Know Your Adversary: SafePay
SafePay is a new, aggressive and prolific ransomware group. Whilst the group is evolving quickly, every SafePay incident observed so far has followed the same playbook. Read our analysis of SafePay attacks, and of how incident responders can investigate and remediate such incidents.

1) Summary
SafePay is a double-extortion ransomware that steals data before encrypting it, appending “.safepay” to files and dropping the note readme_safepay.txt. All observed intrusions begin with valid-credential logins through SSL-VPN appliances (most often misconfigured FortiGate or similar gateways that either lack MFA or allow local accounts to bypass it). After entry, the actors move laterally with built-in Windows tools, archive loot with WinRAR, transfer it via FileZilla or SFTP, then launch an encryptor derived from leaked LockBit code. The payload deletes shadow copies, blocks Windows recovery, and supports network propagation.

2) Background
- First spotted: October 2024
- Growth: By November 2024 the leak site listed 22 victims. At the time of writing this post, 26th May 2025, SafePay has become one of the most active ransomware groups, publishing multiple victims a day.
- Victimology: More than 50 organisations across the United States, Germany, and the United Kingdom, with spikes of 10-plus disclosures per day targeting manufacturing, business services, and education.
- Business model: Indicators point to a small core team offering a closed operation based on repurposed LockBit source, evidenced by identical command-line flags and ChaCha20 + x25519 encryption routines. Their dark web data leak site claims they do not run Ransomware-as-a-service.
3) Attack Vector
Stage | Technique | Notes |
---|---|---|
Initial access | VPN credential abuse | Local or LDAP accounts allowed to authenticate against SSL-VPN without MFA because of misconfigured policies; weak passwords or credentials purchased from brokers. |
Foothold | RDP from inside VPN pool | Operator logs in interactively the morning of, or day before, exfiltration and encryption, often with workstation name pattern WIN-*. |
Discovery | ShareFinder.ps1 , net.exe , nltest.exe | Enumerates shares and domain controllers. |
Lateral move | Admin shares, SMB copy of encryptor | UNC paths used to push locker.dll or 1.exe across servers. |
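The initial-access and foothold rows above describe a single pattern: an SSL-VPN login (often without MFA) followed shortly by an interactive RDP logon whose source address sits in the VPN pool and whose workstation name matches WIN-*. The script below is an added example, not code from the original post or from Strand Intelligence, that correlates the two. The VPN log lines use a constructed key=value layout (not any vendor's real schema), the VPN pool 10.212.134.0/24, the hostnames and the scoring weights are assumptions, and the Windows records use the documented Security event 4624 field names (LogonType 10 is RemoteInteractive, i.e. RDP).

```python
"""Correlate SSL-VPN tunnel logins with RDP logons that originate from the VPN address pool.
The VPN lines use a constructed key=value layout (not any vendor's real schema); the Windows
records use the documented 4624 field names (LogonType 10 = RemoteInteractive, i.e. RDP)."""
from datetime import datetime, timedelta
from fnmatch import fnmatch
import ipaddress
import re

VPN_LOG = """\
2025-05-20T07:41:02Z action=tunnel-up user=jsmith remip=203.0.113.7 tunnelip=10.212.134.21 mfa=no
2025-05-20T07:55:10Z action=tunnel-up user=svc_backup remip=198.51.100.9 tunnelip=10.212.134.22 mfa=no
2025-05-20T08:02:44Z action=tunnel-up user=agarcia remip=192.0.2.33 tunnelip=10.212.134.23 mfa=yes
"""  # constructed sample lines, not captured from a real appliance

LOGON_EVENTS = [  # constructed Security 4624 records as a SIEM would export them
    {"time": "2025-05-20T07:43:30Z", "EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith",
     "WorkstationName": "WIN-5K3J9LQ2N7A", "IpAddress": "10.212.134.21", "Computer": "FS01"},
    {"time": "2025-05-20T08:10:05Z", "EventID": 4624, "LogonType": 10, "TargetUserName": "agarcia",
     "WorkstationName": "LT-AGARCIA", "IpAddress": "10.212.134.23", "Computer": "HR-WS07"},
    {"time": "2025-05-20T07:58:12Z", "EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith",
     "WorkstationName": "WIN-QX2P7M1R4BD", "IpAddress": "10.212.134.22", "Computer": "DC01"},
    {"time": "2025-05-20T09:00:00Z", "EventID": 4624, "LogonType": 3, "TargetUserName": "jsmith",
     "WorkstationName": "WIN-5K3J9LQ2N7A", "IpAddress": "10.212.134.21", "Computer": "FS01"},
]

VPN_POOL = ipaddress.ip_network("10.212.134.0/24")  # assumed address pool handed out by the SSL-VPN
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed weights: an MFA-less VPN login or a VPN user that differs from the RDP user
# matter more than a default-looking workstation name on its own.
WEIGHTS = {"vpn-login-without-mfa": 2, "default-workstation-name": 1, "vpn-user-mismatch": 2}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_vpn_sessions(text):
    """Map each assigned tunnel IP to its most recent tunnel-up record."""
    sessions = {}
    for line in text.splitlines():
        ts, rest = line.split(" ", 1)
        fields = {k: v.strip('"') for k, v in KV.findall(rest)}
        if fields.get("action") == "tunnel-up":
            fields["time"] = _ts(ts)
            sessions[fields["tunnelip"]] = fields
    return sessions


def hunt_rdp_from_vpn(vpn_text, events, window=timedelta(hours=12)):
    """Return RDP logons sourced from the VPN pool, scored on the tells described in the table."""
    sessions = parse_vpn_sessions(vpn_text)
    hits = []
    for ev in events:
        if ev["EventID"] != 4624 or ev["LogonType"] != 10:
            continue  # only interactive RDP logons
        if ipaddress.ip_address(ev["IpAddress"]) not in VPN_POOL:
            continue  # RDP from the LAN is out of scope for this hunt
        sess = sessions.get(ev["IpAddress"])
        t = _ts(ev["time"])
        if sess is None or not (sess["time"] <= t <= sess["time"] + window):
            continue  # no tunnel-up that could have produced this source address
        reasons = []
        if sess.get("mfa") == "no":
            reasons.append("vpn-login-without-mfa")
        if fnmatch(ev["WorkstationName"], "WIN-*"):
            reasons.append("default-workstation-name")
        if sess["user"].lower() != ev["TargetUserName"].lower():
            reasons.append("vpn-user-mismatch")  # tunnel owner and RDP account differ
        hits.append({"host": ev["Computer"], "user": ev["TargetUserName"], "vpn_user": sess["user"],
                     "remote_ip": sess["remip"], "score": sum(WEIGHTS[r] for r in reasons),
                     "reasons": reasons})
    hits.sort(key=lambda h: (-h["score"], h["host"]))
    return hits


if __name__ == "__main__":
    for h in hunt_rdp_from_vpn(VPN_LOG, LOGON_EVENTS):
        print(h)
```

Run against real data, the VPN parser is the part to replace with your appliance's export; the correlation key (tunnel IP plus a time window after tunnel-up) and the reasons list carry over unchanged. The `remote_ip` field in each hit is the external address to block at the gateway while the investigation continues.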
4) Privilege Escalation and Persistence
- UAC bypass via the CMSTPLUA COM interface, triggered by the encryptor's -uac switch; the elevated copy of the payload is spawned with DllHost.exe as its parent.
- Token impersonation and SeDebugPrivilege enabled inside the payload to access protected processes.
- ScreenConnect service creation (service name ScreenConnect Client, auto-start, running as LocalSystem) for remote persistence after VPN entry.

5) Tools Observed
Phase | Tool / Binary | What to hunt for |
---|---|---|
Recon | ShareFinder.ps1 , nltest.exe , net.exe | PowerShell script execution from unexpected admin boxes; rapid share enumeration |
Credential access | soc.dll (QDoor backdoor), LSASS dumps | WerFault.exe spawned in suspended state, UPX-packed DLLs |
Lateral movement | ScreenConnect, psexec , UNC copy | New ScreenConnect installs outside IT estate; sudden psexec to many hosts |
Exfiltration | WinRAR (split 5 GB volumes), FileZilla / fzsftp.exe | Large .rar chains in temp paths, outbound FTP or TON network traffic |
Impact | regsvr32.exe locker.dll , SafePay encryptor flags -network , -selfdelete , -enc=1 | .safepay extension, Defender disabled via GUI, vssadmin delete shadows |
6) Data Impact
SafePay runs a classic double extortion playbook. Data is compressed with WinRAR, shipped out via FTP or TON storage, and directory indexes on the leak portal let visitors browse or download archives. Encryption is partial-block ChaCha20, fast-threaded, and accompanied by anti-recovery commands (bcdedit /set recoveryenabled no).
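The privilege-escalation bullets, the "What to hunt for" column of the tools table and the anti-recovery commands above all reduce to checks over two telemetry sources: process creation and service installation. The script below is an added example, not code from the original post or from Strand Intelligence, that runs those checks over constructed records. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine, User) and the System log's Event ID 7045 (ServiceName, ImagePath, StartType, AccountName); the hostnames, the sample command lines and the RMM allowlist are assumptions, and the rule names are this example's own.

```python
"""Hunt process-creation and service-install telemetry for the SafePay behaviours described above.
Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine, User) and the System log's
Event ID 7045 (ServiceName, ImagePath, StartType, AccountName). All records are constructed."""
from collections import defaultdict
from pathlib import PureWindowsPath
import re

PROCESS_EVENTS = [  # constructed sample telemetry, not captured from an incident
    {"host": "FS01", "Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"regsvr32.exe C:\Users\Public\locker.dll", "User": "CORP\\jsmith"},
    {"host": "FS01", "Image": r"C:\Users\Public\1.exe", "ParentImage": r"C:\Windows\System32\DllHost.exe",
     "CommandLine": "1.exe -uac -network -selfdelete -enc=1", "User": "NT AUTHORITY\\SYSTEM"},
    {"host": "FS01", "Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Users\Public\1.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet", "User": "NT AUTHORITY\\SYSTEM"},
    {"host": "FS01", "Image": r"C:\Windows\System32\bcdedit.exe", "ParentImage": r"C:\Users\Public\1.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no", "User": "NT AUTHORITY\\SYSTEM"},
    {"host": "WS07", "Image": r"C:\Program Files\WinRAR\WinRAR.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"WinRAR.exe a -v5g C:\Temp\out.rar D:\Finance", "User": "CORP\\jsmith"},
    {"host": "WS07", "Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll", "User": "NT AUTHORITY\\SYSTEM"},
]
SERVICE_EVENTS = [  # constructed 7045 records; the service name prefix is the one named in section 4
    {"host": "FS01", "ServiceName": "ScreenConnect Client (1a2b3c4d)", "StartType": "auto start",
     "AccountName": "LocalSystem",
     "ImagePath": r"C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d)\ScreenConnect.ClientService.exe"},
    {"host": "IT-JUMP01", "ServiceName": "ScreenConnect Client (1a2b3c4d)", "StartType": "auto start",
     "AccountName": "LocalSystem",
     "ImagePath": r"C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d)\ScreenConnect.ClientService.exe"},
]

SAFEPAY_FLAGS = {"-uac", "-network", "-selfdelete"}  # from the tools table; -enc=N is matched by prefix
RMM_ALLOWLIST = {"IT-JUMP01"}  # assumed: hosts where IT legitimately installs ScreenConnect
WINDOWS_DIR = "c:\\windows\\"
DLL_PATH = re.compile(r'[a-z]:\\[^\s"]+\.dll')


def check_process(ev):
    """Return the hunting rules a single process-creation event trips (empty list if none)."""
    image = PureWindowsPath(ev["Image"]).name.lower()
    parent = PureWindowsPath(ev["ParentImage"]).name.lower()
    tokens = ev["CommandLine"].lower().split()
    rules = []
    # regsvr32 registering a DLL that does not live under the Windows directory (locker.dll)
    if image == "regsvr32.exe" and any(not p.startswith(WINDOWS_DIR) for p in DLL_PATH.findall(" ".join(tokens))):
        rules.append("regsvr32-dll-outside-windows")
    # two or more of the encryptor's own command-line switches on one process
    if sum(t in SAFEPAY_FLAGS or t.startswith("-enc=") for t in tokens) >= 2:
        rules.append("safepay-encryptor-flags")
    # CMSTPLUA UAC bypass: the elevated copy runs with DllHost.exe as parent, from a non-system path
    if parent == "dllhost.exe" and not ev["Image"].lower().startswith(WINDOWS_DIR):
        rules.append("dllhost-parent-uac-bypass")
    if image == "vssadmin.exe" and {"delete", "shadows"} <= set(tokens):
        rules.append("shadow-copy-deletion")
    if image == "bcdedit.exe" and {"recoveryenabled", "no"} <= set(tokens):
        rules.append("recovery-disabled")
    # WinRAR -v<size> splits the archive into volumes, as used for the 5 GB exfiltration chains
    if image == "winrar.exe" and any(t.startswith("-v") for t in tokens):
        rules.append("winrar-split-volumes")
    return rules


def check_service(ev):
    """Flag a ScreenConnect Client service installed on a host outside the RMM allowlist."""
    if ev["ServiceName"].startswith("ScreenConnect Client") and ev["host"] not in RMM_ALLOWLIST:
        return ["unexpected-screenconnect-service"]
    return []


def hunt(process_events, service_events):
    """Run every rule over both telemetry sources and return one finding per (event, rule)."""
    findings = []
    for ev in process_events:
        for rule in check_process(ev):
            findings.append({"host": ev["host"], "rule": rule, "user": ev["User"], "evidence": ev["CommandLine"]})
    for ev in service_events:
        for rule in check_service(ev):
            findings.append({"host": ev["host"], "rule": rule, "user": ev["AccountName"], "evidence": ev["ImagePath"]})
    return findings


def hosts_by_distinct_rules(findings):
    """Rank hosts by how many distinct rules they tripped; the top entry is where triage starts."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["rule"])
    return sorted(((h, len(r)) for h, r in per_host.items()), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    findings = hunt(PROCESS_EVENTS, SERVICE_EVENTS)
    for f in findings:
        print(f"{f['host']:10} {f['rule']:32} {f['user']:22} {f['evidence']}")
    print(hosts_by_distinct_rules(findings))
```

The benign regsvr32 and allowlisted ScreenConnect records are there to show that each rule keys on the combination the post describes (a DLL outside the Windows directory, an RMM service where IT does not deploy one) rather than on the binary name alone. Ranking by distinct rules rather than raw count keeps a single noisy host from drowning out one that shows the whole chain, which on the constructed data is FS01.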
Stay ahead of SafePay with Strand Intelligence
Time is critical once SafePay lands through your VPN. Strand Intelligence automatically traces VPN logins, detects ScreenConnect implants, and identifies data staged and exfiltrated by the group. Let Strand pinpoint SafePay's entry point, contain its persistence, and generate a full forensic report so you can recover quickly and patch the root cause.
