A new ransomware threat has emerged as one of 2025\u2019s most prolific cybercriminal operations, with SafePay ransomware claiming attacks against 73 victim organizations in June alone, followed by 42 additional victims in July.<\/p>\n
This surge has positioned SafePay as a significant threat actor that security teams worldwide must understand and prepare to defend against.<\/p>\n
Unlike traditional ransomware-as-a-service<\/a> (RaaS) models that rely on affiliate networks, SafePay operates as a closed, independent group that maintains strict operational security.<\/p>\n The group\u2019s rapid-fire attack methodology has proven remarkably effective, with more than 270 claimed victims documented throughout 2025.<\/p>\n Their operations target primarily mid-size and enterprise organizations across the United States, Germany, Great Britain, and Canada, focusing on industries critical to daily operations including manufacturing, healthcare, and construction.<\/p>\n The group\u2019s emergence can be traced back to September 2024, arising in the aftermath of significant law enforcement operations that dismantled ALPHV (Black Cat) and severely disrupted LockBit\u2019s infrastructure through Operation Cronos.<\/p>\n Bitdefender analysts identified<\/a> parts of the SafePay ransomware that complement functionalities associated with LockBit, specifically LockBit Black, though the groups operate with distinctly different methodologies and encryption processes.<\/p>\n SafePay demonstrates an alarming capability to execute complete attack chains within 24-hour periods, moving from initial access through encryption with devastating efficiency.<\/p>\n Their victim selection appears methodical, targeting organizations with revenues typically around $5 million, though outliers include entities with revenues exceeding $100 million and one victim surpassing $40 billion in revenue.<\/p>\n SafePay employs sophisticated technical approaches that distinguish it from other ransomware families.<\/p>\n The malware<\/a> utilizes the ChaCha20 encryption algorithm, implementing unique symmetric keys for each encrypted file while embedding additional keys directly within the ransomware executable.<\/p>\n This dual-key approach complicates recovery efforts and ensures that each victim\u2019s encryption remains uniquely secured.<\/p>\n The ransomware demonstrates advanced defense evasion capabilities, including debugger detection avoidance and the ability to terminate processes associated with anti-malware<\/a> functions.<\/p>\n Upon execution, SafePay<\/a> immediately begins removing volume shadow copies to prevent system restoration, then proceeds to encrypt files with the .safepay extension while deploying ransom notes named \u201creadme_safepay.txt\u201d in affected directories.<\/p>\n One notable technical characteristic involves the malware\u2019s geographic targeting logic.<\/p>\n SafePay performs language keyboard detection to identify systems using Cyrillic keyboards, preventing execution on these systems, suggesting potential Russian connections or alliances within the threat actor ecosystem.<\/p>\n The post SafePay Ransomware Claiming Attacks Over 73 Victim Organizations in a Single Month<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjcrOqW3qTkq0V8EZ93_M8BCJErevLnF3wzPx9rJ4bKzHAP-jttQMpGW_cHRU9HmsQQS7hHKcgUy2kEYcyJEqU8uitQXgOuKpcp_zNWZkyB752UXY-JyEXPxkTHXId3yObNNn2yv5218bhAR2MCTi7ZLtP4FsqzARNL12cgjXSFHTXqBUl-WfxDG91xAII\/s16000\/Most%2520affected%2520industries%2520%28Source%2520-%2520Bitdefender%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjIT8J_oJ1C7cAvY_joUhPqoVMPnnc5NKnI_FaOh9N_KZ4veWzuOrsf9YBB1l68xyulHdJgHm49_GY0jn3K76tQ6XsJTDrlz_E5b3oBZ-zABkokncNuq_5cUzmGMtBq6S_usj9b8WXTUAsLzrELQks0fOYG4t7WX_2WN2t7VtJBloq40yZAv8q5CHaLfuc\/s16000\/SafePay%25E2%2580%2599s%2520Victims%2520Claimed%2520Per%2520Day%2520%28Source%2520-%2520Bitdefender%29.webp?ssl=1\")
Encryption and Evasion Mechanisms<\/strong><\/h2>\n
Boost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n