
SafePay

Threat-actor battle card · maintained from public sources · last updated 2026-06-23

Category: Ransomware
Attribution: Unknown; suspected Eastern European (CIS-exclusion kill-switch; Conti-lineage TTPs)
First seen: 2024-09
Status: Active
Rank: #10
Recent victims (last ~9d): 6
All-time victims: 503
Primary targets: Finance, Healthcare, Manufacturing, Technology, Government; US-heavy, Germany, UK, Australia, Canada

Overview

SafePay emerged in September 2024 as a centrally operated, non-RaaS ransomware group. Unlike most extortion operations, it develops its own encryptor, manages its own infrastructure, and conducts negotiations directly — no affiliates. It claimed 300+ victims by mid-2025, 400+ by early 2026, and debuted in the global monthly top-7 in May 2026 with 25 claimed victims. The US is its primary target, followed by Germany, UK, Australia, and Canada. A CIS-country exclusion kill-switch (Cyrillic language check halts execution) suggests Eastern European origin.

Tradecraft

  • Initial access: primarily through vulnerable edge devices — VPN gateways, firewalls, Remote Desktop Gateway servers.
  • Reconnaissance: ShareFinder.ps1 (PowerTools) enumerates network, SMB shares, and accessible assets immediately post-access.
  • Lateral movement: living-off-the-land binaries (PSExec, WinRM, RDP) and legitimate RMM software.
  • Evasion: disables security services, eliminates backup software, halts Volume Shadow Copy; token impersonation for privilege escalation where needed.
  • Exfiltration: WinRAR, 7-Zip, Rclone, FileZilla, RDP clipboard.
  • Encryption: ChaCha20 or AES depending on target hardware; per-file keys wrapped in asymmetric cryptography.
  • Extortion: double-extortion (decryption key + DLS publication); employs Conti-lineage TTPs including spam phishing with custom loaders and ESXi/Citrix appliance targeting.
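The reconnaissance, evasion and exfiltration bullets above each describe host-level behaviour that shows up in process-creation telemetry. As an added example (not part of this battle card, and not tooling from any vendor or tracker cited here), the Python below runs three generic, Sigma-style rules over constructed Windows process-creation events and then correlates hits per host, so that a host showing two distinct stages (for instance shadow-copy deletion followed by an Rclone transfer) stands out from a single noisy match. The event shape, the sample events and the exact regexes are assumptions for illustration; they are behaviour patterns, not SafePay-specific indicators.

```python
"""
Added example: defender-side detection pass over constructed process-creation
events for three behaviours listed in the tradecraft section:
  - reconnaissance via ShareFinder.ps1
  - evasion via Volume Shadow Copy deletion
  - exfiltration via Rclone
Event layout mirrors the fields a Sysmon Event ID 1 / Security 4688 record
would carry; all events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


# Constructed sample events (assumed hostnames, users and paths).
SAMPLE_EVENTS = [
    Event("WS-017", "CORP\\jdoe", "explorer.exe",
          "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          "powershell.exe -ep bypass -f C:\\Users\\jdoe\\Downloads\\ShareFinder.ps1"),
    Event("FS-02", "NT AUTHORITY\\SYSTEM", "services.exe",
          "C:\\Windows\\System32\\vssadmin.exe",
          "vssadmin.exe delete shadows /all /quiet"),
    Event("FS-02", "CORP\\svc_backup", "cmd.exe",
          "C:\\Tools\\rclone.exe",
          "rclone.exe copy D:\\Finance remote:share --transfers 8"),
    Event("WS-031", "CORP\\asmith", "explorer.exe",
          "C:\\Windows\\System32\\notepad.exe",
          "notepad.exe C:\\Users\\asmith\\notes.txt"),
    # Benign administrative use of vssadmin: must NOT fire the deletion rule.
    Event("WS-017", "CORP\\jdoe", "cmd.exe",
          "C:\\Windows\\System32\\vssadmin.exe",
          "vssadmin.exe list shadows"),
]

# (rule id, kill-chain stage, command-line pattern). Patterns are generic,
# public-rule-style matches on the command line; they are assumptions here.
RULES = [
    ("recon.sharefinder", "recon",
     re.compile(r"sharefinder\.ps1", re.I)),
    ("evasion.shadow_copy_delete", "evasion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"
                r"|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("exfil.rclone", "exfil",
     re.compile(r"(^|[\\/\s])rclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
]


def scan(events):
    """Return one finding dict per (event, rule) match."""
    findings = []
    for ev in events:
        for rule_id, stage, pattern in RULES:
            if pattern.search(ev.cmdline):
                findings.append({"host": ev.host, "user": ev.user,
                                 "rule": rule_id, "stage": stage,
                                 "cmdline": ev.cmdline})
    return findings


def correlate(findings):
    """Map each host to the sorted list of distinct stages observed on it."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["stage"])
    return {host: sorted(stages) for host, stages in by_host.items()}


def multi_stage_hosts(findings, minimum=2):
    """Hosts on which at least `minimum` distinct stages were observed."""
    return sorted(host for host, stages in correlate(findings).items()
                  if len(stages) >= minimum)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['host']:7} {h['rule']:28} {h['cmdline']}")
    print("multi-stage hosts:", multi_stage_hosts(hits))
```

The single-stage hit on WS-017 is worth a look on its own, but the point of the correlation step is triage order: FS-02 shows evasion and exfiltration within the same event set, which matches the card's described sequence far better than any one rule firing alone.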

Notable victims

  • Energy Action (energy management/Australia) — ~470GB claimed, under investigation — seen June 2026

Assessment

SafePay's in-house model eliminates the affiliate interdiction playbook; there is no affiliate network to penetrate or flip. Its Conti-lineage TTPs, rapid climb from zero to global top-10 in 18 months, and edge-device initial-access focus make it a high-severity risk for any organization running internet-exposed VPN or firewall infrastructure. Healthcare and finance sub-sectors should treat any unpatched edge device as a potential SafePay entry point.

Sources

🗂️ Attacks & victims

All disclosed victims attributed to this actor, newest first.

June 2026

Jun 22 · ehg.bayern · sector unknown · Germany · 🟥 Claimed (leak-site) · disclosed 3d ago · Source: ransomware.live DLS
Jun 17 · seinordovest.it · sector unknown · Italy · 🟥 Claimed (leak-site) · disclosed 8d ago · Source: ransomware.live DLS
Jun 17 · harcourts.net · sector unknown · Australia · 🟥 Claimed (leak-site) · disclosed 8d ago · Source: ransomware.live DLS
Jun 17 · zaunsysteme.de · sector unknown · Germany · 🟥 Claimed (leak-site) · disclosed 8d ago · Source: ransomware.live DLS
Jun 17 · brscappuccio.it · sector unknown · Italy · 🟥 Claimed (leak-site) · disclosed 8d ago · Source: ransomware.live DLS
Jun 17 · gut-heckenhof.de · sector unknown · Germany · 🟥 Claimed (leak-site) · disclosed 8d ago · Source: ransomware.live DLS
Jun 15 · hughstirling.co.uk · sector unknown · United Kingdom · 🟥 Claimed (leak-site) · disclosed 10d ago · Source: ransomware.live DLS
Jun 15 · tokyocivil.co.jp · sector unknown · Japan · 🟥 Claimed (leak-site) · disclosed 10d ago · Source: ransomware.live DLS
Jun 01 · Energy Action · energy management · Australia · 🟥 Claimed (leak-site) · disclosed 24d ago · ~470GB claimed; under investigation · Source: SafePay DLS
