SafePay emerged in late 2024 as a centralized, closed ransomware group that escalated rapidly into a global threat. It practises double extortion: stealing financial and intellectual property data, then pressuring victims via a Tor data leak site. Its tooling centres on a modular Windows PE32 DLL payload and combines compromised credentials, backdoors (e.g., QDoor), PowerShell discovery scripts, LOLBins (PsExec, regsvr32/rundll32), archiving and exfiltration tools (WinRAR, FileZilla, Rclone), defense evasion (killing AV/backup services, deleting Volume Shadow Copies, modifying boot settings), and a Cyrillic-language kill switch. #SafePay #QDoor
Keypoints
- SafePay is a centralized, closed ransomware group (not RaaS) that tightly controls infrastructure, negotiations, and profits to reduce OPSEC risks and leaks.
- The group uses double extortion: exfiltrating sensitive data (financial records, IP) before encrypting systems and publishing non-paying victims on a Tor leak site.
- Attacks are rapid, often moving from initial access to encryption within 24 hours, using a modular Windows PE32 DLL payload.
- Initial access is commonly via compromised credentials purchased or brute-forced to access VPN gateways, RDP servers, or misconfigured FortiGate devices lacking MFA.
- Lateral movement and discovery leverage PowerShell (ShareFinder.ps1), LOLBins and admin tools such as PsExec and WinRM to enumerate assets and deploy payloads.
- Defense evasion includes terminating AV/database/backup processes and services, deleting Volume Shadow Copies, modifying boot recovery settings, and UAC bypass via CMSTPLUA.
- Data is archived (WinRAR) and exfiltrated (FileZilla, Rclone, 7-Zip); encryption uses AES or ChaCha20 with per-file symmetric keys protected by RSA or x25519; encrypted files are given a .safepay extension.
MITRE Techniques
- [T1078] Valid Accounts – Compromised or purchased credentials used to access VPN gateways and RDP servers (‘compromised credentials… used to exploit valid accounts on VPN gateways, Remote Desktop Protocol (RDP) servers, and other edge devices’).
- [T1110] Brute Force – Credentials also obtained via brute-force attacks (‘obtained via brute-force attacks’).
- [T1133] External Remote Services – Abuse of remote access services and gateways for initial access (‘used to exploit valid accounts on VPN gateways, Remote Desktop Protocol (RDP) servers, and other edge devices’).
- [T1021] Remote Services – Lateral movement using PsExec and WinRM to execute commands on remote hosts (‘leverages PsExec and WinRM to execute commands on remote systems’).
- [T1059.001] PowerShell – Discovery via PowerShell scripts such as ShareFinder.ps1/Invoke-ShareFinder for network and share enumeration (‘an observed tool is ShareFinder.ps1 (specifically the Invoke-ShareFinder command)’).
- [T1218] Signed Binary Proxy Execution – DLL payloads executed through signed Windows binaries like regsvr32.exe and rundll32.exe to run malicious code (‘The ransomware payload is often a DLL executed via regsvr32.exe or rundll32.exe’).
- [T1548.002] Abuse Elevation Control Mechanism: CMSTPLUA – UAC bypass using the CMSTPLUA COM interface to elevate privileges (‘may attempt to bypass User Account Control (UAC) using the CMSTPLUA COM interface to elevate privileges’).
- [T1562.001] Disable or Modify Tools (Impair Defenses) – Terminating processes and services related to antivirus, databases, and backup solutions to neutralize defenses (‘terminating processes associated with antivirus software, databases, and backup solutions’).
- [T1490] Inhibit System Recovery – Deleting Volume Shadow Copies and modifying boot configuration to prevent system recovery (‘vssadmin delete shadows /all /quiet … bcdedit /set {default} recoveryenabled no’).
- [T1560] Archive Collected Data – Archiving targeted file types with WinRAR using exclusion arguments prior to exfiltration (‘Data is archived using WinRAR … WinRAR.exe a -v5g -ed -r …’).
- [T1567.002] Exfiltration to Cloud Storage (and external services) – Use of tools such as FileZilla, Rclone, and 7-Zip to stage and transfer stolen data (‘Tools such as FileZilla, Rclone, and 7-Zip have been observed during this phase’).
- [T1486] Data Encrypted for Impact – Encrypting files using AES or ChaCha20 with per-file symmetric keys and appending encrypted key metadata, then renaming files with a .safepay extension (‘Files are encrypted using the AES or ChaCha20 algorithm … Encrypted files receive the .safepay extension’).
Indicators of Compromise
- [File/Script Names] discovery and execution artifacts – ShareFinder.ps1 (Invoke-ShareFinder) used for share discovery; C:[redacted].rar referenced as an archive target.
- [File Extensions] encrypted file marker – .safepay used to mark encrypted files.
- [Executables/LOLBins] execution and lateral movement tools – PsExec.exe and regsvr32.exe / rundll32.exe used to run payloads or DLLs remotely and locally.
- [Tools/Utilities] archiving and exfiltration utilities observed – WinRAR.exe (archiving with complex excludes), FileZilla, and Rclone (data transfer).
- [Process/Service Names] targets for termination to evade defenses – example processes: sql, oracle; example services: vss, Sophos, Veeam (and other AV/backup services).
- [Command-Line Arguments] malware runtime controls – flags such as -pass= (32-byte password), -enc=, -network, and -selfdelete used to configure payload behavior.
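The MITRE techniques and indicators above map naturally onto process-creation telemetry. As an added illustration (example code written for this page, not tooling from the report's authors or anything from SafePay's toolkit), the following Python classifier runs a handful of rules over constructed Sysmon-style process-creation events modelled on the command lines quoted in the report: vssadmin/bcdedit recovery tampering (T1490), a DLL proxied through regsvr32/rundll32 from a user-writable directory (T1218), WinRAR volume-split recursive archiving (T1560), stopping AV/backup/database services (T1562.001), ShareFinder discovery (T1059.001), and the -pass=/-enc=/-network/-selfdelete runtime flags. The sample events, the "user-writable directory" heuristic, the net/sc/taskkill forms of service termination and the service names are assumptions made for this example; the benign events (listing shadows, registering a System32 DLL, extracting an archive) are included to show that the rules do not fire on ordinary administration.

```python
import ntpath
import re

# Constructed sample events (Sysmon Event ID 1 style fields). These are NOT
# telemetry from a real intrusion; paths, names and flag values are illustrative.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"id": 2, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin list shadows"},                       # benign
    {"id": 3, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"id": 4, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\ProgramData\svc.dll,Run -pass=PLACEHOLDER_32_BYTE_PASSWORD -enc=PLACEHOLDER -network -selfdelete"},
    {"id": 5, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r'WinRAR.exe a -v5g -ed -r -x*.exe -x*.dll "C:\Users\Public\out.rar" "\\fileserver\finance"'},
    {"id": 6, "image": r"C:\Windows\System32\net.exe",
     "cmd": "net stop VeeamBackupSvc /y"},                  # service name assumed
    {"id": 7, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -ep bypass -c "Import-Module .\ShareFinder.ps1; Invoke-ShareFinder"'},
    {"id": 8, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32.exe /s C:\Windows\System32\vbscript.dll"},   # benign
    {"id": 9, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r"WinRAR.exe x C:\Users\alice\Downloads\report.rar"},   # benign
]

# Heuristic: DLLs loaded by regsvr32/rundll32 from outside these directories are suspicious.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Process/service name fragments the report lists as termination targets.
KILL_TARGETS = ("vss", "sophos", "veeam", "sql", "oracle")


def _basename(image):
    return ntpath.basename(image).lower()


def _dll_paths(cmd):
    # Every absolute Windows path ending in .dll on the command line.
    return re.findall(r'[A-Za-z]:\\[^\s,"]+?\.dll', cmd, flags=re.I)


def rule_inhibit_recovery(ev):  # T1490
    c = ev["cmd"]
    return bool(re.search(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b.*/all", c, re.I)
                or re.search(r"bcdedit(?:\.exe)?\b.*recoveryenabled\s+no\b", c, re.I))


def rule_proxy_dll(ev):  # T1218
    if _basename(ev["image"]) not in ("regsvr32.exe", "rundll32.exe"):
        return False
    return any(not p.lower().startswith(SYSTEM_DIRS) for p in _dll_paths(ev["cmd"]))


def rule_archive(ev):  # T1560: WinRAR "a" (add) with volume splitting and recursion
    if _basename(ev["image"]) != "winrar.exe":
        return False
    toks = [t.lower() for t in ev["cmd"].split()]
    return len(toks) > 1 and toks[1] == "a" and "-r" in toks and any(t.startswith("-v") for t in toks)


def rule_kill_defenses(ev):  # T1562.001 (net/sc/taskkill forms are an assumption)
    if _basename(ev["image"]) not in ("net.exe", "net1.exe", "sc.exe", "taskkill.exe"):
        return False
    low = ev["cmd"].lower()
    return ("stop" in low or "/im" in low) and any(t in low for t in KILL_TARGETS)


def rule_sharefinder(ev):  # T1059.001
    return _basename(ev["image"]) in ("powershell.exe", "pwsh.exe") and "sharefinder" in ev["cmd"].lower()


def rule_runtime_flags(ev):  # the payload's documented command-line switches
    c = ev["cmd"].lower()
    return "-pass=" in c and any(f in c for f in ("-enc=", "-network", "-selfdelete"))


RULES = [
    ("T1490", rule_inhibit_recovery),
    ("T1218", rule_proxy_dll),
    ("T1560", rule_archive),
    ("T1562.001", rule_kill_defenses),
    ("T1059.001", rule_sharefinder),
    ("SafePay-flags", rule_runtime_flags),
]


def classify(events):
    """Return (event id, technique) pairs, one per rule that fires, in rule order."""
    return [(ev["id"], tech) for ev in events for tech, pred in RULES if pred(ev)]


def by_technique(hits):
    """Collapse hits into {technique: [event ids]} for triage."""
    out = {}
    for eid, tech in hits:
        out.setdefault(tech, []).append(eid)
    return out


if __name__ == "__main__":
    for eid, tech in classify(SAMPLE_EVENTS):
        print(f"event {eid}: {tech}")
```

Event 4 is the interesting one for triage: it fires twice, once for the DLL loaded from ProgramData via rundll32 and once for the payload's own switches, which is exactly the combination the report describes for the encryption stage. The rules are deliberately narrow (for example, `vssadmin list shadows` and a System32 DLL registration stay silent); in a real deployment they would be tuned against an environment's baseline and paired with the credential-abuse and lateral-movement telemetry (VPN/RDP logons, PsExec service installs, WinRM sessions) that this report also lists.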