SafePay Ransomware Claims Attacks on Over 73 Victim Organizations in a Single Month

In 2025, SafePay ransomware emerged as a significant cybersecurity threat, claiming attacks on 73 organizations in June and an additional 42 in July. This activity highlights SafePay as a prominent threat actor, necessitating proactive defenses by security teams globally.

Unlike traditional ransomware-as-a-service (RaaS) models, SafePay operates as a closed, independent group with strict operational security. The group has claimed over 270 victims in 2025 alone, primarily targeting mid-size and enterprise organizations across the United States, Germany, Great Britain, and Canada. Sectors affected include manufacturing, healthcare, and construction.

SafePay’s operations began in September 2024 following law enforcement actions against other ransomware groups. Analysts have noted similarities between SafePay and LockBit, though they employ different encryption and operational methods.

SafePay is capable of executing complete attack chains within 24 hours, from initial access to encryption. Target organizations typically have revenues around $5 million, though some victims report revenues exceeding $100 million, with one surpassing $40 billion.

Encryption and Evasion Mechanisms

SafePay utilizes the ChaCha20 encryption algorithm with unique symmetric keys for each file, embedding additional keys within the ransomware executable. This dual-key system complicates decryption efforts.

The ransomware evades defenses with anti-debugging checks and by terminating processes associated with anti-malware functions. It removes volume shadow copies to prevent recovery and encrypts files with the .safepay extension, leaving ransom notes titled “readme_safepay.txt”.
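The indicators in this paragraph (the .safepay extension, the readme_safepay.txt ransom note, and shadow-copy removal) translate directly into endpoint detection logic. The following script is an added example written for this article, not code from SafePay or from the original report: it scans constructed telemetry (one JSON event per line, with fields ts, host, pid, event and either path or cmdline, a format assumed here for illustration) and raises an alert when a process writes a burst of .safepay files, drops the ransom note, or runs a shadow-copy deletion command. The command-line fragments used for the shadow-copy check are an assumption, since the article does not say how the copies are removed; they are the strings defenders commonly match for MITRE technique T1490.

```python
"""Added example: detect SafePay-style indicators in constructed endpoint telemetry.

Not SafePay's code and not from the article. Telemetry format and the
shadow-copy command fragments are assumptions made for this example.
"""
import json
from collections import defaultdict

ENCRYPTED_EXT = ".safepay"          # extension the article reports on encrypted files
RANSOM_NOTE = "readme_safepay.txt"  # ransom note name the article reports
# Alert once a single process has written this many files with the extension.
BURST_THRESHOLD = 3
# Assumption: the article does not name the shadow-copy removal method; these
# are the command-line fragments defenders usually match for MITRE T1490.
SHADOW_DELETE_MARKERS = ("delete shadows", "shadowcopy delete")

# Constructed telemetry: one JSON object per line. Backslashes are JSON-escaped.
SAMPLE_TELEMETRY = r"""
{"ts":"2025-06-12T03:14:01Z","host":"WS-17","pid":4120,"event":"process_start","cmdline":"vssadmin.exe delete shadows /all"}
{"ts":"2025-06-12T03:14:05Z","host":"WS-17","pid":4130,"event":"file_write","path":"C:\\Users\\a.smith\\Documents\\q2_report.docx.safepay"}
{"ts":"2025-06-12T03:14:05Z","host":"WS-17","pid":4130,"event":"file_write","path":"C:\\Users\\a.smith\\Documents\\budget.xlsx.safepay"}
{"ts":"2025-06-12T03:14:06Z","host":"WS-17","pid":4130,"event":"file_write","path":"C:\\Users\\a.smith\\Documents\\notes.txt.safepay"}
{"ts":"2025-06-12T03:14:07Z","host":"WS-17","pid":4130,"event":"file_write","path":"C:\\Users\\a.smith\\Documents\\readme_safepay.txt"}
{"ts":"2025-06-12T03:20:00Z","host":"WS-22","pid":900,"event":"file_write","path":"C:\\Users\\b.jones\\Downloads\\invoice.pdf"}
{"ts":"2025-06-12T03:21:00Z","host":"WS-22","pid":901,"event":"process_start","cmdline":"C:\\Windows\\System32\\notepad.exe"}
"""


def parse_events(text):
    """Parse newline-delimited JSON telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return an ordered, de-duplicated list of (host, pid, reason) alerts."""
    alerts = []
    seen = set()
    safepay_writes = defaultdict(int)  # (host, pid) -> count of .safepay writes

    def raise_alert(host, pid, reason):
        key = (host, pid, reason)
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    for ev in events:
        host, pid = ev["host"], ev["pid"]
        if ev["event"] == "process_start":
            cmd = ev.get("cmdline", "").lower()
            if any(marker in cmd for marker in SHADOW_DELETE_MARKERS):
                raise_alert(host, pid, "shadow_copy_deletion")
        elif ev["event"] == "file_write":
            name = basename(ev.get("path", ""))
            if name == RANSOM_NOTE:
                raise_alert(host, pid, "ransom_note_dropped")
            elif name.endswith(ENCRYPTED_EXT):
                safepay_writes[(host, pid)] += 1
                if safepay_writes[(host, pid)] >= BURST_THRESHOLD:
                    raise_alert(host, pid, "encrypted_extension_burst")
    return alerts


if __name__ == "__main__":
    for host, pid, reason in detect(parse_events(SAMPLE_TELEMETRY)):
        print(f"ALERT host={host} pid={pid} reason={reason}")
```

Running the script prints three alerts for host WS-17 (the shadow-copy command, the burst of .safepay writes, and the ransom note) and none for WS-22. In a real deployment the burst threshold would be tuned per environment, and the three reasons would be correlated on the same host within a short window, since the article notes that SafePay moves from initial access to encryption within 24 hours.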

SafePay includes geographic targeting logic, detecting Cyrillic keyboards to avoid execution on such systems, potentially indicating a Russian connection within its operations.