SafePay Ransomware
SafePay is an emerging double-extortion ransomware operation known for its LOLBins-heavy attack methodology and rapid 24-hour attack cycle from initial access to encryption. Unlike most modern ransomware, SafePay does NOT operate as RaaS, maintaining centralized control with consistent TTPs across all attacks.
Critical Timing Window
SafePay consistently achieves full network encryption within 24 hours of initial access. Rapid detection and response is essential—if initial access indicators are detected, assume the clock is already running.
SafePay is a rapidly emerging ransomware threat that has victimized over 270 organizations since its emergence in September 2024, with 73 victims claimed in May 2025 alone. Unlike most modern ransomware operations, SafePay does not operate as Ransomware-as-a-Service (RaaS), maintaining centralized control over all operations without affiliates.
Why This Matters for Defenders: SafePay's non-RaaS model results in highly consistent TTPs across all attacks, making detection signatures more reliable than typical ransomware hunts. The group's heavy reliance on Living-off-the-Land Binaries (LOLBins) creates multiple detection opportunities at each stage of the attack chain.
Key Characteristics
Threat Actor Intelligence
| Attribute | Value |
|---|---|
| Attribution | Eastern Europe (CIS exclusion) |
| First Observed | September 2024 |
| Motivation | Financial (criminal) |
| Skill Level | High / Advanced |
| Operating Model | Non-RaaS (centralized) |
| Code Lineage | LockBit 3.0 (leaked source) |
Geographic Focus: Primary targets include United States, Germany (20% of victims), United Kingdom, Canada, and Mexico. The disproportionate focus on German organizations is unusual and may indicate specific operational interest or language capabilities.
SafePay's attack chain is characterized by speed and efficiency. The group consistently moves from initial access to full network encryption in under 24 hours.
Phase 1: Initial Access
- VPN logins with stolen credentials where MFA is not enforced, or abuse of RDP access
- Fortinet firewall misconfiguration abuse
- Social engineering via Microsoft Teams (impersonating IT)
Phase 2: Discovery & Defense Evasion
- ShareFinder.ps1 / Invoke-ShareFinder for network share enumeration
- Windows Defender disabled via LOLBins and registry manipulation
- CMSTPLUA UAC bypass for privilege escalation
Phase 3: Lateral Movement
- PsExec for remote execution across network
- WinRM / PowerShell remoting
- RDP for interactive access to critical systems
- ScreenConnect / RMM tool installation for persistence
Phase 4: Data Exfiltration
- WinRAR / 7-Zip for data compression with exclusions
- FileZilla FTP transfers to external servers
- Rclone for cloud storage exfiltration
- RDP clipboard for smaller data theft
Phase 5: Impact
- Shadow copy deletion (vssadmin, wmic)
- 33+ processes and 13+ services terminated
- Regsvr32.exe executes locker.dll with 32-byte key
- ChaCha20 encryption, .safepay extension, readme_safepay.txt dropped
SafePay leverages a comprehensive set of techniques across the attack lifecycle. Their non-RaaS model results in highly consistent TTPs.
The complete threat hunting guide includes 10 detailed hunt modules covering the full SafePay attack chain, with Splunk, KQL, and PowerShell queries for each module.
SafePay's heavy reliance on LOLBins provides multiple detection opportunities throughout the attack chain:
| Detection opportunity | Signal |
|---|---|
| Regsvr32 with long arguments | Process creation: regsvr32.exe with a command line longer than 60 characters that references a .dll; indicates ransomware deployment |
| ShareFinder.ps1 | PowerShell script block logging containing Invoke-ShareFinder or Find-DomainShare |
| Defender tampering | Registry modifications under HKLM\SOFTWARE\Microsoft\Windows Defender\* or use of Set-MpPreference cmdlets |
| Shadow copy deletion | Process creation: vssadmin delete shadows or wmic shadowcopy delete |
| CMSTPLUA UAC bypass | Registry modification under HKCU\...\{3E5FC7F9-9A51-4367-9063-A120244FBEC7} |
| .safepay extension | A high volume of file renames to the .safepay extension indicates active encryption |
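The six signals above, implemented as a single pass over a batch of constructed Sysmon-style events (process creation, registry modification, PowerShell script block, file rename). This is an added example written for this page, not a query from the hunt guide; the event field names, the regsvr32 argument layout used in the sample batch, and the cut-off of 50 renames per host for a "high volume" burst are assumptions.

```python
"""Behavioural detections for the SafePay LOLBin chain over constructed Sysmon-style
events. Added example for this page; event field names and thresholds are assumptions."""
import re
from collections import Counter

CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"    # CLSID from the page
DEFENDER_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender"  # key prefix from the page
SHAREFINDER = re.compile(r"Invoke-ShareFinder|Find-DomainShare", re.I)
RENAME_THRESHOLD = 50   # assumed cut-off for a "high volume" .safepay rename burst per host


def detect(events):
    """Return (rule, host, evidence) tuples for a batch of event dicts.

    Event shapes are assumed, loosely modelled on Sysmon 1/13/11 and PowerShell 4104:
    process{image,cmdline}, registry{key}, scriptblock{text}, rename{target}.
    """
    hits = []
    renames = Counter()
    for ev in events:
        host, kind = ev.get("host", "?"), ev.get("type")
        if kind == "process":
            image = ev["image"].lower()
            cmd = ev.get("cmdline", "")
            low = cmd.lower()
            # regsvr32 with an unusually long command line that names a DLL
            if image.endswith("regsvr32.exe") and len(cmd) > 60 and ".dll" in low:
                hits.append(("regsvr32_long_dll", host, cmd))
            # vssadmin delete shadows / wmic shadowcopy delete
            if (image.endswith("vssadmin.exe") and "delete" in low and "shadows" in low) or (
                image.endswith("wmic.exe") and "shadowcopy" in low and "delete" in low
            ):
                hits.append(("shadow_copy_deletion", host, cmd))
            # Defender tampering through the Set-MpPreference cmdlet
            if image.endswith(("powershell.exe", "pwsh.exe")) and "set-mppreference" in low:
                hits.append(("defender_tamper_cmdlet", host, cmd))
        elif kind == "scriptblock":
            m = SHAREFINDER.search(ev["text"])
            if m:
                hits.append(("sharefinder", host, m.group(0)))
        elif kind == "registry":
            key = ev["key"]
            up = key.upper()
            if up.startswith(DEFENDER_KEY.upper()):
                hits.append(("defender_tamper_registry", host, key))
            if up.startswith("HKCU") and CMSTPLUA_CLSID in up:
                hits.append(("cmstplua_uac_bypass", host, key))
        elif kind == "rename" and ev["target"].lower().endswith(".safepay"):
            renames[host] += 1
    # Rename burst is scored per host once the whole batch has been seen
    for host, n in renames.items():
        if n >= RENAME_THRESHOLD:
            hits.append(("safepay_rename_burst", host, f"{n} renames to .safepay"))
    return hits


# Constructed sample batch: one trigger per detection plus benign look-alikes.
# The regsvr32 argument layout is an assumption, not SafePay's real command line.
SAMPLE_EVENTS = [
    {"type": "process", "host": "DC01", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /i:" + "0123456789abcdef" * 4 + r" C:\locker.dll"},
    {"type": "process", "host": "WS07", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},          # benign: short
    {"type": "process", "host": "DC01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "host": "FS01", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"type": "process", "host": "FS01", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic os get caption"},                                        # benign
    {"type": "process", "host": "WS07",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "scriptblock", "host": "WS07", "text": "Invoke-ShareFinder -CheckShareAccess"},
    {"type": "scriptblock", "host": "WS07", "text": "Get-ChildItem \\\\fs01\\share"},      # benign
    {"type": "registry", "host": "WS07",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection"},
    {"type": "registry", "host": "WS07",
     "key": r"HKCU\Software\Classes\CLSID\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
] + [{"type": "rename", "host": "FS01", "target": rf"\\fs01\share\doc{i}.docx.safepay"}
     for i in range(60)] + [
    {"type": "rename", "host": "WS07", "target": r"C:\Users\a\report.docx.safepay"},  # below threshold
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, host, evidence in run_sample():
        print(f"{rule:26s} {host:5s} {evidence}")
```

Run the file directly to print the hits from the sample batch. In production the same function should be fed a time-windowed slice of events so that the rename counter reflects a burst rather than a day's normal activity, and the shadow-copy and Defender rules should be correlated with the regsvr32 and rename signals on the same host, since on their own they also fire on legitimate administration.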
MSP Supply Chain Risk
SafePay has been linked to the Ingram Micro breach affecting thousands of MSP partners. If your organization uses MSP services, investigate any RMM tool sessions or administrative access from MSP infrastructure.
File Indicators
| Type | Value | Context |
|---|---|---|
| SHA256 | a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526 | SafePay binary |
| SHA256 | 327b8b61eb446cc4f710771e44484f62b804ae3d262b57a56575053e2df67917 | SafePay binary |
| SHA256 | fd509df74a8d6a9e96762337efd46280ebf8d154c6c5dfbac7b3e8f7bb61f191 | SafePay binary |
| SHA256 | 625abbf876f256662f33a88c122bf787edf74b882c35adbd61562b5bd1b2ac27 | SafePay binary |
Network Indicators
| Type | Value | Context |
|---|---|---|
| IPv4 | 45.91.201.247 | C2 server |
| IPv4 | 77.37.49.40 | C2 server |
| IPv4 | 80.78.28.63 | C2 server |
| Onion | nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion | Victim portal |
| Email | VanessaCooke94@protonmail.com | Contact in ransom notes |
File System Indicators
| Indicator | Value |
|---|---|
| Encrypted file extension | .safepay |
| Ransom note filename | readme_safepay.txt |
| Common DLL location | C:\locker.dll |
| Registry autorun value | 6F22-C16F-0C71-688A |
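A sweep over the three indicator tables above (file hashes, C2 addresses, victim portal and contact address, and the file-system artefacts) against a constructed batch of endpoint and network records. This is an added example, not the guide's IOC list; the record field names are assumptions, and because the page gives the registry autorun value only as an identifier, it is matched as either a value name or value data.

```python
"""Sweep for the SafePay indicators tabulated on this page over a constructed batch of
endpoint and network records. Added example; record field names are assumptions."""

# Indicators copied from the tables above (hashes and paths compared case-insensitively)
SAFEPAY_SHA256 = {
    "a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526",
    "327b8b61eb446cc4f710771e44484f62b804ae3d262b57a56575053e2df67917",
    "fd509df74a8d6a9e96762337efd46280ebf8d154c6c5dfbac7b3e8f7bb61f191",
    "625abbf876f256662f33a88c122bf787edf74b882c35adbd61562b5bd1b2ac27",
}
SAFEPAY_C2 = {"45.91.201.247", "77.37.49.40", "80.78.28.63"}
SAFEPAY_ONION = "nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion"
SAFEPAY_EMAIL = "vanessacooke94@protonmail.com"
RANSOM_NOTE = "readme_safepay.txt"
LOCKER_PATH = r"c:\locker.dll"
AUTORUN_VALUE = "6f22-c16f-0c71-688a"
EXT = ".safepay"


def sweep(records):
    """Return (indicator, matched_value, record_id) for every record that hits an IOC.

    Record kinds (assumed): file{sha256,path}, netconn{dst_ip}, registry{name,data},
    text{body} for ransom-note contents or proxy logs.
    """
    out = []
    for rec in records:
        rid, kind = rec["id"], rec["kind"]
        if kind == "file":
            h = rec.get("sha256", "").lower()
            path = rec.get("path", "").lower()
            name = path.rsplit("\\", 1)[-1]
            if h in SAFEPAY_SHA256:
                out.append(("sha256", h, rid))
            if path == LOCKER_PATH:
                out.append(("locker_path", rec["path"], rid))
            if name == RANSOM_NOTE:
                out.append(("ransom_note", rec["path"], rid))
            if name.endswith(EXT):
                out.append(("encrypted_extension", rec["path"], rid))
        elif kind == "netconn":
            if rec.get("dst_ip") in SAFEPAY_C2:
                out.append(("c2_ip", rec["dst_ip"], rid))
        elif kind == "registry":
            # The page lists the autorun value as a bare identifier, so match name or data
            for field in ("name", "data"):
                if rec.get(field, "").lower() == AUTORUN_VALUE:
                    out.append(("autorun_value", rec[field], rid))
                    break
        elif kind == "text":
            body = rec["body"].lower()
            if SAFEPAY_ONION in body:
                out.append(("victim_portal", SAFEPAY_ONION, rid))
            if SAFEPAY_EMAIL in body:
                out.append(("contact_email", SAFEPAY_EMAIL, rid))
    return out


# Constructed sample records: each indicator type hit once, plus benign entries
SAMPLE_RECORDS = [
    {"id": "f1", "kind": "file", "path": r"C:\locker.dll",
     "sha256": "A0DC80A37EB7E2716C02A94ADC8DF9BAEDEC192A77BDE31669FAED228D9FF526"},
    {"id": "f2", "kind": "file", "path": r"C:\Windows\System32\kernel32.dll", "sha256": "0" * 64},
    {"id": "f3", "kind": "file", "path": r"D:\Finance\Q2\readme_safepay.txt", "sha256": "1" * 64},
    {"id": "f4", "kind": "file", "path": r"D:\Finance\Q2\budget.xlsx.safepay", "sha256": "2" * 64},
    {"id": "n1", "kind": "netconn", "dst_ip": "77.37.49.40"},
    {"id": "n2", "kind": "netconn", "dst_ip": "10.0.0.5"},
    {"id": "r1", "kind": "registry", "name": "6F22-C16F-0C71-688A", "data": r"C:\locker.dll"},
    {"id": "t1", "kind": "text",
     "body": "Your files are encrypted. Contact VanessaCooke94@protonmail.com "
             f"or visit http://{SAFEPAY_ONION}/"},
]


def run_sample():
    return sweep(SAMPLE_RECORDS)


if __name__ == "__main__":
    for indicator, value, rid in run_sample():
        print(f"{rid:4s} {indicator:20s} {value}")
```

Hash and C2 matches are the strongest signals here; the extension and ransom-note matches confirm encryption has already started, and the C:\locker.dll path and autorun value are worth checking on every host that the behavioural rules flagged, since the sample was dropped before the regsvr32 launch.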
Track SafePay with BRACE
BRACE delivers monthly sector-specific threat intelligence covering SafePay activity, including:
- SafePay campaign analysis and victim tracking
- Detection rules for LOLBins abuse and lateral movement
- MITRE ATT&CK mappings for ransomware TTPs
- Sector-specific threat hunting playbooks