Overview

The first confirmed SafePay ransomware activity emerged in September 2024, and since its inception the group has consistently increased its monthly activity. In March 2025, SafePay ransomware was the fourth most active group, posting 43 confirmed victims to its dark web Data Leak Site (DLS). The group has actively targeted both public and private sectors worldwide, including significant targeting of organisations within the United States (US), Germany, and the United Kingdom (UK). Attacks against the US and Germany are often conducted in large waves of 10+ attacks a day.

SafePay ransomware operators are reported to gain initial access via victim endpoints through a VPN gateway using valid credentials, likely obtained through stealware or purchased from dark web markets. The group highly likely also conducts attacks via the exploitation of VPN vulnerabilities; however, no confirmed vulnerabilities are known at this time.

SafePay ransomware threat actors apply the double-extortion technique whereby they exfiltrate data prior to encryption. They demand payment in cryptocurrency and threaten to leak the stolen data on their leak site if the ransom is not paid.
