Critical Ransomware Deep Dive

SafePay Ransomware

Threat Hunting Guide

LOLBins-Heavy Double Extortion Ransomware with Rapid 24-Hour Attack Cycle

Active Since: September 2024
Victim Count: 270+ Organizations
Attack Cycle: 24 Hours
Hunt Duration: 4-6 Hours

Download the Complete Hunting Guide (PDF)

Includes all 10 hunt modules, MITRE ATT&CK mappings, IOCs, and response procedures.

1. Executive Summary

Critical Timing Window

  • SafePay consistently achieves full network encryption within 24 hours of initial access
  • 270+ victims since September 2024, with 73 claimed in May 2025 alone
  • Non-RaaS model results in consistent TTPs across all attacks (more detectable)
  • Heavy LOLBins usage creates multiple detection opportunities at each stage

SafePay is a rapidly emerging ransomware threat that has victimized over 270 organizations since its emergence in September 2024. Unlike most modern ransomware operations, SafePay does not operate as Ransomware-as-a-Service (RaaS), maintaining centralized control over all operations without affiliates.

Why This Matters for Defenders: SafePay's non-RaaS model results in highly consistent TTPs across all attacks, making detection signatures more reliable than typical ransomware hunts. The group's heavy reliance on Living-off-the-Land Binaries (LOLBins) creates multiple detection opportunities at each stage of the attack chain.

Security researchers assess that SafePay operators likely have connections to disbanded threat actor groups including LockBit, ALPHV (BlackCat), and INC Ransomware. The ransomware binary shares significant code with LockBit 3.0 (LockBit Black), built from the leaked source code from late 2022.

2. Hunt Modules

| # | Hunt Module | Duration | Priority |
|---|-------------|----------|----------|
| 1 | VPN/RDP Compromise Detection | 30 min | Critical |
| 2 | ShareFinder.ps1 Reconnaissance | 20 min | Critical |
| 3 | Windows Defender Tampering | 20 min | Critical |
| 4 | UAC Bypass via CMSTPLUA | 15 min | High |
| 5 | Lateral Movement (PsExec/WinRM) | 30 min | High |
| 6 | Regsvr32 DLL Execution | 15 min | Critical |
| 7 | Data Staging and Exfiltration | 30 min | High |
| 8 | Shadow Copy Deletion | 15 min | Critical |
| 9 | Process/Service Termination | 15 min | High |
| 10 | Encryption Activity Detection | 20 min | Critical |
3. Detection Rules

Each of the three rules below is given in three forms: a Splunk search (SPL), a Microsoft Defender/Sentinel advanced hunting query (KQL), and a Sigma rule.

Splunk (SPL)

ShareFinder.ps1 Network Reconnaissance

Detects PowerShell-based network share enumeration commonly used by SafePay. MITRE ATT&CK: T1135. Requires PowerShell script block logging (Event ID 4104) to be enabled on endpoints.

```spl
index=windows sourcetype=WinEventLog:Microsoft-Windows-PowerShell/Operational EventCode=4104
| search ScriptBlockText="*ShareFinder*" OR ScriptBlockText="*Invoke-ShareFinder*" OR ScriptBlockText="*Get-DomainShare*"
| table _time, ComputerName, ScriptBlockText
| head 100
```

Windows Defender Tampering

Detects attempts to disable Windows Defender via PowerShell or registry. MITRE ATT&CK: T1562.001. The sourcetype alternatives are parenthesized so the search reads unambiguously as "index=windows AND (Security OR Sysmon)".

```spl
index=windows (sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational)
| search CommandLine="*Set-MpPreference*" OR CommandLine="*DisableRealtimeMonitoring*" OR CommandLine="*DisableAntiSpyware*"
| table _time, ComputerName, User, CommandLine
```

Regsvr32 DLL Execution with Arguments

Detects regsvr32.exe executing DLLs with command-line arguments (SafePay locker pattern). MITRE ATT&CK: T1218.010. Note that process_name and CommandLine are CIM-normalized field names; on raw Security 4688 events the fields are New_Process_Name and Process_Command_Line, and on raw Sysmon events they are Image and CommandLine, so adjust the field names if your add-on does not normalize them.

```spl
index=windows (sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational)
| search process_name="regsvr32.exe" CommandLine="*.dll*"
| where match(CommandLine, "regsvr32.*\.dll\s+\S+")
| table _time, ComputerName, User, CommandLine, ParentCommandLine
```

Microsoft Defender / Sentinel (KQL)

The queries below use the Sentinel column name TimeGenerated; in the Defender XDR advanced hunting portal the equivalent column is Timestamp.

ShareFinder.ps1 Network Reconnaissance

Detects PowerShell-based network share enumeration commonly used by SafePay. MITRE ATT&CK: T1135.

```kusto
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("ShareFinder", "Invoke-ShareFinder", "Get-DomainShare", "Get-NetShare")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
```

Windows Defender Tampering

Detects attempts to disable Windows Defender via PowerShell or registry. MITRE ATT&CK: T1562.001.

```kusto
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where ProcessCommandLine has_any (
    "Set-MpPreference",
    "DisableRealtimeMonitoring",
    "DisableAntiSpyware",
    "Add-MpPreference -ExclusionPath"
)
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
```

Regsvr32 DLL Execution with Arguments

Detects regsvr32.exe executing DLLs with command-line arguments (SafePay locker pattern). MITRE ATT&CK: T1218.010.

```kusto
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where FileName =~ "regsvr32.exe"
| where ProcessCommandLine matches regex @"\.dll\s+\S+"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
```

Sigma

The Sigma specification expects the id field to be a UUID; the short ids below are as published on this page, so replace them with UUIDs before importing into tooling that validates rules.

ShareFinder.ps1 Network Reconnaissance

Detects PowerShell-based network share enumeration commonly used by SafePay. MITRE ATT&CK: T1135. The ps_script log source corresponds to PowerShell script block logging (Event ID 4104).

```yaml
title: SafePay - ShareFinder Network Reconnaissance
id: safepay-sharefinder-001
status: experimental
description: Detects ShareFinder.ps1 execution for network share discovery
author: Intruvent Technologies
logsource:
    product: windows
    category: ps_script
detection:
    selection:
        ScriptBlockText|contains:
            - ShareFinder
            - Invoke-ShareFinder
            - Get-DomainShare
            - Get-NetShare
    condition: selection
level: high
tags:
    - attack.discovery
    - attack.t1135
```

Windows Defender Tampering

Detects attempts to disable Windows Defender via PowerShell or registry. MITRE ATT&CK: T1562.001.

```yaml
title: SafePay - Windows Defender Tampering
id: safepay-defender-001
status: experimental
description: Detects Windows Defender manipulation via PowerShell
author: Intruvent Technologies
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - Set-MpPreference
            - DisableRealtimeMonitoring
            - DisableAntiSpyware
            - Add-MpPreference -ExclusionPath
    condition: selection
level: critical
tags:
    - attack.defense_evasion
    - attack.t1562.001
```

Regsvr32 DLL Execution with Arguments

Detects regsvr32.exe executing DLLs with command-line arguments (SafePay locker pattern). MITRE ATT&CK: T1218.010. Both selection fields must match (Sigma ANDs the fields of one selection).

```yaml
title: SafePay - Regsvr32 DLL Execution with Arguments
id: safepay-regsvr32-001
status: experimental
description: Detects regsvr32 executing DLL with arguments (ransomware pattern)
author: Intruvent Technologies
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\regsvr32.exe'
        CommandLine|re: '\.dll\s+\S+'
    condition: selection
level: critical
tags:
    - attack.defense_evasion
    - attack.t1218.010
```
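The three Sigma selections above (ShareFinder reconnaissance, Defender tampering, regsvr32 with arguments) can be checked against sample telemetry before they are deployed. The following is an added example, not code from the page or from Intruvent Technologies: it implements the Sigma `contains`, `endswith` and `re` modifiers with their standard semantics (contains and endswith case-insensitive, re case-sensitive, fields of one selection ANDed) and runs the page's three selections over constructed Windows process and script-block events. The hostnames, paths and argument strings in SAMPLE_EVENTS are made up for the example.

```python
"""Evaluate the page's three SafePay Sigma-style selections against
constructed Windows process/script events (added example)."""
import re

# Rule bodies mirror the Sigma selections on the page.
RULES = [
    {
        "title": "SafePay - ShareFinder Network Reconnaissance",
        "technique": "T1135",
        "selection": {
            "ScriptBlockText|contains": [
                "ShareFinder", "Invoke-ShareFinder", "Get-DomainShare", "Get-NetShare",
            ],
        },
    },
    {
        "title": "SafePay - Windows Defender Tampering",
        "technique": "T1562.001",
        "selection": {
            "CommandLine|contains": [
                "Set-MpPreference", "DisableRealtimeMonitoring",
                "DisableAntiSpyware", "Add-MpPreference -ExclusionPath",
            ],
        },
    },
    {
        "title": "SafePay - Regsvr32 DLL Execution with Arguments",
        "technique": "T1218.010",
        "selection": {
            "Image|endswith": [r"\regsvr32.exe"],
            "CommandLine|re": [r"\.dll\s+\S+"],
        },
    },
]


def field_matches(event, field, modifier, values):
    """True if event[field] satisfies any value under the given Sigma modifier."""
    actual = event.get(field)
    if actual is None:            # a missing field never matches, as in Sigma
        return False
    if modifier == "contains":    # case-insensitive substring
        return any(v.lower() in actual.lower() for v in values)
    if modifier == "endswith":    # case-insensitive suffix
        return any(actual.lower().endswith(v.lower()) for v in values)
    if modifier == "re":          # case-sensitive regex search
        return any(re.search(v, actual) is not None for v in values)
    if modifier == "":            # bare field: case-insensitive equality
        return any(actual.lower() == v.lower() for v in values)
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(event, selection):
    """Sigma semantics: every key in a selection must match (AND);
    a list of values under one key is OR."""
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        if isinstance(values, str):
            values = [values]
        if not field_matches(event, field, modifier, values):
            return False
    return True


def evaluate(events, rules=RULES):
    """Return (host, technique, title) for every rule each event triggers."""
    hits = []
    for event in events:
        for rule in rules:
            if selection_matches(event, rule["selection"]):
                hits.append((event["host"], rule["technique"], rule["title"]))
    return hits


# Constructed sample events; hostnames, paths and arguments are made up.
SAMPLE_EVENTS = [
    # PowerShell 4104 script block running the share enumeration tool -> T1135
    {"host": "WS01", "ScriptBlockText": "Import-Module .\\ShareFinder.ps1; Invoke-ShareFinder"},
    # Defender real-time protection switched off via PowerShell -> T1562.001
    {"host": "WS02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    # Same technique typed in lowercase; 'contains' is case-insensitive -> T1562.001
    {"host": "WS03", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell add-mppreference -exclusionpath C:\constructed"},
    # regsvr32 loading a DLL followed by an extra argument -> T1218.010
    {"host": "SRV01", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe C:\ProgramData\locker.dll constructed-argument"},
    # Benign: silent registration with nothing after the DLL path -> no hit
    {"host": "WS04", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\example.dll"},
    # Benign: reading Defender preferences, not changing them -> no hit
    {"host": "WS05", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-MpPreference"},
]

if __name__ == "__main__":
    for host, technique, title in evaluate(SAMPLE_EVENTS):
        print(f"{host}\t{technique}\t{title}")
```

Running it yields four hits (WS01, WS02, WS03, SRV01) and none for the two benign events; the WS04 case shows why the `\.dll\s+\S+` regex, rather than a plain match on regsvr32.exe, is what separates the locker pattern from ordinary silent DLL registration.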

Need More Detection Rules?

The full guide includes 25+ additional detection signatures covering all attack phases.


Disclaimer: These detection rules are provided for defensive security purposes. Always test rules in a non-production environment before deployment. Rules may require tuning based on your specific environment and baseline activity.

4. Key Indicators

File Artifacts

| Indicator | Type | Context |
|-----------|------|---------|
| readme_safepay.txt | Ransom Note | Dropped in encrypted directories |
| .safepay | File Extension | Applied to encrypted files |
| locker.dll | Ransomware Binary | Executed via regsvr32.exe |
| ShareFinder.ps1 | Discovery Tool | Network share enumeration |

Tools Used

| Tool | Purpose |
|------|---------|
| ShareFinder.ps1 | Network share discovery |
| PsExec | Lateral movement and remote execution |
| WinRAR / 7-Zip | Data staging for exfiltration |
| FileZilla / Rclone | Data exfiltration |
| ScreenConnect | Persistent remote access |

Key MITRE ATT&CK Techniques

| Technique ID | Name | SafePay Usage |
|--------------|------|---------------|
| T1218.010 | Regsvr32 | Ransomware DLL execution |
| T1548.002 | Bypass UAC | CMSTPLUA privilege escalation |
| T1562.001 | Disable Security | Windows Defender tampering |
| T1490 | Inhibit Recovery | Shadow copy deletion |
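The two file artifacts in the table (the readme_safepay.txt ransom note and the .safepay extension appended to encrypted files) are what a responder looks for first when scoping an affected share or host. The following is an added example, not a tool from the page or from Intruvent Technologies: it walks a directory tree, collects encrypted files and ransom notes case-insensitively (NTFS is case-insensitive), lists affected directories, flags encrypted directories where no note was dropped, and recovers the original file types from the name under the appended extension. The directory layout that build_sample_tree() creates is constructed for this example, not data from a real incident.

```python
"""Filesystem triage for the SafePay file artifacts listed above (added example)."""
import tempfile
from pathlib import Path

RANSOM_NOTE = "readme_safepay.txt"   # ransom note name from the page
ENCRYPTED_EXT = ".safepay"           # extension appended to encrypted files


def scan_tree(root):
    """Walk root and collect encrypted files, ransom notes and affected directories."""
    root = Path(root)
    encrypted, notes = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() == RANSOM_NOTE:
            notes.append(path)
        elif path.suffix.lower() == ENCRYPTED_EXT:
            encrypted.append(path)
    dirs_with_encrypted = {p.parent for p in encrypted}
    dirs_with_note = {p.parent for p in notes}
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "affected_dirs": sorted(dirs_with_encrypted | dirs_with_note),
        # encrypted directories where the note is absent (never dropped, or removed)
        "note_missing_dirs": sorted(dirs_with_encrypted - dirs_with_note),
        # original types: "report.docx.safepay" -> stem "report.docx" -> ".docx"
        "original_types": sorted({Path(p.stem).suffix.lower() for p in encrypted}),
    }


def summarize(result):
    """Counts a responder would report in a first triage update."""
    return {
        "encrypted_files": len(result["encrypted"]),
        "ransom_notes": len(result["notes"]),
        "affected_directories": len(result["affected_dirs"]),
        "note_missing_directories": len(result["note_missing_dirs"]),
        "original_types": result["original_types"],
    }


def build_sample_tree(base):
    """Constructed layout for the example; not data from a real incident."""
    base = Path(base)
    files = {
        "docs/report.docx.safepay": b"constructed ciphertext",
        "docs/readme_safepay.txt": b"constructed note",
        "finance/q1.xlsx.SAFEPAY": b"constructed ciphertext",      # uppercase extension
        "finance/readme_safepay.txt": b"constructed note",
        "finance/archive/old.pdf.safepay": b"constructed ciphertext",  # no note here
        "shared/clean.txt": b"untouched",
        "shared/readme_safepay.txt.bak": b"not a note",               # must not match
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo():
    """Build the sample tree in a temporary directory, scan it, return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(scan_tree(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the sample tree the summary reports 3 encrypted files of types .docx, .pdf and .xlsx, 2 ransom notes, 3 affected directories and 1 encrypted directory without a note; the .bak file and the uppercase extension exercise the case-insensitive, exact-name matching. To use it on a real volume, call scan_tree() on the mounted path instead of demo().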

Track SafePay with BRACE

BRACE delivers monthly sector-specific threat intelligence covering ransomware groups like SafePay with detection rules and hunting playbooks.
