SafePay
SafePay is a ransomware and extortion group first observed in October 2024, with some reporting describing its launch in November 2024. The actors behind at least one investigated sample identified themselves as the “Safepay team.” Across the provided reporting, SafePay is described as one of the more active ransomware groups in 2025 and Q1 2026, with more than 450 victims claimed and one dataset attributing 475 victims to the group. SafePay has been cited among the most active groups in Q3 2025 and among the leading groups in Q1 2026. KELA reporting in the provided content says SafePay was one of five groups responsible for nearly 25% of incidents in its 2025 dataset. Google reporting cited in the content also lists Safepay among the most prominent and active ransomware brands in 2025. The group operates a Tor/dark web leak site and uses data leak extortion tactics, including listing victims, threatening publication of stolen data, and in some cases publishing data after apparent failed negotiations. SafePay claimed the July 2025 attack on Ingram Micro, listed the company on its Tor leak site, alleged theft of 3.5 TB of sensitive data, and later published the data. It also listed Conduent in February 2025 and threatened to publish 8.5 TB of allegedly stolen data. Reporting in the content states SafePay says on its leak site that it is not a ransomware-as-a-service operation and that it has never provided RaaS. Victims and claimed victims mentioned in the content include Ingram Micro, Conduent, Genealogy SA, Favelle Favco, Smile Team Orthodontics, Children’s Council of San Francisco, and US Mortgage Corporation. SafePay has also been linked in the provided reporting to eight government-related attacks in the first half of 2025, three of which were confirmed. The group has targeted organizations in Australia, the United Kingdom, the United States, Italy, New Zealand, Canada, Belgium, Brazil, Germany, Barbados, and Argentina. Reporting in the content also highlights Germany, including the Mittelstand and professional services sector, as an area being targeted during the group’s global expansion. No additional aliases or sub-groups are directly supported by the provided content beyond the name SafePay / Safepay.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
14 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A ransomware operation launched in late 2024 that quickly accumulated a substantial number of victims.
Ransomware operation launched in late 2024 that rapidly grew its victim count.
Ransomware/extortion activity targeting Conduent, with victim listing on a dark web leak site and threats to publish stolen data.
A ransomware group that claimed responsibility for the Conduent intrusion by listing the company on its dark web leak site and threatening to publish stolen data.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.