
Summary
SafePay is a double-extortion ransomware that steals data before encrypting it, appending “.safepay” to files and dropping the note readme_safepay.txt. All observed intrusions begin with valid-credential logins through SSL-VPN appliances (most often misconfigured FortiGate or similar gateways that either lack MFA or allow local accounts to bypass it). After entry, the actors move laterally with built-in Windows tools, archive loot with WinRAR, transfer it via FileZilla or SFTP, then launch an encryptor derived from leaked LockBit code. The payload deletes shadow copies, blocks Windows recovery, and supports network propagation.
Background
First spotted: October 2024
Growth: By November 2024 the leak site listed 22 victims. At the time of writing this post, 26th May 2025, SafePay has become one of the most active ransomware groups, publishing multiple victims a day.
Victimology: More than 50 organisations across the United States, Germany, and the United Kingdom, with spikes of 10-plus disclosures per day targeting manufacturing, business services, and education.
Business model: Indicators point to a small core team offering a closed operation based on repurposed LockBit source, evidenced by identical command-line flags and ChaCha20 + x25519 encryption routines. Their dark web data leak site claims they do not run Ransomware-as-a-service.
Attack Vector
Privilege Escalation and Persistence
UAC bypass via the CMSTPLUA COM interface, triggered by the -uac switch in the encryptor; the elevated process is spawned with DllHost.exe as its parent.
Token impersonation and SeDebugPrivilege enabled inside the payload to access protected processes.
ScreenConnect service creation (ScreenConnect Client, auto-start, LocalSystem) for remote persistence after VPN entry.
Tools Observed
| Phase | Tool / Binary | What to hunt for |
|---|---|---|
| Recon | ShareFinder.ps1, nltest.exe, net.exe | PowerShell script execution from unexpected admin boxes; rapid share enumeration |
| Credential access | soc.dll (QDoor backdoor), LSASS dumps | WerFault.exe spawned in suspended state; UPX-packed DLLs |
| Lateral movement | ScreenConnect, psexec, UNC copy | New ScreenConnect installs outside the IT estate; sudden psexec to many hosts |
| Exfiltration | WinRAR (split 5 GB volumes), FileZilla / fzsftp.exe | Large .rar chains in temp paths; outbound FTP or TOR network traffic |
| Impact | regsvr32.exe locker.dll; SafePay encryptor flags -network, -selfdelete, -enc=1 | .safepay extension; Defender disabled via GUI; vssadmin delete shadows |
Data Impact
SafePay runs a classic double extortion playbook. Data is compressed with WinRAR, shipped out via FTP or TON storage, and directory indexes on the leak portal let visitors browse or download archives. Encryption is partial-block ChaCha20, fast and multi-threaded, and accompanied by anti-recovery commands (bcdedit /set recoveryenabled no).
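The privilege-escalation behaviours, the "What to hunt for" column of the tools table and the anti-recovery commands above translate directly into hunting rules. The following is an added example (not Strand's tooling, not SafePay code, and not real telemetry) that runs such rules over a handful of constructed process-creation and service-install events. The event shape and field names, the hostnames and paths, the psexec fan-out threshold and the exact command lines are all assumptions made for the demo; the indicators themselves (ShareFinder.ps1, the DllHost.exe parent with -uac, the ScreenConnect Client service, split-volume WinRAR, fzsftp.exe, regsvr32.exe with locker.dll and the -network/-selfdelete/-enc=1 flags, vssadmin delete shadows, bcdedit recoveryenabled no) come from the post.

```python
"""Hunting rules built from the SafePay tradecraft described in the post.

Added example, not Strand's detections or SafePay's code. Event shape, field
names, thresholds, hostnames and every sample command line are constructed.
"""
import re
from collections import defaultdict

# Constructed events in a normalised shape (roughly Sysmon EID 1 for process
# creation, System EID 7045 for service installs). Nothing here is real data.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ADMIN-WS", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -ep bypass -File C:\Users\jdoe\ShareFinder.ps1"},
    {"type": "service", "host": "FS01", "service": "ScreenConnect Client",
     "start": "auto", "account": "LocalSystem"},
    {"type": "process", "host": "FS01", "parent": "cmd.exe", "image": "rar.exe",
     "cmdline": r"rar.exe a -v5g C:\Windows\Temp\f.rar \\FS01\Finance"},
    {"type": "process", "host": "FS01", "parent": "explorer.exe", "image": "fzsftp.exe",
     "cmdline": "fzsftp.exe"},
] + [
    # Four psexec UNC copies from one admin box: the "sudden psexec to many hosts" pattern.
    {"type": "process", "host": "ADMIN-WS", "parent": "cmd.exe", "image": "psexec.exe",
     "cmdline": rf"psexec.exe \\{t} -s cmd /c copy \\FS01\tools\locker.dll C:\Windows\Temp"}
    for t in ("WS01", "WS02", "WS03", "WS04")
] + [
    {"type": "process", "host": "WS01", "parent": "DllHost.exe", "image": "regsvr32.exe",
     "cmdline": r"regsvr32.exe C:\Windows\Temp\locker.dll -uac -network -selfdelete -enc=1"},
    {"type": "process", "host": "WS01", "parent": "regsvr32.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "host": "WS01", "parent": "regsvr32.exe", "image": "bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"type": "process", "host": "WS02", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe readme.txt"},  # benign control event
]


def _cmd(pattern):
    """Build a case-insensitive predicate over the event's command line."""
    rx = re.compile(pattern, re.I)
    return lambda e: bool(rx.search(e["cmdline"]))


# (rule name, kill-chain phase, predicate over one process event)
PROCESS_RULES = [
    ("ShareFinder recon script", "Recon", _cmd(r"sharefinder\.ps1")),
    ("UAC bypass: DllHost.exe parent with -uac switch", "Privilege escalation",
     lambda e: e["parent"].lower() == "dllhost.exe" and bool(re.search(r"\s-uac\b", e["cmdline"], re.I))),
    ("SafePay locker launch (regsvr32 + locker.dll or known flags)", "Impact",
     _cmd(r"regsvr32(\.exe)?\b.*\blocker\.dll|\s-(network|selfdelete|enc=1)\b")),
    ("Shadow copy deletion", "Impact", _cmd(r"\bvssadmin(\.exe)?\s+delete\s+shadows")),
    ("Windows recovery disabled", "Impact", _cmd(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no")),
    ("WinRAR split-volume staging", "Exfiltration", _cmd(r"\b(win)?rar(\.exe)?\s+a\b.*\s-v\d+[kmg]?\b")),
    ("FileZilla SFTP helper", "Exfiltration", lambda e: e["image"].lower() == "fzsftp.exe"),
]
PSEXEC_FANOUT = 3  # assumed threshold: distinct psexec targets from a single source host


def hunt(events):
    """Run every rule over the events and return a list of findings."""
    findings = []
    psexec_targets = defaultdict(set)
    for e in events:
        if e["type"] == "service":
            if ("screenconnect" in e["service"].lower() and e["start"] == "auto"
                    and e["account"].lower() == "localsystem"):
                findings.append({"rule": "ScreenConnect auto-start service as LocalSystem",
                                 "phase": "Persistence", "host": e["host"], "evidence": e["service"]})
            continue
        for name, phase, pred in PROCESS_RULES:
            if pred(e):
                findings.append({"rule": name, "phase": phase, "host": e["host"], "evidence": e["cmdline"]})
        if e["image"].lower().startswith("psexec"):
            m = re.search(r"\\\\([\w.-]+)", e["cmdline"])  # first \\TARGET in the command line
            if m:
                psexec_targets[e["host"]].add(m.group(1).upper())
    for src, targets in psexec_targets.items():
        if len(targets) >= PSEXEC_FANOUT:
            findings.append({"rule": "psexec fan-out to many hosts", "phase": "Lateral movement",
                             "host": src, "evidence": ", ".join(sorted(targets))})
    return findings


def phases_by_host(findings):
    """Map each host to the sorted kill-chain phases seen on it, for triage ordering."""
    out = defaultdict(set)
    for f in findings:
        out[f["host"]].add(f["phase"])
    return {h: sorted(p) for h, p in out.items()}


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['phase']}] {f['host']}: {f['rule']} <- {f['evidence']}")
    print(phases_by_host(hunt(SAMPLE_EVENTS)))
```

Hosts that already show an Impact finding (here WS01, where the locker, vssadmin and bcdedit all fire) are the ones to isolate first; a host showing only Recon or Lateral movement findings (ADMIN-WS) is the likely operator foothold and the place to look for the VPN account that was used.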
Stay ahead of SafePay with Strand Intelligence
Time is critical once SafePay lands through your VPN. Strand Intelligence automatically traces VPN logins, detects ScreenConnect implants, and identifies data staged and exfiltrated by the group. Let Strand pinpoint SafePay’s entry point, contain its persistence, and generate a full forensic report so you can recover quickly and patch the root cause.
Written by
Oli
The Strand team specializes in digital forensics, incident response, and cybersecurity threat analysis.