SafePay ransomware has compromised over 260 victims in various nations.

A new ransomware threat has emerged as one of the most aggressive cybercriminal operations of 2025, with SafePay Ransomware claiming responsibility for over 265 successful attacks across multiple continents. The group, which first appeared in September 2024 with limited activity targeting just over 20 victims, has dramatically escalated its operations since early 2025, establishing itself as a formidable force in the global ransomware landscape.

Unlike traditional Ransomware-as-a-Service operations that rely on affiliate networks, SafePay operates as a centralised threat actor, conducting attacks directly through its own infrastructure and personnel. This operational model has enabled the group to maintain tighter control over its campaigns while executing sophisticated double-extortion schemes that combine data encryption with the threatened publication of stolen sensitive information on dark web leak sites.

The geographic distribution of SafePay’s victims reveals a calculated targeting strategy focused primarily on developed economies, with the United States bearing the brunt of the attacks, followed by Germany, the United Kingdom, Australia, Canada, and various countries throughout Latin America and the Asia-Pacific region.

SafePay Ransomware demonstrates particular effectiveness against manufacturing, technology, education, and business services sectors, although no industry appears immune to its reach. Healthcare, transportation, finance, and public services organisations have also fallen victim to the group’s operations, indicating an opportunistic rather than sector-specific targeting approach.

Analysts have identified that SafePay deliberately avoids targeting organisations within Commonwealth of Independent States countries through an embedded language detection mechanism. The malware contains hardcoded checks that cause immediate termination if the infected system is configured for Armenian, Azerbaijani, Belarusian, Georgian, Kazakh, Russian, or Ukrainian languages, suggesting the operators seek to avoid prosecution within these jurisdictions.

SafePay’s technical sophistication is evident through its multi-layered persistence and defence evasion strategies, employing legitimate remote access tools such as ConnectWise ScreenConnect to maintain long-term network presence and reduce the likelihood of detection by endpoint protection systems.
