safepay
Ransomware group profile
Description
SafePay is a financially motivated ransomware group first observed in September 2024. It is known for short dwell times, typically moving from initial access to encryption of victim systems within roughly 24 hours. Unlike ransomware-as-a-service (RaaS) operations, it runs as a centralized group that conducts its own intrusions rather than recruiting affiliates, and its motive is monetary rather than political. The group pairs encryption with data theft in a double-extortion model and engages victims aggressively during negotiation.
Key insights
- Gains initial access by exploiting vulnerabilities in VPN and RDP endpoints, by using stolen credentials, and through social engineering.
- Uses a custom ransomware strain that appends the '.safepay' extension to encrypted files and drops ransom notes.
- Employs double extortion: stolen data is published if the ransom is not paid.
- Communicates aggressively with victims, including direct phone calls to pressure payment.
- Exploits edge-device vulnerabilities such as CVE-2024-21762 (FortiOS SSL-VPN out-of-bounds write) for remote code execution.
- Targets sectors including healthcare, construction, and information services, with over 450 documented victims by 2026.
Threat Level & Status Breakdown (chart: incident status for safepay in the selected period)
Recent activity (chart: monthly attack count for safepay in the selected period)
Intelligence
File-hash IOCs for safepay, grouped by digest type

SHA-256
- a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526
- b41fb6e936eae7bcd364c5b79dac7eb34ef1c301834681fbd841d334662dbd1d
- d520d06d78afcad2e03842cb8db4622d18b92739e89dfb8dadf5743f30dcd903
- fcb00beaa88f7827999856ba12302086cadbc1252261d64379172f2927a6760e
- e75e5778e71e062ce4a7af673f0b2513854d2367fee0f01a26c0c998863bdf6e
- 12139246b8c5232d6d074df37acddc20f0bc233e42ed8eb00dfe2af5d3de3275
- b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb
- eb5558d414c6f96efeb30db704734c463eb08758a3feacf452d743ba5f8fe662
- 327b8b61eb446cc4f710771e44484f62b804ae3d262b57a56575053e2df67917
- eae09889399fe4fb8e78b114dba0527de913d12fb1802944a88ed136e3e90577

SHA-1
- 254295e7d4273570bcbe84ee1fd7381e22fc0706
- b1022afe74471f945b18efed4366598bc6abb192
- 02f2f15cbcda53414b11d3ac67023b03b9b5bb14
- a912233df115e5002f95d55ba0481e6bff798ed3
- 0b64ee06e7b34f8d44ec47ff2fbf9f10f6753103
- 4cf09f8fd5385c4b8414fb6163d831164f1f25c8
- 66c1246e8cb9befca5d129c28de10c74d3855e68
- 4582eab01849c98034677ac425f93a185258dbfa
- 6ee4a4631b61537f877e880c61536852b09b1c3f
- a6dcdfc8e97616c07549290950e78b145883e532
- f95f19fd7d71f58a67bd88fe384cf2d36cc5cd45

MD5
- 1c65d2a20ccf6c6eccdec1cb4a97935c
- 7ba3b719d9215945fa02c9db891446c5
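The hash list above mixes three digest algorithms, so a watchlist has to bucket each indicator by type before it can be compared against anything. The following Python is an added example, not tooling from this page or from any vendor: it classifies the page's own IOCs by digest length, rejects malformed entries instead of silently dropping them, and checks a byte string against the watchlist by computing all three digests in one pass. The sample file contents are constructed and benign.

```python
"""Bucket file-hash IOCs by algorithm and match file contents against them.

Added example. The IOC list is copied from the profile above; the sample
bytes are constructed and are not a SafePay payload.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Set

# Hex digest length -> hashlib algorithm name.
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

# The hashes published on this page, verbatim.
SAFEPAY_IOCS = [
    "254295e7d4273570bcbe84ee1fd7381e22fc0706",
    "1c65d2a20ccf6c6eccdec1cb4a97935c",
    "7ba3b719d9215945fa02c9db891446c5",
    "a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526",
    "b41fb6e936eae7bcd364c5b79dac7eb34ef1c301834681fbd841d334662dbd1d",
    "b1022afe74471f945b18efed4366598bc6abb192",
    "02f2f15cbcda53414b11d3ac67023b03b9b5bb14",
    "a912233df115e5002f95d55ba0481e6bff798ed3",
    "0b64ee06e7b34f8d44ec47ff2fbf9f10f6753103",
    "4cf09f8fd5385c4b8414fb6163d831164f1f25c8",
    "66c1246e8cb9befca5d129c28de10c74d3855e68",
    "d520d06d78afcad2e03842cb8db4622d18b92739e89dfb8dadf5743f30dcd903",
    "4582eab01849c98034677ac425f93a185258dbfa",
    "fcb00beaa88f7827999856ba12302086cadbc1252261d64379172f2927a6760e",
    "e75e5778e71e062ce4a7af673f0b2513854d2367fee0f01a26c0c998863bdf6e",
    "12139246b8c5232d6d074df37acddc20f0bc233e42ed8eb00dfe2af5d3de3275",
    "b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb",
    "eb5558d414c6f96efeb30db704734c463eb08758a3feacf452d743ba5f8fe662",
    "6ee4a4631b61537f877e880c61536852b09b1c3f",
    "a6dcdfc8e97616c07549290950e78b145883e532",
    "327b8b61eb446cc4f710771e44484f62b804ae3d262b57a56575053e2df67917",
    "f95f19fd7d71f58a67bd88fe384cf2d36cc5cd45",
    "eae09889399fe4fb8e78b114dba0527de913d12fb1802944a88ed136e3e90577",
]


def classify_iocs(indicators: Iterable[str]) -> Dict[str, Set[str]]:
    """Bucket indicators by algorithm using digest length.

    Anything that is not lowercase-normalisable hex of a known length lands in
    'unknown' so a typo in a feed never silently removes an indicator.
    """
    buckets: Dict[str, Set[str]] = {"md5": set(), "sha1": set(), "sha256": set(), "unknown": set()}
    for raw in indicators:
        ioc = raw.strip().lower()
        algo = DIGEST_ALGOS.get(len(ioc))
        if algo is None or not re.fullmatch(r"[0-9a-f]+", ioc):
            buckets["unknown"].add(raw)
        else:
            buckets[algo].add(ioc)
    return buckets


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Compute md5, sha1 and sha256 of `data` from a single read."""
    hashers = {algo: hashlib.new(algo) for algo in DIGEST_ALGOS.values()}
    for h in hashers.values():
        h.update(data)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_bytes(data: bytes, watchlist: Dict[str, Set[str]]) -> List[str]:
    """Return the algorithms whose digest of `data` is on the watchlist."""
    digests = hash_bytes(data)
    return sorted(a for a, d in digests.items() if d in watchlist.get(a, set()))


if __name__ == "__main__":
    wl = classify_iocs(SAFEPAY_IOCS)
    for algo, items in wl.items():
        print(f"{algo}: {len(items)} indicators")
    sample = b"constructed sample bytes, not malware"  # constructed input
    print("matches:", match_bytes(sample, wl))
```

A real hunt would stream files through `hashlib` in chunks rather than reading them whole, but the bucketing logic is the part that prevents the common mistake of comparing a SHA-1 against a SHA-256 list and concluding there were no hits.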
TTPs & Attack Vectors
MITRE ATT&CK techniques observed for safepay
- T1560.001 Archive Collected Data: Archive via Utility
- T1003 OS Credential Dumping
- T1089 Disabling Security Tools (deprecated ID; now covered by T1562.001 Impair Defenses: Disable or Modify Tools)
- T1202 Indirect Command Execution
- T1135 Network Share Discovery
- T1059 Command and Scripting Interpreter
- T1486 Data Encrypted for Impact
- T1071 Application Layer Protocol
- T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
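Of the techniques listed, T1486 (Data Encrypted for Impact) is the one that produces a loud, host-local signal: a burst of files written with the '.safepay' extension named in the key insights above. The following Python is an added example of that detection logic, not a rule from this page or from any vendor. It runs a per-host sliding window over constructed Sysmon-style FileCreate events (Event ID 11 fields reduced to host, time and target filename); the threshold and window length are tuning assumptions, and the hostnames and paths are constructed.

```python
"""Burst detection for ransom-extension writes (ATT&CK T1486).

Added example over constructed Sysmon-style FileCreate events. The extension
comes from the profile; threshold, window and all hostnames/paths are
assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List

RANSOM_EXT = ".safepay"                    # from the profile
BURST_THRESHOLD = 20                       # assumption: writes per window before alerting
BURST_WINDOW = timedelta(seconds=60)       # assumption: sliding window length


def constructed_events() -> List[dict]:
    """Constructed sample telemetry: benign writes, one burst, one stray hit."""
    base = datetime(2025, 1, 15, 3, 12, 0)
    events: List[dict] = []
    # Normal document activity on a workstation (should not alert).
    for i in range(5):
        events.append({
            "host": "WS-07",
            "utc_time": base + timedelta(seconds=i * 10),
            "target_filename": f"C:\\Users\\alice\\Documents\\report{i}.docx",
        })
    # 25 ransom-extension writes on a file server within 25 seconds.
    for i in range(25):
        events.append({
            "host": "FS-01",
            "utc_time": base + timedelta(seconds=i),
            "target_filename": f"\\\\FS-01\\share\\doc{i}.xlsx{RANSOM_EXT}",
        })
    # A single hit on another host, below threshold (should not alert).
    events.append({
        "host": "WS-12",
        "utc_time": base,
        "target_filename": "C:\\tmp\\test.txt.SAFEPAY",
    })
    return events


def is_ransom_write(ev: dict) -> bool:
    """Case-insensitive match on the ransom extension."""
    return ev["target_filename"].lower().endswith(RANSOM_EXT)


def detect_bursts(events: Iterable[dict],
                  threshold: int = BURST_THRESHOLD,
                  window: timedelta = BURST_WINDOW) -> Dict[str, dict]:
    """Per-host sliding-window count of ransom-extension writes.

    Returns the first alert per host: when the threshold was crossed, how many
    writes were in the window at that moment, and a few sample paths for triage.
    """
    alerts: Dict[str, dict] = {}
    windows: Dict[str, Deque[dict]] = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["utc_time"]):
        if not is_ransom_write(ev):
            continue
        q = windows[ev["host"]]
        q.append(ev)
        # Drop events that have aged out of the window.
        while q and ev["utc_time"] - q[0]["utc_time"] > window:
            q.popleft()
        if len(q) >= threshold and ev["host"] not in alerts:
            alerts[ev["host"]] = {
                "crossed_at": ev["utc_time"],
                "count": len(q),
                "samples": [e["target_filename"] for e in list(q)[:3]],
            }
    return alerts


if __name__ == "__main__":
    for host, alert in detect_bursts(constructed_events()).items():
        print(f"{host}: {alert['count']} '{RANSOM_EXT}' writes by {alert['crossed_at']:%H:%M:%S}")
        for path in alert["samples"]:
            print("   ", path)
```

The window is keyed per host because encryption is performed host by host; a fleet-wide count would be swamped by a single noisy server, while a per-host count also surfaces the first machine hit, which is the one to isolate. Given the profile's roughly 24-hour access-to-encryption timeline, the earlier techniques in the list (share discovery, credential dumping, archiving for exfiltration) are the ones that leave time to respond; this alert is the last line.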
Victims (200)
| Company | Domain | Country | Industry | Status | Discovered |
|---|---|---|---|---|---|
| iql-nog.com | iql-nog.com | ES Spain | Manufacturing | Claimed | 1 day ago |
| tavolaspa.com | tavolaspa.com | IT Italy | Hospitality | Claimed | 2 days ago |
| parsa-beauty.de | parsa-beauty.de | DE Germany | Retail & E-Commerce | Claimed | 2 days ago |
| soraris.it | soraris.it | IT Italy | Technology | Claimed | 2 days ago |
| lcnet.eu | lcnet.eu | DE Germany | Technology | Claimed | 2 days ago |
| verzolla.com | verzolla.com | IT Italy | Manufacturing | Claimed | 2 days ago |
| compactmould.com | compactmould.com | CA Canada | Manufacturing | Claimed | 2 days ago |
| eitecpro.co.jp | eitecpro.co.jp | JP Japan | Technology | Claimed | 9 days ago |
| tme-rusta.de | tme-rusta.de | DE Germany | Professional Services | Claimed | 9 days ago |
| cyuou.com | cyuou.com | JP Japan | Technology | Claimed | 9 days ago |
| vdmtrucking.com | vdmtrucking.com | CA Canada | Transportation | Claimed | 9 days ago |
| olipes.com | olipes.com | ES Spain | Manufacturing | Claimed | 15 days ago |
| harrisoncountywv.com | harrisoncountywv.com | US United States | Government & Defense | Claimed | 16 days ago |
| printroom.co.uk | printroom.co.uk | GB United Kingdom | Professional Services | Claimed | 16 days ago |
| hautarzt-budihardja.de | hautarzt-budihardja.de | DE Germany | Healthcare | Claimed | 16 days ago |
| mediafrance.de | mediafrance.de | DE Germany | Retail & E-Commerce | Claimed | 16 days ago |
| ashleytimber.co.uk | ashleytimber.co.uk | GB United Kingdom | Other | Claimed | 16 days ago |
| adlan.com | adlan.com | CA Canada | Technology | Claimed | 16 days ago |
| Berlinmobil.de | berlinmobil.de | DE Germany | Transportation | Claimed | 16 days ago |
| smp.cat | smp.cat | ES Spain | Healthcare | Claimed | 28 days ago |
Showing the first 20 of 200 listed victims.
Affected countries (56)
Countries where this group has been reported to target or leak victims.