MOXFIVE Threat Actor Spotlight - SafePay

SafePay is a ransomware operation first observed in September 2024. Unlike affiliate-based programs, it does not operate as  Ransomware-as-a-Service (RaaS) and instead functions as a closed, internally managed group. Since its emergence, SafePay has grown rapidly, with its leak site listing more than 300 victims.

The group employs a double-extortion model, exfiltrating data before encrypting systems to increase leverage during negotiations. SafePay activity has most frequently impacted technology and manufacturing organizations, with the United States accounting for the majority of confirmed victims. Its operations rely on compromised credentials and remote-access abuse for entry, followed by the use of native Windows utilities, open-source scripts, and commodity tools to conduct discovery, exfiltration, and encryption.

Figure 1: SafePay data leak site.

Key Highlights

Industries impacted by SafePay:

Since SafePay entered the threat landscape, they have primarily targeted technology and manufacturing and production organizations. These are followed by education, in addition to retail and hospitality, which together represent a significant portion of observed victims. Healthcare organizations have also been impacted, though at lower levels, maintaining a consistent presence among the group’s posted victims.
‍

Global lnsights:

Victims impacted by SafePay span across countries in multiple regions with the United States accounting for the largest share of confirmed activity. Germany followed as the second most impacted country, while Canada and the United Kingdom each represented smaller portions of observed victims. Australia was also affected, though at a lower level compared to other regions.
‍

Figure 2: Industries Impacted by SafePay

Initial Access:

Since emerging in late 2024, SafePay has primarily relied on exposed remote-access services and compromised credentials to gain entry to victim environments.

• ‍Valid Credentials: Access obtained using stolen, leaked, or purchased credentials for VPN portals, cloud consoles, and other remote-access authentication points.
• RDP Compromise: Compromised or exposed Remote Desktop Protocol (RDP) endpoints and weak or reused passwords used to gain interactive access to internal hosts.
• VPN and Edge Device Compromise: Misuse of VPN accounts and likely targeting of VPN or other internet-facing appliances and services, including remote desktop gateways and firewalls, as entry points.

Encryption and Exfiltration:

SafePay uses a double-extortion model. The threat actors’ stage and compress stolen data before exfiltrating it to infrastructure under their control. Following exfiltration, the ransomware encrypts files and leaves a ransom note on affected systems directing victims to a Tor-based negotiation site. Recovery mechanisms such as shadow copies are often deleted, and leak-site publication is used to escalate pressure when negotiations fail.
‍

Tooling and Execution:

SafePay threat actors combine native Windows utilities, open-source scripts, commodity tooling, and a bespoke encryptor to accelerate discovery, staging, exfiltration, and impact. Activity emphasizes automation, credential reuse, and removal of artifacts to limit detection and recovery.

• Execution: PowerShell, WMI, the Windows command shell, and remote execution tools are used to run collection scripts, deploy the encryptor, and automate impact across hosts.
• Persistence and Defense Evasion: New local administrator accounts are created, endpoint protections are disabled or tampered with, and logs and other artifacts are cleaned to reduce visibility.
• Credential Access: Credential dumping tools are used to extract and reuse credentials for privilege escalation and lateral movement.
• Discovery: Native enumeration commands and ShareFinder.ps1 identify domain relationships, network shares, and high-value file stores for collection and staging.
• Lateral Movement: Remote Desktop Protocol, SMB and administrative shares, and remote execution tools are used to access file servers and validate targets ahead of collection.
• Collection and Exfiltration: Files are staged and compressed with 7-Zip or WinRAR, then transferred to infrastructure under threat actor control using channels such as FTP/FileZilla or cloud-upload tools.
• Impact and Cleanup: A bespoke SafePay encryptor performs final encryption and appends the .safepay extension. Volume shadow copies and other recovery artifacts are deleted prior to or during encryption.
• Extortion: Stolen data is posted to a Tor-hosted leak site and used to escalate pressure when negotiations fail.

If you would like to know more about SafePay or need assistance with incident response efforts, please contact us at 833-568-6695 or email our team at incident@moxfive.com.