SafePay ransomware, first seen in 2024, rose rapidly in 2025 to become a highly active and dangerous threat, claiming more than 200 victims worldwide, including managed service providers (MSPs) and SMBs. Its operators disable endpoint protection, collect data from network shares and exfiltrate it, and encrypt files with per-file AES keys that are in turn wrapped with RSA; the code shares many traits with the LockBit ransomware family. #SafePay #LockBit #IngramMicro
Key points
- SafePay ransomware appeared in 2024 and has since attacked more than 200 victims globally, focusing on MSPs and SMBs.
- The group operates with centralized control rather than the typical ransomware-as-a-service affiliate model.
- SafePay shares multiple technical similarities with the LockBit ransomware family, including encrypted strings, use of XOR decryption loops, and certain system language checks.
- Initial access is primarily over RDP: with stolen credentials the attackers log in, disable Windows Defender, and upload their tooling.
- The attackers run the PowerShell script ‘ShareFinder.ps1’ to enumerate reachable network shares, archive the collected data with WinRAR, and use a FileZilla client to exfiltrate the archives to their server.
- Before encrypting, SafePay disables security services and stops or kills numerous processes and services belonging to databases, email clients, and backup software, so that files those programs hold open can be encrypted.
- Files are encrypted with AES, the AES key is encrypted with RSA, and the ‘.safepay’ extension is appended to each encrypted file. The sample refuses to run unless a password is supplied as a command-line argument.
MITRE Techniques
- [T1078] Valid Accounts – SafePay gains initial access by logging in over RDP (and VPN) with valid, stolen credentials; the exposed remote service itself falls under [T1133] External Remote Services. (‘SafePay ransomware was delivered to the victims using RDP connections.’)
- [T1059] Command and Scripting Interpreter – Execution of PowerShell script ‘ShareFinder.ps1’ to find network shares. (‘…executed ‘ShareFinder.ps1’ script, which finds all available network shares…’)
- [T1105] Ingress Tool Transfer – WinRAR and a FileZilla client are brought onto the compromised host. (‘WinRAR.exe … after archiving files, a FileZilla client was deployed to exfiltrate files to the C2 server.’)
- [T1560.001] Archive Collected Data: Archive via Utility – WinRAR is used to archive the collected data before it leaves the network. (‘WinRAR.exe … after archiving files…’)
- [T1048] Exfiltration Over Alternative Protocol – FileZilla (FTP) is used to send the archives to the attacker-controlled server, rather than the ransomware's own C2 channel. (‘…a FileZilla client was deployed to exfiltrate files to the C2 server.’)
- [T1562.001] Impair Defenses: Disable or Modify Tools – Windows Defender is disabled and security-related services are stopped through the ControlService API. (‘…disable Windows Defender and uploaded files…’; ‘terminates services using the ‘ControlService’ function…’)
- [T1489] Service Stop – Database, email, and backup services are stopped before encryption so their files are no longer locked. (‘terminates services using the ‘ControlService’ function…’)
- [T1486] Data Encrypted for Impact – Encrypting victim files using AES keys wrapped with RSA and renaming with .safepay extension. (‘…AES key will be encrypted using the RSA algorithm… finally renames the file, appending the ‘.safepay’ extension to it.’)
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Creates a value under ‘Software\Microsoft\Windows\CurrentVersion\Run’ holding the command line that launched the sample, so it restarts at logon. (‘…creates a new key with a command that was used to execute the sample…’) Note: T1543 (Create or Modify System Process) covers services and daemons, not Run keys.
- [T1134] Access Token Manipulation – Attempts to obtain ‘SeDebugPrivilege’ to manipulate processes. (‘Next, the sample tries to obtain ‘SeDebugPrivilege’…’)
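The key points and the MITRE mapping above describe a chain (share discovery, WinRAR archiving, FileZilla exfiltration, service stopping, Run-key persistence, .safepay renames) in which no single step is conclusive but the combination is. The following is an added example, written for this page and not code from the Acronis post or from SafePay itself: a small correlator that scores hosts over EDR/Sysmon-style telemetry. The event schema (fields host, type, image, cmdline, dst_port, service, key, path, sha256), the service-name hints, and the sample events are assumptions constructed for the example; the only values taken from the page are the ShareFinder.ps1, WinRAR and FileZilla names, the Run key path, the .safepay extension, and the sample hash from the IOC list.

```python
import re
from collections import defaultdict

# SHA256 of the SafePay sample from the Indicators of Compromise section.
SAFEPAY_SHA256 = "a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526"

# Substrings of service names for the database / mail / backup services the
# post says SafePay stops before encrypting.  ASSUMPTION: the post gives no
# list, so these hints are illustrative; derive them from your own estate.
TARGET_SERVICE_HINTS = ("sql", "exchange", "veeam", "backup", "postgres")

# Run key path from the persistence finding (case-insensitive, any hive).
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


def _img(e):
    return e.get("image", "").lower()


def _cmd(e):
    return e.get("cmdline", "").lower()


# One predicate per stage of the chain.  Each is deliberately narrow; the
# signal comes from correlating several of them on the same host.
def is_share_discovery(e):
    return e["type"] == "process" and "powershell" in _img(e) and "sharefinder.ps1" in _cmd(e)


def is_archiving(e):
    return e["type"] == "process" and _img(e).endswith(("winrar.exe", "rar.exe"))


def is_ftp_exfil(e):
    # FileZilla connecting to a remote FTP/FTPS port.  ASSUMPTION: port-based check.
    return e["type"] == "network" and "filezilla" in _img(e) and e.get("dst_port") in (21, 990)


def is_defense_impair(e):
    # A protected service stopped (the post: via ControlService), or Defender
    # real-time protection switched off from PowerShell.
    if e["type"] == "service":
        svc = e.get("service", "").lower()
        return e.get("action") == "stopped" and any(h in svc for h in TARGET_SERVICE_HINTS)
    return e["type"] == "process" and "set-mppreference" in _cmd(e) and "disablerealtimemonitoring" in _cmd(e)


def is_run_key_persistence(e):
    return e["type"] == "registry" and bool(RUN_KEY.search(e.get("key", "")))


def is_safepay_extension(e):
    return e["type"] == "file" and e.get("path", "").lower().endswith(".safepay")


def is_known_sample(e):
    return e["type"] == "process" and e.get("sha256", "").lower() == SAFEPAY_SHA256


STAGES = [
    ("share_discovery", is_share_discovery),
    ("archiving", is_archiving),
    ("ftp_exfil", is_ftp_exfil),
    ("defense_impair", is_defense_impair),
    ("run_key_persistence", is_run_key_persistence),
    ("safepay_extension", is_safepay_extension),
    ("known_sample_hash", is_known_sample),
]

# Stages that justify an alert on their own.
CONCLUSIVE = {"safepay_extension", "known_sample_hash"}


def classify(event):
    """Names of every stage a single event matches (usually zero or one)."""
    return [name for name, pred in STAGES if pred(event)]


def correlate(events, min_stages=2):
    """Group stage hits per host; return {host: sorted stages} for hosts that
    show a conclusive stage or at least `min_stages` distinct stages.
    Archiving alone (an admin using WinRAR) must not page anyone."""
    per_host = defaultdict(set)
    for e in sorted(events, key=lambda x: x["ts"]):
        per_host[e["host"]].update(classify(e))
    return {h: sorted(s) for h, s in per_host.items() if s & CONCLUSIVE or len(s) >= min_stages}


# Constructed telemetry for the example (not real logs).  SRV01 shows the
# full chain; WS42 is an administrator legitimately extracting an archive.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "SRV01", "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ep bypass -File C:\Users\Public\ShareFinder.ps1"},
    {"ts": 2, "host": "SRV01", "type": "process", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"WinRAR.exe a -r C:\Users\Public\out.rar \\FS01\finance"},
    {"ts": 3, "host": "SRV01", "type": "network", "image": r"C:\Users\Public\filezilla.exe",
     "dst_ip": "203.0.113.10", "dst_port": 21},
    {"ts": 4, "host": "SRV01", "type": "service", "service": "VeeamBackupSvc", "action": "stopped"},
    {"ts": 5, "host": "SRV01", "type": "process", "image": r"C:\Users\Public\svc.exe",
     "cmdline": r"C:\Users\Public\svc.exe", "sha256": SAFEPAY_SHA256},
    {"ts": 6, "host": "SRV01", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc", "value": r"C:\Users\Public\svc.exe"},
    {"ts": 7, "host": "SRV01", "type": "file", "path": r"\\FS01\finance\Q3-forecast.xlsx.safepay"},
    {"ts": 8, "host": "WS42", "type": "process", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": "WinRAR.exe x photos.rar"},
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

Run as-is it alerts on SRV01 with all seven stages and stays silent on WS42. The two conclusive stages are kept separate on purpose: the hash only catches this one build, while the .safepay rename fires too late to prevent impact, so the value of the detector lies in the earlier, individually noisy stages being correlated per host within a short window (here the whole sample; in production, bound the window).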
Indicators of Compromise
- [File Hash] SafePay ransomware sample – SHA256: a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526
- [URL] Command and control – http://nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion
- [Email] Threat actor contact – [email protected]
Read more: https://www.acronis.com/en-us/tru/posts/safepay-ransomware-the-fast-rising-threat-targeting-msps/