarely stops VSS, Veeam, and Sophos within the same minute.

To prevent recovery, the ransomware deletes Volume Shadow Copies and disables the Windows boot-recovery options. Each command is spawned through cmd.exe, which is why the observed command lines begin with the /c switch [3]:

/c vssadmin delete shadows /all /quiet
/c wmic shadowcopy delete
/c bcdedit /set {default} bootstatuspolicy ignoreallfailures
/c bcdedit /set {default} recoveryenabled no

Additionally, the malware may attempt to bypass User Account Control (UAC) through the CMSTPLUA COM interface (the auto-elevating ICMLuaUtil object used by many public UAC-bypass implementations) so that it runs with elevated privileges without a consent prompt.

Data Exfiltration

Prior to encryption, data is harvested and staged. The group targets specific file types (e.g., .docx, .pdf, .xlsx) and avoids system files. Data is archived with WinRAR and then exfiltrated; FileZilla, Rclone, and 7-Zip have also been observed in this phase. The observed WinRAR command line is tuned for speed and volume rather than stealth: a adds to an archive, -v5g splits it into 5 GB volumes, -m0 stores files without compression, -mt5 uses five threads, -r recurses into subdirectories, -ed skips empty directories, -tn1000d restricts collection to files modified within the last 1000 days, and the long run of -x masks excludes media, binaries, logs and CAD formats so that documents dominate the result. The source is the C$ administrative share of a remote host, i.e. an entire Users tree pulled over SMB [3]:

WinRAR.exe a -v5g -ed -r -tn1000d -m0 -mt5 -x*.rar -x*.JPEG -x*.RAW -x*.PSD -x*.TIFF -x*.BMP -x*.GIF -x*.JPG -x*.MOV -x*.pst -x*.FIT -x*.FIL -x*.mp4 -x*.avi -x*.mov -x*.mdb -x*.iso -x*.exe -x*.dll -x*.bak -x*.msg -x*.png -x*.zip -x*.ai -x*.7z -x*.DPM -x*.log -x*.dxf -x*.insp -x*.upd -x*.db -x*.dwg -x*.nc1 -x*.metadata -x*.dg -x*.inp -x*.dat -x*.TIFF -x*.tiger -x*.pcp -x*.rvt -x*.rws -x*.nwc -x*.tif -x*.frx -x*.dyf -x*.rcs -x*.diff C:\[redacted].rar \\[redacted]\C$\Users\
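
As an added example, not taken from the report, the following Python parses a WinRAR command line of this shape into its command, switches, exclusion masks, archive and source paths, and applies a few triage rules an analyst would want when such a line appears in process-creation logs: volume splitting, store-only compression, a modification-time filter, a remote administrative-share source, and a mass exclusion of media types. The sample input is the command line above; switch meanings follow WinRAR's documented -v, -m, -mt, -tn, -r, -ed and -x switches, and quoted paths are the only extra case handled.

```python
import re
import shlex

# WinRAR command line observed in the SafePay exfiltration phase, copied from
# the report above (the paths were already redacted there). A raw string cannot
# end in a backslash, so the trailing one is appended separately.
SAMPLE_CMDLINE = (
    r"WinRAR.exe a -v5g -ed -r -tn1000d -m0 -mt5 -x*.rar -x*.JPEG -x*.RAW -x*.PSD "
    r"-x*.TIFF -x*.BMP -x*.GIF -x*.JPG -x*.MOV -x*.pst -x*.FIT -x*.FIL -x*.mp4 "
    r"-x*.avi -x*.mov -x*.mdb -x*.iso -x*.exe -x*.dll -x*.bak -x*.msg -x*.png "
    r"-x*.zip -x*.ai -x*.7z -x*.DPM -x*.log -x*.dxf -x*.insp -x*.upd -x*.db "
    r"-x*.dwg -x*.nc1 -x*.metadata -x*.dg -x*.inp -x*.dat -x*.TIFF -x*.tiger "
    r"-x*.pcp -x*.rvt -x*.rws -x*.nwc -x*.tif -x*.frx -x*.dyf -x*.rcs -x*.diff "
    r"C:\[redacted].rar \\[redacted]\C$\Users" + "\\"
)

# \\host\C$\ , \\host\D$ ... : a remote administrative share as the source.
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\[a-z]\$(\\|$)", re.I)
MEDIA_MASKS = {"*.jpg", "*.jpeg", "*.png", "*.gif", "*.bmp", "*.tif", "*.tiff",
               "*.mp4", "*.avi", "*.mov", "*.iso", "*.exe", "*.dll"}


def parse_rar_cmdline(cmdline: str) -> dict:
    """Split a WinRAR/rar command line into command, switches and paths."""
    # posix=False keeps backslashes literal; surrounding quotes are stripped.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if len(tokens) < 2:
        raise ValueError("expected: <rar> <command> [switches] <archive> [paths]")
    parsed = {
        "binary": tokens[0], "command": tokens[1],
        "volume_size": None, "compression": None, "threads": None,
        "newer_than": None, "recurse": False, "skip_empty_dirs": False,
        "excludes": [], "other_switches": [], "archive": None, "sources": [],
    }
    positional, in_switches = [], True
    for tok in tokens[2:]:
        if in_switches and tok == "--":          # WinRAR: end of switch list
            in_switches = False
            continue
        if not (in_switches and tok.startswith("-")):
            positional.append(tok)
            continue
        sw = tok[1:]
        low = sw.lower()
        if m := re.fullmatch(r"v(\d+[bkmg]?)", low):      # -v<size>: volumes
            parsed["volume_size"] = m.group(1)
        elif m := re.fullmatch(r"mt(\d+)", low):          # -mt<n>: threads
            parsed["threads"] = int(m.group(1))
        elif m := re.fullmatch(r"m([0-5])", low):         # -m0: store only
            parsed["compression"] = int(m.group(1))
        elif m := re.fullmatch(r"tn(.+)", low):           # -tn<time>: newer than
            parsed["newer_than"] = m.group(1)
        elif low.startswith("x"):                         # -x<mask>: exclude
            parsed["excludes"].append(sw[1:])
        elif low == "ed":                                 # skip empty directories
            parsed["skip_empty_dirs"] = True
        elif low == "r":                                  # recurse
            parsed["recurse"] = True
        else:
            parsed["other_switches"].append(sw)
    if positional:
        parsed["archive"], parsed["sources"] = positional[0], positional[1:]
    return parsed


def triage(parsed: dict) -> list:
    """Heuristics that separate staging-for-exfiltration from routine use."""
    findings = []
    if parsed["command"].lower() in ("a", "u", "m") and parsed["volume_size"]:
        findings.append(f"split archive (-v{parsed['volume_size']}): "
                        "output staged in fixed-size volumes for upload")
    if parsed["compression"] == 0:
        findings.append("store-only compression (-m0): speed preferred over size")
    if parsed["newer_than"]:
        findings.append(f"time filter (-tn{parsed['newer_than']}): "
                        "only recently modified data is collected")
    for src in parsed["sources"]:
        if ADMIN_SHARE.match(src):
            findings.append(f"source is a remote administrative share: {src}")
        if re.search(r"\\users(\\|$)", src, re.I):
            findings.append(f"user profile directories harvested: {src}")
    excludes = {e.lower() for e in parsed["excludes"]}
    if len(excludes & MEDIA_MASKS) >= 4:
        findings.append(f"{len(parsed['excludes'])} exclusion masks drop media and "
                        "binaries: collection is tuned for documents")
    return findings


if __name__ == "__main__":
    for line in triage(parse_rar_cmdline(SAMPLE_CMDLINE)):
        print("-", line)
```

Any one of these findings is weak on its own (split volumes are normal for backups); it is the combination of a C$ source, store-only compression and document-centric exclusions in a single archiving command, running from a user or jump host rather than a backup server, that marks staging.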

Ransomware Execution and Encryption

The ransomware payload is usually a DLL, executed through regsvr32.exe or rundll32.exe rather than as a standalone executable, so that the encryptor runs under a signed Windows binary.

The malware also refuses to run without specific arguments, in particular the password, which it uses to decrypt additional data embedded in the binary [3]. This keeps the payload inert in sandboxes that detonate it without the correct command line. The most notable arguments are:

  • -pass= : Mandatory. A 32-byte password used to decode additional information in the code.

  • -enc= : Encryption percentage (1-9). The value is multiplied by 10 (e.g., 5 = 50%).

  • -network : Initiates network propagation to encrypt shared folders.

  • -selfdelete : Deletes the malware executable after encryption completes.
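
The following is an added example, written for this page rather than taken from the report or any referenced vendor, that turns three of the observations above into detection logic: the PsExec and WinRM lateral movement, the vssadmin/wmic/bcdedit recovery-inhibition commands, and the rundll32/regsvr32 loader with its -pass= argument. It runs regex rules over process-creation events shaped like Sysmon Event ID 1 or Windows Security 4688 records (Computer, Image, CommandLine) and then correlates hits per host, since a single vssadmin call may be an administrator but recovery inhibition plus a loader on one host is the chain described above. The sample events, host names, IP address, account, password and DLL path are constructed placeholders; the ATT&CK IDs are the standard ones for each behaviour.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    technique: str               # MITRE ATT&CK technique ID
    name: str
    cmdline: str                 # regex applied to the full command line
    image: Optional[str] = None  # optional regex applied to the process image path


RULES = [
    Rule("T1490", "shadow copies deleted via vssadmin",
         r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    Rule("T1490", "shadow copies deleted via WMI",
         r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b"),
    Rule("T1490", "boot recovery disabled via bcdedit",
         r"\bbcdedit(\.exe)?\s+/set\s+\{?default\}?\s+"
         r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    Rule("T1021.002", "PsExec execution against a remote host",
         r'psexec(64)?(\.exe)?"?\s+\\\\\S+', r"psexec(64)?\.exe$"),
    Rule("T1078", "credentials passed on the PsExec command line",
         r"\s-u\s+\S+\s+-p\s+\S+", r"psexec(64)?\.exe$"),
    Rule("T1021.006", "WinRM remote shell via winrs",
         r"\s-r:\S+", r"winrs\.exe$"),
    Rule("T1218.011", "rundll32 loading a DLL with the SafePay -pass= argument",
         r"-pass=\S+", r"rundll32\.exe$"),
    Rule("T1218.010", "regsvr32 loading a DLL with the SafePay -pass= argument",
         r"-pass=\S+", r"regsvr32\.exe$"),
]

# Constructed sample events in Sysmon Event ID 1 / 4688 shape. Host names, the
# IP address, the account, its password and the DLL path are placeholders.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c wmic shadowcopy delete"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c bcdedit /set {default} recoveryenabled no"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\payload.dll,#1 "
                    r"-pass=0123456789abcdef0123456789abcdef -enc=5 -network -selfdelete"},
    {"Computer": "JUMP01", "Image": r"C:\Tools\PsExec.exe",
     "CommandLine": r"PsExec.exe \\10.0.0.5 -u CORP\Admin -p Password cmd.exe"},
    {"Computer": "JUMP01", "Image": r"C:\Windows\System32\winrs.exe",
     "CommandLine": "winrs.exe -r:10.0.0.5 cmd.exe"},
    # Benign administration that must not fire.
    {"Computer": "WS02", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c vssadmin list shadows"},
    {"Computer": "WS02", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\notes.txt"},
]


def match_rules(event: dict) -> list:
    """Return every rule whose image and command-line regexes both match."""
    image, cmd = event.get("Image", ""), event.get("CommandLine", "")
    hits = []
    for rule in RULES:
        if rule.image and not re.search(rule.image, image, re.I):
            continue
        if re.search(rule.cmdline, cmd, re.I):
            hits.append(rule)
    return hits


def correlate(events: list, min_hits: int = 3) -> dict:
    """Hosts with at least min_hits rule matches, mapped to their distinct
    techniques. One vssadmin call may be admin noise; recovery inhibition plus
    a loader on one host is the chain described above."""
    per_host = {}
    for ev in events:
        for rule in match_rules(ev):
            per_host.setdefault(ev.get("Computer", "?"), []).append(rule)
    return {host: sorted({r.technique for r in rules})
            for host, rules in per_host.items() if len(rules) >= min_hits}


if __name__ == "__main__":
    for host, techniques in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(techniques)}")
```

Rules count separately toward the threshold, so a host that runs all three recovery-inhibition commands trips it before the loader appears; lower min_hits when feeding the function a narrow time window, and add a rule for the .safepay extension in file-creation events if your sensor records them.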

The encryption scheme uses a hybrid approach:

  • File Encryption: File contents are encrypted with a symmetric cipher; published analyses report AES or ChaCha20 [3] [1].

  • Key Management: A unique symmetric key is generated for each file. That key is protected with the operator's asymmetric key (RSA or x25519 Elliptic Curve Diffie-Hellman) and stored in the file footer, so per-file keys can only be recovered with a private key that never leaves the attackers.

  • File Structure: Files are encrypted in blocks (intermittent encryption) to speed up the process, so fragments of plaintext remain between encrypted blocks; that helps triage and file-type identification but does not enable recovery. A metadata block (typically 65 bytes) containing the encrypted key and a validation hash is appended to the end of the file.

  • Renaming: Encrypted files receive the .safepay extension.
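
To make the key-management point concrete, here is an added model, written for this page and not SafePay's code (it touches no files and walks no shares), of a per-file key wrapped with x25519 and applied intermittently. The x25519 ladder follows RFC 7748; the symmetric cipher is a PRF-in-counter-mode stand-in for ChaCha20 built from HMAC-SHA256, not the real cipher; the stripe layout (the first enc*10 percent of each 4 KiB chunk), the chunk size and the footer field order (ephemeral public key, SHA-256 key check, percentage byte) are assumptions chosen for illustration, not the layout recovered from the malware. What it shows is that only an ephemeral public key and a key check are ever stored, that only the operator's private key can regenerate the file key, and how much of each file intermittent encryption leaves readable.

```python
import hashlib
import hmac
import os
import struct

P = 2**255 - 19              # Curve25519 field prime
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")
CHUNK = 4096                 # assumed stripe granularity, not SafePay's real value
FOOTER_LEN = 65              # assumed: 32-byte eph. pubkey + 32-byte key check + 1 byte


def x25519(scalar: bytes, point: bytes) -> bytes:
    """X25519 scalar multiplication (Montgomery ladder, RFC 7748 section 5)."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keygen():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def keystream(key: bytes, offset: int, length: int) -> bytes:
    """PRF in counter mode; a stand-in for ChaCha20, not the real cipher."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("<QQ", offset, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def stripes(size: int, enc_level: int):
    """Assumed intermittent layout: the first enc_level*10 % of every CHUNK."""
    if not 1 <= enc_level <= 9:
        raise ValueError("-enc= must be 1..9")
    for start in range(0, size, CHUNK):
        n = min(CHUNK, size - start)
        yield start, start + n * enc_level * 10 // 100


def _apply(buf: bytearray, file_key: bytes, enc_level: int) -> None:
    # XOR against a keystream is its own inverse, so both directions share this.
    for lo, hi in stripes(len(buf), enc_level):
        ks = keystream(file_key, lo, hi - lo)
        buf[lo:hi] = bytes(x ^ y for x, y in zip(buf[lo:hi], ks))


def encrypt(data: bytes, operator_pub: bytes, enc_level: int) -> bytes:
    """Per-file key from an ephemeral x25519 exchange with the operator key."""
    eph_priv, eph_pub = keygen()
    file_key = hashlib.sha256(x25519(eph_priv, operator_pub)).digest()
    buf = bytearray(data)
    _apply(buf, file_key, enc_level)
    # Footer stores only the ephemeral public key and a key check; the file key
    # itself is never written and eph_priv is discarded with this frame.
    return bytes(buf) + eph_pub + hashlib.sha256(file_key).digest() + bytes([enc_level])


def decrypt(blob: bytes, operator_priv: bytes) -> bytes:
    """Rebuild the file key; only the operator's private key can do this."""
    body, footer = blob[:-FOOTER_LEN], blob[-FOOTER_LEN:]
    eph_pub, check, enc_level = footer[:32], footer[32:64], footer[64]
    file_key = hashlib.sha256(x25519(operator_priv, eph_pub)).digest()
    if not hmac.compare_digest(hashlib.sha256(file_key).digest(), check):
        raise ValueError("key check failed: wrong operator key or damaged footer")
    buf = bytearray(body)
    _apply(buf, file_key, enc_level)
    return bytes(buf)


def plaintext_fraction(blob: bytes) -> float:
    """Share of the body that intermittent encryption left readable."""
    size, enc_level = len(blob) - FOOTER_LEN, blob[-1]
    return 1 - sum(hi - lo for lo, hi in stripes(size, enc_level)) / size
```

The forensic consequences follow directly: the key check in the footer lets a decryptor fail cleanly on the wrong key but gives an analyst nothing to brute-force, and with -enc=5 half of every chunk is still plaintext, enough to identify file types and carve strings but never enough to reassemble a usable file.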

The malware includes a kill switch that inspects the system's keyboard layouts: if a Cyrillic layout (e.g., Russian, Ukrainian, Belarusian) is installed, it terminates before encrypting anything. Installing such a layout as a "vaccine" is occasionally suggested, but it is not a dependable control, since the check is trivial to remove in a later build.

How Does Picus Simulate SafePay Ransomware Attacks?

We also strongly suggest simulating SafePay Ransomware Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as HybridPetya, Yurei, BlackNevas, and CyberVolk, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for the SafePay Ransomware Campaign:

Threat ID   Threat Name                   Attack Module
25266       SafePay Ransomware Campaign   Windows Endpoint

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

Key Takeaways

  • SafePay operates as a centralized, closed ransomware group rather than a Ransomware-as-a-Service model, allowing for strict control over infrastructure and minimizing operational security risks.
  • The group utilizes a double extortion strategy by exfiltrating sensitive financial and intellectual property data before encrypting systems, with attacks often completing within 24 hours.
  • Initial access is primarily achieved through compromised credentials on VPN gateways and RDP servers or by exploiting misconfigured firewalls that lack Multi-Factor Authentication.
  • Defense evasion techniques include terminating processes associated with antivirus and backup solutions, deleting Volume Shadow Copies, and modifying boot configurations to prevent system recovery.
  • The ransomware binary requires specific command-line arguments to function, such as a mandatory 32-byte password to decode information.
  • Data exfiltration involves harvesting specific file types and archiving them with WinRAR using complex exclusion parameters, followed by transfer via tools like FileZilla and Rclone.
  • The ransomware features a built-in kill switch that terminates execution if it detects a Cyrillic keyboard layout on the infected system.

References

[1] J. Brown, “SafePay Ransomware: How a Non-RaaS Group Executes Rapid Fire Attacks,” Bitdefender Blog. Accessed: Dec. 16, 2025. [Online]. Available: https://www.bitdefender.com/en-au/blog/businessinsights/safepay-ransomware-attacks-ttps

[2] “SafePay Ransomware: An Emerging Threat in 2025,” Check Point Software. Accessed: Dec. 16, 2025. [Online]. Available: https://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/safepay-ransomware/

[3] Acronis Threat Research Unit, “SafePay ransomware: The fast-rising threat targeting MSPs,” Acronis. Accessed: Dec. 16, 2025. [Online]. Available: https://www.acronis.com/en/tru/posts/safepay-ransomware-the-fast-rising-threat-targeting-msps/

[4] R. Li, J. Moutos, and ThreatLocker Threat Intelligence, “SafePay ransomware explained: IOCs, TTPs, and defense strategies,” ThreatLocker Blog. Accessed: Dec. 16, 2025. [Online]. Available: https://www.threatlocker.com/blog/safepay-ransomware-explained-iocs-ttps-and-defense-strategies

 