Emerging Threat Actor: SafePay Ransomware


SafePay has rapidly emerged as one of the most active and disruptive Ransomware-as-a-Service (RaaS) groups since its debut in November 2024, gaining momentum through frequent victim disclosures and high-pressure extortion tactics.
SafePay has not been definitively linked to any prior group, but its code carries signs that the developers borrowed from leaked LockBit source, which sets it apart from families written from scratch.
Despite its newcomer status, the group demonstrates a level of technical maturity and operational discipline that suggests experienced operators are behind it. Its ransomware is based on a modified version of LockBit's late-2022 code and retains that code base's sophistication and adaptability.
Its operators and affiliates employ a wide range of TTPs, including exploiting known vulnerabilities in widely used enterprise software to gain initial access, abusing legitimate remote management tools for persistence, and deploying credential-harvesting tools like Mimikatz during post-exploitation.
Encrypted files carry the “.safepay” extension, and ransom notes are titled "readme_safepay.txt." The group communicates with victims and leaks stolen data through infrastructure on both Tor and The Open Network (TON).
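The two file artifacts above (the ".safepay" extension and the "readme_safepay.txt" note) are what a responder usually sees first on a hit file share. The following triage helper is an added example, not Halcyon's tooling or anything from the SafePay code: it takes a file listing or walks a directory tree, counts encrypted files per directory, lists the directories that contain the ransom note, recovers each file's pre-encryption name so restoration can be scoped, and flags directories that hold a note but no encrypted files (an assumed signal that encryption was interrupted or partially cleaned up). The sample listing is constructed, and the case-insensitive extension match is an assumption rather than documented SafePay behaviour.

```python
"""Triage a suspected SafePay encryption event from file artifacts alone.

Added example (not Halcyon's or SafePay's code). Only the extension and
ransom-note name come from the profile; everything else is an assumption.
"""
import os
from collections import Counter
from pathlib import Path, PurePosixPath

ENCRYPTED_EXT = ".safepay"           # extension named in the profile
RANSOM_NOTE = "readme_safepay.txt"   # ransom note title named in the profile

# Constructed sample listing of a hit file share (not real incident data).
SAMPLE_LISTING = [
    "/srv/share/finance/Q3_report.xlsx.safepay",
    "/srv/share/finance/budget.docx.safepay",
    "/srv/share/finance/readme_safepay.txt",
    "/srv/share/hr/offer_letter.pdf.SAFEPAY",   # upper-case variant (assumed)
    "/srv/share/hr/readme_safepay.txt",
    "/srv/share/legal/readme_safepay.txt",      # note dropped, nothing encrypted
    "/srv/share/it/backup.log",
    "/srv/share/it/README.md",
]


def is_encrypted(path: str) -> bool:
    """True if the file name ends in the SafePay extension (case-insensitive, assumed)."""
    return PurePosixPath(path).name.lower().endswith(ENCRYPTED_EXT)


def original_name(path: str) -> str:
    """Strip the appended extension: 'report.xlsx.safepay' -> 'report.xlsx'."""
    name = PurePosixPath(path).name
    return name[:-len(ENCRYPTED_EXT)] if is_encrypted(path) else name


def triage(paths):
    """Summarise encrypted files and ransom notes across an iterable of POSIX paths."""
    encrypted_by_dir = Counter()
    note_dirs = set()
    originals = {}
    for p in paths:
        pp = PurePosixPath(p)
        parent = str(pp.parent)
        if pp.name.lower() == RANSOM_NOTE:
            note_dirs.add(parent)
        elif is_encrypted(p):
            encrypted_by_dir[parent] += 1
            originals[p] = original_name(p)
    # A note with no encrypted neighbours suggests an interrupted or partially
    # cleaned-up run; worth a closer look before declaring the directory clean.
    notes_only = sorted(d for d in note_dirs if encrypted_by_dir[d] == 0)
    return {
        "encrypted": sum(encrypted_by_dir.values()),
        "by_dir": dict(encrypted_by_dir),
        "note_dirs": sorted(note_dirs),
        "notes_without_encrypted": notes_only,
        "originals": originals,
    }


def scan_tree(root):
    """Yield every file under root as a POSIX-style path for triage()."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield Path(dirpath, name).as_posix()


if __name__ == "__main__":
    import json
    import sys
    paths = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    print(json.dumps(triage(paths), indent=2))
```

Run it against a mounted copy of the affected share (`python triage.py /mnt/share`) rather than the live host, and treat the "originals" map as the restore list to hand to whoever owns the backups; the per-directory counts give a quick sense of how far the encryption run got before it was stopped.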
SafePay consistently applies a double extortion model, encrypting systems while exfiltrating sensitive data to increase leverage through the threat of public exposure and sustained operational disruption.
Affiliates are permitted to launch attacks under the SafePay name, expanding the group’s reach and scale while the core operators retain strategic control.
Victimology spans a broad range of industries, including education, technology, healthcare, transportation, and manufacturing, with a clear focus on mid-sized to large enterprises.
SafePay's rapid growth in claimed victims and leak-site activity underscores its escalating presence in the ransomware ecosystem. Exact ransom figures remain undisclosed, but available evidence points to substantial demands scaled to the size and profile of the targeted organization.
Halcyon eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.