LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile

SafePay Ransomware: The Non-RaaS Group Claiming 400+ Victims with Conti-Derived TTPs

SafePay emerged in September 2024 as a closed, operator-run ransomware group that explicitly rejects the RaaS affiliate model. By early 2026 it had claimed over 400 victims across 40+ countries, with surge days reaching 29 new victim claims in 24 hours.

By Ransomware Tracker ·
SafePayransomwarenon-RaaSContiLockBitChaCha20ESXidouble-extortionSMBmanufacturing
Threat Level
8/10

Group Overview

SafePay is a ransomware operation that emerged in September 2024, distinguished from the dominant ransomware-as-a-service (RaaS) model by its explicit rejection of external affiliates. The group operates as a closed, centrally managed enterprise — all operations, from initial access to ransom negotiation, are conducted by the core team. This non-RaaS structure makes SafePay harder to infiltrate through affiliate-channel intelligence and creates a more consistent, operationally disciplined attack pattern than groups that outsource intrusions to variable-quality affiliates.

By early 2026, SafePay has claimed more than 400 victims across 40-plus countries, with the United States, Germany, Great Britain, and Canada representing the largest geographic concentrations. On its most active recorded day (March 30, 2025), the group claimed 29 new victims — an attack velocity that rivals much larger RaaS operations.

SafePay operates a leak site on the Tor network where non-paying victims’ data is published. The group has been observed contacting victims directly via phone calls in some cases, applying additional pressure beyond the standard leak threat.

Attribution and Origins

SafePay’s tooling and operational patterns show clear derivation from the Conti playbook. The use of Conti-style TTPs — including spam phishing with custom loaders, ESXi platform targeting, and data staging via WinRAR/FileZilla — is consistent with the broader post-Conti ecosystem that emerged after the group’s dissolution in May 2022. Like multiple post-Conti groups (Black Basta, Royal, Black Suit), SafePay appears to incorporate leaked Conti source code or methodology.

Some analysis has identified infrastructure and code similarities with LockBit 3.0 (LockBit Black), suggesting possible shared developers or code reuse from the LockBit builder that leaked publicly in September 2022.

Attribution confidence to a specific threat actor or nationality is low. SafePay has not been tied to a specific national infrastructure or attributed by government agencies at the time of writing.

Tactics, Techniques, and Procedures

Initial Access

SafePay primarily gains initial access through:

  • Phishing with custom loaders: Spam phishing campaigns delivering custom loader malware as the initial foothold
  • VPN and remote access exploitation: Targeting unpatched VPN appliances and RDP services with weak credentials
  • Valid credentials: Possible use of credentials obtained from initial access brokers or prior data breaches

The group has not been prominently associated with exploitation of specific CVEs in vendor advisories, suggesting an emphasis on credential-based and phishing-based access rather than zero-day exploitation.

Post-Compromise

After initial access, SafePay operators move quickly through a structured kill chain:

Reconnaissance and lateral movement: Network discovery using standard tooling (ADRecon, BloodHound-style AD enumeration). Lateral movement via pass-the-hash, RDP, and scheduled task abuse.

Persistence: Scheduled tasks, registry run keys, and deployment through legitimate software management tools.

Data exfiltration: Files are archived with WinRAR or 7-Zip. Exfiltration is performed via FileZilla, Rclone, or direct RDP clipboard transfer for smaller volumes. Data staging typically precedes encryption by 24-72 hours.

VMware ESXi targeting: Like most mature ransomware operators, SafePay deploys a dedicated ESXi encryptor to maximise impact on virtualised infrastructure — a single ESXi host typically hosts dozens of virtual machines, and encrypting it eliminates recovery options without offline backups.

Encryption: SafePay uses ChaCha20 or AES depending on target system hardware capabilities. The group supports intermittent encryption (encrypting only a portion of each file’s data) to accelerate the encryption phase while still rendering files unrecoverable.

Ransom note: SafePay does not leave ransom instructions on the network at encryption time. Communication instructions are withheld until the victim initiates contact via the leak site or direct email, a tactic that creates victim uncertainty and urgency.

MITRE ATT&CK Alignment

TacticTechnique
Initial AccessT1566 (Phishing), T1078 (Valid Accounts)
ExecutionT1053 (Scheduled Task), T1059 (Command and Scripting Interpreter)
PersistenceT1547 (Registry Run Keys), T1053 (Scheduled Task)
Credential AccessT1003 (OS Credential Dumping), T1552 (Unsecured Credentials)
DiscoveryT1069 (Permission Groups Discovery), T1087 (Account Discovery)
Lateral MovementT1550 (Pass the Hash), T1021 (Remote Services)
CollectionT1560 (Archive Collected Data), T1074 (Data Staged)
ExfiltrationT1048 (Exfiltration Over Alternative Protocol)
ImpactT1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery)

Victim Profile

SafePay’s targeting is primarily opportunistic within a defined SMB sweet spot: organisations with 50-500 employees that have sufficient revenue to pay meaningful ransoms but insufficient security maturity to detect and respond to intrusions quickly.

Primary sectors: Technology (including MSPs), manufacturing, professional services (legal, accounting), healthcare, financial services, and education.

Geographic focus: English-speaking markets (US, UK, Canada, Australia) and Western Europe (Germany, France) dominate the victim list, consistent with targeting organisations with higher revenue and ransom-paying capacity.

Size profile: Overwhelmingly SMBs and lower-mid-market organisations. SafePay does not appear to target major enterprise or critical infrastructure — possibly reflecting risk management preferences within a closed operation that cannot absorb the law enforcement attention that high-profile attacks generate.

Ransom demands: Publicly available victim data suggests ransom demands in the range of $50K–$500K, calibrated to the victim’s apparent revenue, consistent with the SMB targeting profile.

Victim count growth: SafePay grew from a new operation in September 2024 to 400+ claimed victims within 18 months — a faster victim accumulation rate than most comparable groups at the same stage.

Surge activity: The group’s peak of 29 claimed victims in a single day suggests either a bulk-compromise campaign using automated tooling or a significant network intrusion affecting multiple related organisations.

Operational consistency: The non-RaaS, closed-team model appears to produce consistent TTP execution with minimal variation across incidents — a characteristic that makes the group’s behaviour more predictable from a detection standpoint.

Low public profile: SafePay has maintained a deliberately low public profile, avoiding the media and researcher attention that contributed to law enforcement focus on groups like LockBit and ALPHV/BlackCat. The lack of a branded affiliate programme and public recruitment means the group has not appeared on major dark web forums as a named service.

Defensive Recommendations

For SafePay’s typical target profile (SMBs with 50-500 employees):

  • VPN and RDP hardening: SafePay’s initial access reliance on remote access services means that MFA on VPN, RDP disabled where not required, and network-level authentication for RDP are high-priority controls.

  • Email security: The phishing-with-custom-loader initial access path is stopped by email security tooling (sandboxed attachment analysis) and user awareness training. Ensure that executable attachments and macro-enabled Office documents are blocked or sandboxed at the email gateway.

  • Backup isolation: Given SafePay’s ESXi targeting and backup deletion TTPs, immutable backups (offline or with WORM storage) that cannot be reached from the production network are the last-resort recovery control. Test recovery procedures quarterly.

  • Exfiltration detection: SafePay’s use of Rclone and FileZilla for exfiltration is detectable via process monitoring (alert on Rclone execution on servers) and DLP controls for large-volume outbound transfers.

  • Endpoint detection: SafePay’s use of Conti-derived tools means that modern EDR platforms have signatures for many of the group’s tools. Ensure endpoint coverage on servers (not just workstations), as server-side compromise is the primary path to domain-level impact.

Summary

SafePay is a mature, disciplined ransomware operation that punches above its name recognition weight. Its non-RaaS structure provides operational consistency that many larger affiliate-dependent groups lack. The 400+ victim count and sub-18-month trajectory place it firmly in the tier-2 ransomware group category — not at the scale of Qilin or LockBit, but consistently active and growing. SMB security teams should treat SafePay as a realistic threat, particularly for organisations in technology, manufacturing, and professional services with remote access exposure.

// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting