THREAT ACTOR: SafePay

Threat Level: 7.9
Emergence Date: Sep 2024
Category: Independent Ransomware Operation
Affiliations: No confirmed affiliations; possible connections to former LockBit/ALPHV operators

DESCRIPTION

SafePay ransomware emerged in September-October 2024 as an independent ransomware operation and rapidly rose to become the most active group globally by May 2025. The group employs double extortion tactics and a payload built on modified LockBit source code, and it maintains an aggressive operational tempo with consistent 24-hour encryption timelines.

CRITICALITY: Assesses the importance of the potential target, including its size/scale, the value of its data, and the operational impact of an attack.

LETHALITY: Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.

AGGRESSIVENESS: Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Independent ransomware operation (non-RaaS model)

While some sources incorrectly classify SafePay as RaaS due to its high operational volume, the group explicitly operates as an Independent Ransomware Operation, maintaining complete operational control without affiliate infrastructure. Technical analysis suggests possible connections to former LockBit, ALPHV, and INC Ransomware operators, though no confirmed affiliations exist. This closed model enables 100% revenue retention and eliminates vulnerabilities associated with affiliate networks, distinguishing SafePay from traditional RaaS operations despite achieving similar attack volumes.

Current Status: Highly active as of June 2025

Threat Level: 7.9

Origins and Methodology

Despite its recent emergence, SafePay has established itself as one of the most operationally efficient ransomware groups; its technical sophistication and immediately high attack volume suggest experienced operators rather than genuine newcomers. Security researchers note the group may be a rebrand of well-known actors such as LockBit, ALPHV, and INC Ransomware, which would explain its ability to attack at high volume and speed.

The methodology centers on rapid deployment and maximum pressure tactics. By consistently achieving full network encryption within 24 hours of initial access, SafePay operates significantly faster than industry averages. This compressed timeline reduces detection and response opportunities while maximizing operational success rates. The group's infrastructure spans both traditional Tor networks and The Open Network (TON), an unusual choice of communication channel for a ransomware operation.

Operational philosophy emphasizes complete independence, retaining 100% of ransom payments rather than sharing with affiliates like traditional RaaS operations. This model provides greater operational security and eliminates vulnerabilities associated with affiliate networks while maximizing per-attack profitability.

What is the Evolution of SafePay Ransomware?
0.1 Formation

SafePay first appeared in September-October 2024, with initial attacks observed by analysts in October 2024. The timing coincided with major law enforcement disruptions against LockBit and ALPHV operations, suggesting strategic market positioning.

0.2 Evolution

SafePay's evolution demonstrates rapid operational maturation from newcomer to dominant force in the ransomware ecosystem. Moving beyond initial opportunistic attacks, sophisticated targeted campaigns now incorporate advanced evasion techniques and multi-platform infrastructure. By early 2025, tactics evolved to include dual-channel communications through both Tor and TON networks, a technical innovation rarely seen in ransomware operations.

0.3 Lineage/Connections

Technical analysis reveals SafePay's foundation built on leaked LockBit 3.0 source code from late 2022, incorporating custom modifications and techniques from ALPHV/BlackCat and INC Ransom operations. Cyrillic language killswitch functionality suggests potential Eastern European connections.

Which Unique Techniques Does SafePay Use?

SafePay employs multiple initial access methods and a hybrid codebase that incorporates elements from several ransomware families, reflecting a high degree of operational sophistication.

Infection Vectors: Primary access comes through exploiting VPN misconfigurations, particularly Fortigate firewall implementations that allow local authentication while bypassing MFA. Additional vectors include purchasing valid credentials from dark web marketplaces and systematically targeting poorly secured RDP implementations. Legitimate remote management tools, particularly ScreenConnect, provide persistence mechanisms.

Target Selection: Targeting concentrates geographically on the United States as the primary target, followed by Germany, where SafePay accounts for a significant share of ransomware victims. Mid to large enterprises across professional services, construction, manufacturing, healthcare, education, and government sectors are targeted.

Operational Complexity: Sophistication manifests through a hybrid codebase incorporating elements from multiple ransomware families, rapid 24-hour deployment capability, and TON network communications alongside traditional Tor infrastructure.

Key Features & Technical Details

Encryption Method: ChaCha20 symmetric encryption with partial file encryption capability

File Extension: Appends .safepay to encrypted files

Ransom Note: Drops readme_safepay.txt with TOR/TON communication links

Double Extortion: Data exfiltration before encryption with public release threats

Communication Channels: Dual-platform: Tor hidden services and The Open Network (TON)

Deployment Speed: 24-hour timeline from initial access to full encryption

Killswitch: Cyrillic language detection to avoid CIS countries

Payment Method: Bitcoin exclusively

Operational Model: Independent operation with centralized control structure

Activities

Demonstrating remarkable operational tempo since its emergence, SafePay established itself among the most prolific ransomware operations globally by mid-2025. In May 2025 it became the most active ransomware operation, with dozens of confirmed incidents per month accounting for a significant portion of global ransomware attacks.

Which Industries Are Most Vulnerable to SafePay?

Professional services and construction represent SafePay's primary targets, experiencing the highest attack concentrations. Healthcare organizations face particular risk, aligning with broader industry trends of critical infrastructure targeting. Manufacturing and education sectors also experience significant targeting due to operational continuity requirements and constrained security budgets.

Modus Operandi

SafePay operates with remarkable efficiency, consistently achieving full network compromise and encryption within 24 hours of initial access. The sophisticated multi-stage attack methodology begins with careful reconnaissance and credential acquisition, progresses through systematic privilege escalation and lateral movement, culminating in simultaneous data exfiltration and encryption deployment.

Initial Access

Initial Access Brokers frequently provide entry points through VPN vulnerability exploitation (T1190), particularly targeting Fortigate firewalls that allow local authentication while bypassing MFA.

SafePay actively purchases valid credentials (T1078) from dark web marketplaces and conducts systematic password spraying attacks against exposed RDP endpoints (T1133). This multi-vector approach ensures consistent access to target networks.

Discovery

Upon gaining access, ShareFinder.ps1 PowerShell scripts automatically map network shares and enumerate valuable data repositories. Native WinAPI calls provide real-time visibility into running processes and services, enabling targeted security tool identification and evasion.

Persistence

SafePay establishes persistence through legitimate remote management tools, particularly ScreenConnect, which blends with normal administrative traffic. QDoor backdoor deployment provides redundant command and control capabilities and maintains access even if primary channels are discovered.

Defense Evasion and Privilege Escalation

Defense evasion includes disabling Windows Defender through abuse of the SystemSettingsAdminFlows.exe LOLBin without triggering alerts. Security processes and services are systematically terminated to neutralize endpoint protection. XOR string obfuscation hinders analysis, and the Cyrillic killswitch check avoids operations in CIS countries.

Additional LOLBins exploitation (T1202) leverages Regsvr32.exe for DLL execution while maintaining apparent legitimacy. CMSTPLUA COM interface exploitation provides reliable UAC bypass (T1548.002), while token impersonation with SeDebugPrivilege enables stealth privilege escalation.

Credential Access

Credential harvesting employs Mimikatz for memory-based dumping, targeting LSASS process memory, cached domain credentials, and password stores across compromised systems.

Network share enumeration and domain configuration analysis expand the credential collection scope. Specialized infostealer tools provide additional harvesting capabilities.

Command and Control

C2 infrastructure spans both Tor hidden services and innovative TON network communications. Known C2 servers include 45.91.201.247, 77.37.49.40, 80.78.28.63, and 88.119.167.239, providing redundant communication channels resistant to takedown efforts.

Lateral Movement

Lateral movement leverages RDP for network segment propagation, SMB/Admin share access for file distribution, PowerShell remoting for command execution, and legitimate administrative tool abuse.

Batch file automation accelerates deployment, while harvested credentials enable seamless authentication to VPN concentrators and remote management tools, extending the attack surface across diverse infrastructure.

Exfiltration

Data exfiltration utilizes FileZilla FTP transfers (T1048) for bulk data movement, Tor-based channels for anonymous transmission, and WinRAR compression (T1560.001) to reduce transfer sizes. ShareFinder.ps1 results guide selective targeting of high-value data, while post-exfiltration tool modification helps evade forensic detection.

Persistence Mechanisms

Persistence mechanisms include ScreenConnect RMM installation, QDoor backdoor deployment, registry modifications for autostart entries, and malicious service installation for system-level persistence.

Impact

Attacks achieve full network encryption within 24 hours, destroying both physical and virtual backup systems while causing complete operational disruption across affected organizations.

Encryption

The adaptive encryption engine selects ChaCha20 for systems lacking AES-NI instruction sets or deploys AES-CBC with hardware acceleration when available. Elliptic Curve Cryptography protects symmetric keys from recovery attempts. Per-file unique key generation prevents bulk decryption, while password-protected execution prevents accidental deployment as a distinctive operational security feature.

Extortion

Double extortion tactics combine encryption with data theft threats. Aggressive 72-hour initial deadlines create urgency, while dual leak sites on both Tor and TON networks provide redundant platforms for publishing stolen data.

Post-Encryption Impact

Post-encryption activities systematically destroy recovery options through shadow copy deletion (T1490), boot configuration modification, security log clearing, and anti-forensics script deployment. Hypervisor and virtual machine targeting extends destruction beyond physical systems, ensuring comprehensive impact.

Indicators of Compromise (IOCs)

Key indicators help identify SafePay operations within networks, particularly specific file hashes, IP addresses, and registry paths tied to the ransomware infrastructure.

File Hashes:
SHA256: a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526 (SafePay ransomware binary)
SHA256: 921df888aaabcd828a3723f4c9f5fe8b8379c6b7067d16b2ea10152300417eae (QDoor backdoor)
SHA256: 6c1d36df94ebe367823e73ba33cfb4f40756a5e8ee1e30e8f0ae55d47e220a6a (bundled DLL component)

IP Addresses:
45.91.201.247 (C2 server)
77.37.49.40 (C2 server)
80.78.28.63 (C2 server)
88.119.167.239 (QDoor C2)

Domains/URLs:
iieavvi4wtiuijas3zw4w54a5n2srnccm2fcb3jcrvbb7ap5tfphw6ad.onion (negotiation site)
qkzxzeabulbbaevqkoy2ew4nukakbi4etnnkcyo3avhwu7ih7cql4gyd.onion (payment portal)
nj5qix45sxnl4h4og6hcgwengg2oqloj3c2rhc6dpwiofx3jbivcs6qd.onion (leak site)

File Paths:
readme_safepay.txt (ransom note)
C:\ProgramData\<single digit>.bat (malicious batch files)
soc.dll (backdoor component)
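As an added example (not part of the original profile or any vendor's product), the following Python triage routine runs the file, network and process indicators listed above, together with the ShareFinder.ps1 and LOLBin behaviours described under Modus Operandi, over constructed sample telemetry. The event schema, host names and the two-indicator "high" threshold are assumptions made for the example.

```python
import re

# Indicators quoted in the profile above (C2 IPs, file names, LOLBins).
SAFEPAY_C2 = {"45.91.201.247", "77.37.49.40", "80.78.28.63", "88.119.167.239"}
BATCH_RE = re.compile(r"^c:\\programdata\\\d\.bat$", re.I)  # C:\ProgramData\<single digit>.bat
LOLBIN_RE = re.compile(r"systemsettingsadminflows\.exe|regsvr32\.exe", re.I)
FILE_NAME_HITS = {"readme_safepay.txt": "ransom_note", "soc.dll": "qdoor_dll"}

def classify_event(event: dict) -> list[str]:
    """Names of the SafePay indicators one telemetry event matches (empty if none).
    The event schema {"type": file|process|net, "host": ...} is a constructed assumption."""
    hits, kind = [], event.get("type")
    if kind == "file":
        path = event.get("path", "")
        name = path.rsplit("\\", 1)[-1].lower()
        if name in FILE_NAME_HITS:
            hits.append(FILE_NAME_HITS[name])
        if name.endswith(".safepay"):
            hits.append("encrypted_file")
        if BATCH_RE.match(path):
            hits.append("programdata_batch")
    elif kind == "process":
        cmdline = event.get("cmdline", "")
        if LOLBIN_RE.search(cmdline):
            hits.append("lolbin")  # noisy on its own: regsvr32 has legitimate uses
        if "sharefinder.ps1" in cmdline.lower():
            hits.append("sharefinder")
    elif kind == "net" and event.get("dst_ip") in SAFEPAY_C2:
        hits.append("c2_ip")
    return hits

def triage(events: list[dict]) -> dict[str, tuple[str, list[str]]]:
    """Group hits per host; two or more distinct indicators rate a host 'high'."""
    per_host: dict[str, set[str]] = {}
    for event in events:
        for hit in classify_event(event):
            per_host.setdefault(event["host"], set()).add(hit)
    return {h: ("high" if len(s) >= 2 else "low", sorted(s)) for h, s in per_host.items()}

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "cmdline": "regsvr32.exe /s C:\\Vendor\\ctl.dll"},
    {"type": "file", "host": "fs02", "path": "C:\\ProgramData\\1.bat"},
    {"type": "file", "host": "fs02", "path": "D:\\Shares\\finance\\q3.xlsx.safepay"},
    {"type": "file", "host": "fs02", "path": "D:\\Shares\\finance\\readme_safepay.txt"},
    {"type": "net", "host": "dc01", "dst_ip": "80.78.28.63"},
]
RESULT = triage(SAMPLE_EVENTS)  # fs02 -> 'high' with three distinct indicators
```

A single LOLBin or C2 hit is reported as "low" because those indicators occur in benign traffic too; the file-system indicators (ransom note, .safepay extension, single-digit batch files in ProgramData) are the ones worth paging on.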

Exploits and Vulnerabilities

SafePay actively exploits critical vulnerabilities in VPN infrastructure, particularly targeting Fortigate SSL VPN implementations. The exploitation methodology aligns with broader ransomware trends targeting vulnerable remote access systems.

Beyond specific CVEs, SafePay systematically targets configuration weaknesses including:

  • VPN authentication bypass through local authentication misconfigurations
  • Exposed management interfaces without proper access controls
  • Weak or default credentials on VPN gateways
  • Unpatched remote access systems with known vulnerabilities

Post-compromise, the group leverages legitimate remote management tools, particularly ScreenConnect and AnyDesk, to maintain persistent access while evading detection.

EXPLOITS AND VULNERABILITIES

CVE-2024-21762 (CVSS 9.8), FortiOS SSL VPN Out-of-Bounds Write: enables remote unauthenticated attackers to execute arbitrary code via specially crafted HTTP requests.

CVE-2023-27997 (CVSS 9.8), FortiOS SSL VPN Heap Buffer Overflow: pre-authentication vulnerability allowing remote code execution through heap overflow exploitation.