Unmasking the SafePay Ransomware Group

by CybrGPT

The SafePay ransomware group emerged in October 2024 and has been one of the most active cybercriminal collectives since.

SafePay has claimed 248 victims to date, according to two ransomware-tracking websites, Ransomware.live and RansomFeed.

The group made headlines in early July when it was linked to the ransomware attack against Ingram Micro, one of the world’s largest IT distributors. Although the targeted company did not mention the group in its public disclosure of the hack, an alleged ransom note seen by Infosecurity tied the attack to SafePay.

In May 2025, the group recorded the most monthly ransomware victim claims according to research by NCC Group.

One of SafePay’s first claimed high-profile attacks was against UK telematics business Microlise in October 2024, with the group allegedly stealing 1.2 terabytes of data and demanding payment within less than 24 hours.

Conti-Inspired Tactics Identified in SafePay Ransomware

The group may be new to the ransomware ecosystem but some of its techniques bear the hallmarks of long-established hackers.

Yelisey Boguslavskiy, co-founder of threat intelligence firm Red Sense, investigated the SafePay ransomware group for a TLP:RED report, which was shared with a limited number of people.

On LinkedIn, he described the group as one of the post-Conti ransomware groups, noting that its operators employ typical Conti techniques, tactics and procedures (TTPs) and may include former members of the defunct Conti gang.

Speaking to Infosecurity, Boguslavskiy said SafePay uses “standard Conti TTPs,” such as spam phishing with custom loaders, targeting ESXi platforms and the intent to abuse unpatched VMware or Citrix appliances.

“Their approach to social engineering [is] also very Conti-standard, with a big reliance on phone calls and spam. The victim receives a ton of spam, and at the same time, when they are panicking and raising concerns, a call comes from ‘the company’s IT department’ via Microsoft Teams,” Boguslavskiy said.

The attackers, posing as independent third-party IT vendors, request that the victim allow them to review their system using legitimate tools, such as Microsoft Quick Assist for remote control.

“Then, they drop a PowerShell script and often live on the network for up to a week to investigate and another week to slowly move towards exfiltration,” he continued.

Instead of moving data directly, they typically use Rclone, a legitimate command-line program to manage files on cloud storage.

“When this is done, they will deploy the locker, [which] is custom-built and brand new, not a Conti or LockBit derivative.”

Additionally, another typical SafePay attack chain starts with the use of cyber search tools like Shodan and open-source intelligence (OSINT) tools like Apollo to identify open endpoints, their logins, as well as employee names.

They will then try to brute force those endpoints via dictionary attacks (e.g. guessing a password such as johnsmithcompanyname123).

According to threat intelligence company Halcyon, SafePay’s encrypted files carry the “.safepay” extension and ransom notes are titled “readme_safepay.txt.”
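The two kinds of evidence described above, the behavioural chain (a Quick Assist session, then a dropped PowerShell script, then Rclone for exfiltration) and the file artefacts Halcyon reports (the ".safepay" extension and the "readme_safepay.txt" note), lend themselves to a small defender-side triage script. The following is an added example, not code from the article, Red Sense or Halcyon; the event tuples and file paths are constructed, and the process image names used to recognise each stage are assumptions about how these tools appear in process-creation telemetry.

```python
"""Defender-side triage for the SafePay tradecraft described above (added example).

Two independent checks:
  * file-artefact scan: the ".safepay" extension and "readme_safepay.txt" note
    reported by Halcyon;
  * behavioural correlation: on one host, a Quick Assist session followed by
    PowerShell and then rclone, the remote-access -> script -> exfiltration
    sequence described in the interview.
All event data below is constructed; the image names are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

SAFEPAY_EXTENSION = ".safepay"
SAFEPAY_NOTE = "readme_safepay.txt"

# Ordered stages of the chain, each matched on the lowercase image basename.
# (Image names are assumed, not taken from the article.)
STAGES = [
    ("remote_access", {"quickassist.exe"}),
    ("script_execution", {"powershell.exe", "pwsh.exe"}),
    ("exfil_tool", {"rclone.exe"}),
]


def file_indicators(paths):
    """Return the paths that carry a SafePay file artefact (note or extension)."""
    hits = []
    for p in paths:
        name = PureWindowsPath(p).name.lower()
        if name == SAFEPAY_NOTE or name.endswith(SAFEPAY_EXTENSION):
            hits.append(p)
    return hits


def correlate_chain(events):
    """Per host, report which stages of the chain appeared in order.

    `events` is an iterable of (iso_timestamp, host, image_path).
    A host is marked full_chain only when all three stages occur in sequence;
    PowerShell or rclone alone is too noisy to flag on its own.
    """
    by_host = defaultdict(list)
    for ts, host, image in events:
        by_host[host].append(
            (datetime.fromisoformat(ts), PureWindowsPath(image).name.lower())
        )
    findings = {}
    for host, procs in by_host.items():
        procs.sort()  # chronological order is what makes the sequence meaningful
        stage_idx = 0
        reached = []
        for _ts, name in procs:
            if stage_idx < len(STAGES) and name in STAGES[stage_idx][1]:
                reached.append(STAGES[stage_idx][0])
                stage_idx += 1
        findings[host] = {"stages": reached, "full_chain": stage_idx == len(STAGES)}
    return findings


# Constructed sample data for a stand-alone run.
SAMPLE_FILES = [
    r"C:\Finance\Q2_ledger.xlsx.safepay",
    r"C:\Finance\readme_safepay.txt",
    r"C:\Finance\budget.xlsx",
    r"C:\Users\Public\notes.txt",
]

SAMPLE_EVENTS = [
    ("2025-07-01T09:02:00", "WS-017", r"C:\Windows\System32\quickassist.exe"),
    ("2025-07-01T09:10:30", "WS-017", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("2025-07-08T22:15:00", "WS-017", r"C:\ProgramData\rclone\rclone.exe"),
    ("2025-07-02T14:00:00", "WS-042", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("2025-07-02T14:05:00", "WS-042", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    print("file artefacts:", file_indicators(SAMPLE_FILES))
    for host, result in correlate_chain(SAMPLE_EVENTS).items():
        print(host, result)
```

The week-long gap between the PowerShell and rclone events on WS-017 mirrors the dwell time quoted above, which is why the correlation is keyed on order rather than on a short time window; a tighter window would miss exactly the slow, patient pattern described.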

“SafePay consistently applies a double extortion model, encrypting systems while exfiltrating sensitive data to increase leverage through the threat of public exposure and sustained operational disruption,” Halcyon’s Anthony M. Freed wrote in a short report on SafePay.

“However, [the SafePay operators] care about data 100 more times than they do about encryption,” Boguslavskiy noted.

US and Germany, Top Targeted Countries

SafePay operators know the US business landscape very well, Boguslavskiy told Infosecurity.

This resonates with the victimology data reported by Ransomware.live, which noted that the US was the group’s most targeted country, with 96 claimed victims, followed by Germany (46 claimed victims) and the UK (12 claimed victims).

“Overall, the group has been targeting the private sector almost exclusively, especially in the financial, legal and insurance sectors – hence the name. Recently, though, the victimology has changed, with the group targeting the public domain, including healthcare and critical services. This may suggest a decline in the number of targets and potential issues within the group,” Boguslavskiy said in his LinkedIn post.

The group communicates with victims and leaks stolen data through infrastructure hosted on both Tor and The Open Network (TON).

According to Boguslavskiy, there have been speculations that the group employs individuals who are engaged in recovery services in legitimate recovery firms. Because the group is focused on data exfiltration over data encryption, the researcher believes the operators will likely “try to trick the victim by offering a free decryptor” in order to force them to pay quicker.

SafePay’s ransoms are typically calculated as 1-3% of the victim’s annual revenue and range from $500,000 to $1m.

However, Boguslavskiy noted that, in true Conti fashion, SafePay is “very risk-averse when it comes to sanctions” and may significantly reduce the price when victims inform them that they could face consequences for paying.

He mentioned ransoms have been known to drop to between $100,000 and $300,000.

The SafePay, INC Ransom and Lynx Triad

SafePay siphoned key talent from other groups, and its emergence in the fall of 2024 was “the primary reason for BlackBasta’s dissolution and the subsequent Basta leaks,” Boguslavskiy said in his blog post.

Additionally, the researcher made three notable assessments with moderate confidence about SafePay’s model and its place in the cybercrime ecosystem:

  • The group likely does not operate a ransomware-as-a-service (RaaS) model with affiliates
  • The group could be part of a triad alongside two other groups, INC Ransom and Lynx
  • The group likely maintains loose links to other groups, such as Akira, BlackSuit, Play and Qilin

The first assessment, the absence of a RaaS model, was confirmed in May 2025 by DCSO, a German cybersecurity company, in a report published on Medium in which the firm provided an in-depth analysis of the deployment of SafePay’s ransomware.

Regarding the alleged “triad”, Boguslavskiy explained that SafePay works very closely with INC Ransom, with some of the INC victims listed on the SafePay website.

However, while initially SafePay focused on finance, insurance and legal targets, leaving the rest to INC Ransom, a recent alteration in SafePay’s targeting might change the narrative.

“Safepay and INC are at least 30 core members, but there are many affiliates who work on the side with an INC locker, so the final number is larger,” he added.

The other connections with other ransomware groups are due to their “shared Conti heritage.”

Photo credit: JHVEPhoto / Shutterstock.com



© 2025 cybrgpt.com – All rights reserved.