SafePay — Ransomware Threat Analysis & Defender Playbook Prepared by CyberDudeBivash Threat Intelligence — updated Aug 31, 2025 (IST)

Executive summary

SafePay is a fast-rising double-extortion ransomware operation first widely reported in late 2024. It appends the .safepay extension and drops readme_safepay.txt, with victims funneled to a Tor portal for negotiation. In 2025 it rapidly climbed league tables (hundreds of posted victims), with repeated targeting of MSPs/SMBs and heavy pressure tactics (spam “email bombs” + vishing). Reporting differs on whether SafePay is a classic RaaS or a closed crew—the group’s own site has stated “not RaaS,” while other vendors track affiliate-style behavior. (Sources: Huntress, ransomware.live, Acronis, Barracuda Blog, Medium, Halcyon)

Scale & momentum. Open trackers show ~300+ posted victims through Aug 29, 2025 (varies by source and methodology). Vendors consistently place SafePay among the most active crews in 1H-2025. (Sources: ransomware.live, Quorum Cyber, Check Point Software)


Who/what is SafePay (2024–2025 profile)

  • First public sightings: Oct–Nov 2024 (Huntress IR); by Q1-2025 SafePay was a top-10 active group. (Sources: Huntress, Check Point Software)
  • Victimology: concentration in the U.S. and Germany; notable MSP exposure cascades to downstream clients. (Sources: Medium, Acronis)
  • Business model: mixed reporting — SafePay’s portal claims not RaaS, while other research frames activity as RaaS-like with frequent victim disclosures and affiliate-style ops. Treat attribution carefully. (Sources: Medium, Halcyon)
  • Headline case: claim of the Ingram Micro breach (July 2025) with multi-terabyte theft, underscoring supply-chain risk. (Source: Dark Reading)

Technical tradecraft & attack chain (MITRE ATT&CK)

Initial access — TA0001

  • Edge/VPN weaknesses: real-world breaches traced to FortiGate policy misconfiguration that allowed local accounts to authenticate to VPN and bypass MFA; weak admin passwords compounded impact. (Source: NCC Group)
  • Credential & IAB routes: password spraying against VPNs; valid-account abuse. (Source: Medium)
  • Social pressure: large-scale spam “email bombs” against staff and phone calls (vishing) to force negotiations. (Source: Barracuda Blog)

Persistence / Priv-Esc / Discovery — TA0003/TA0004/TA0007

  • RMM for foothold: creation of a ScreenConnect service for access; QDoor backdoor observed in intrusions. (Source: NCC Group)
  • AD & shares: targeted discovery of shares (e.g., SharpShares), domain escalation to DA, then rapid staging. (Source: Medium)

Lateral movement / C2 — TA0008/TA0011

  • RDP/SMB push of the encryptor (e.g., start C:\1.exe -pass=<…> -path=\\host\C$ -enc=1). (Source: NCC Group)

Exfiltration — TA0010

  • Archive-and-ship: operators compress critical data with WinRAR; multi-hundred-GB thefts observed; transport varies by affiliate. (Source: Medium)

Impact (Encryption) — TA0040 / T1486

  • On-disk markers: .safepay extension + readme_safepay.txt note. (Source: Huntress)
  • Arguments & behavior: requires -pass to decrypt embedded config/keying material; supports percent/intermittent encryption via -enc (e.g., 10% chunks). Executes shadow-copy deletion and boot-recovery suppression (vssadmin, wmic shadowcopy, bcdedit). (Source: NCC Group)
  • Crypto design: Windows-focused encryptor written in C with asynchronous Overlapped I/O; selects AES-CBC when AES-NI is present, otherwise ChaCha20; per-file keys derived with Curve25519; 80-byte metadata appended. (Earlier samples had a Cyrillic-language kill-switch; newer analyses did not observe it.) (Source: Medium)

Artifacts & IOCs (use behavior over hashes)

  • Files/notes: readme_safepay.txt and *.safepay across many directories. (Source: Huntress)
  • Process/CLI tells: SafePay launched with -pass, -enc, -path, -network, -selfdelete; Restart-Manager-like handle kills preceding encryption. (Source: NCC Group)
  • Anti-recovery sequence: vssadmin delete shadows /all /quiet → wmic shadowcopy delete → bcdedit tweaks. (Source: NCC Group)
  • Infrastructure hints: Tor portal noted in multiple cases; operators may use ScreenConnect services and QDoor C2. (Source: NCC Group)

Detection & hunting (quick wins you can deploy today)

Identity/edge

  • Alert on VPN auth by local accounts and admin logons without MFA; watch for FortiGate/SSL-VPN policy drifts enabling local+LDAP auth. (Source: NCC Group)

Endpoint / EDR

  • Chain detection: shadow-copy deletion → service/process stops → mass file renames/writes → readme_safepay.txt.
  • Look for SafePay-style CLI usage (-pass/-enc/-path). (Source: NCC Group)
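The endpoint chain above, expressed as correlation logic you can run over exported telemetry. This is an added example written for this playbook, not code from NCC Group, Huntress or any other cited vendor. The log format (ISO timestamp|host|kind|detail), the 30-minute correlation window, the severity rules and matching "bcdedit /set" as the boot-recovery tweak are assumptions; the event lines are constructed, not from a real incident.

```python
"""Correlate the SafePay impact chain from endpoint telemetry.

Added example for this playbook, not code from NCC Group, Huntress or any
other cited vendor. It scores per-host sequences of constructed Sysmon-style
events against the stages listed above: shadow-copy deletion, bcdedit tweaks,
SafePay-style CLI switches and the on-disk markers.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# stage -> (event kind, pattern). Patterns follow the page's tells; matching
# "bcdedit /set" for the boot-recovery tweak is an assumption (the page only
# says "bcdedit tweaks"), so widen or narrow it for your environment.
STAGES = {
    "shadow_delete": ("process", re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    "boot_recovery": ("process", re.compile(r"\bbcdedit(\.exe)?\s+/set\b", re.I)),
    # -pass= together with -enc= or -path= on the same command line
    "safepay_cli": ("process", re.compile(r"(?=.*\s-pass=)(?=.*\s-(enc|path)=)", re.I)),
    "ransom_marker": ("file", re.compile(r"(readme_safepay\.txt|\.safepay)$", re.I)),
}
WINDOW = timedelta(minutes=30)  # assumed correlation window; the page gives no figure

SAMPLE_EVENTS = [  # constructed telemetry in the form ISO_TS|host|kind|detail
    "2025-08-29T02:10:05|FS01|process|vssadmin.exe delete shadows /all /quiet",
    "2025-08-29T02:10:07|FS01|process|wmic.exe shadowcopy delete",
    "2025-08-29T02:10:09|FS01|process|bcdedit.exe /set {default} recoveryenabled no",
    r"2025-08-29T02:11:30|FS01|process|cmd.exe /c start C:\1.exe -pass=REDACTED -path=\\FS01\C$ -enc=1",
    r"2025-08-29T02:14:02|FS01|file|C:\Shares\Finance\readme_safepay.txt",
    r"2025-08-29T02:14:03|FS01|file|C:\Shares\Finance\Q3.xlsx.safepay",
    "2025-08-29T09:00:00|WS22|process|bcdedit.exe /set {current} safeboot minimal",  # lone admin change
    r"2025-08-29T09:30:00|WS22|file|C:\Users\amy\notes.txt",
]


def parse(line):
    """Split one constructed log line into (timestamp, host, kind, detail)."""
    ts, host, kind, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, kind, detail


def classify(kind, detail):
    """Return the stage names an event matches (usually zero or one)."""
    return [name for name, (k, rx) in STAGES.items() if k == kind and rx.search(detail)]


def severity(stages):
    """The SafePay switches alone are specific enough to page on; otherwise
    require at least two stages so a lone admin vssadmin/bcdedit does not alert."""
    if "safepay_cli" in stages or {"shadow_delete", "ransom_marker"} <= stages:
        return "high"
    if len(stages) >= 2:
        return "medium"
    return None


def correlate(lines, window=WINDOW):
    """Return {host: finding} for hosts whose stages inside one window alert."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, kind, detail = parse(line)
        for stage in classify(kind, detail):
            by_host[host].append((ts, stage))

    findings = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        best_stages, best_span = set(), None
        for i, (t0, _) in enumerate(hits):  # slide the window over each start hit
            in_win = [(t, s) for t, s in hits[i:] if t - t0 <= window]
            stages = {s for _, s in in_win}
            if len(stages) > len(best_stages):
                best_stages, best_span = stages, (t0, in_win[-1][0])
        sev = severity(best_stages)
        if sev:
            findings[host] = {"severity": sev, "stages": sorted(best_stages),
                              "first": best_span[0].isoformat(), "last": best_span[1].isoformat()}
    return findings


if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_EVENTS), indent=2))
```

Running it flags FS01 at high severity with all four stages inside four minutes and stays silent on WS22, whose single bcdedit change scores below the threshold. Feed it real Sysmon Event ID 1 and 11 (or EDR) exports reduced to the same four fields; the "service/process stops" step from the chain is left out here because it needs product-specific event types.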

Network

  • Spikes of RDP and SMB Admin$ pushes from a single host; unusual RAR archive creation followed by high-volume egress. (Sources: NCC Group, Medium)

User-pressure signals

  • Bursts of 3k+ spam emails within ~45 minutes to staff; help-desk vishing post-encryption. Coordinate SOC + IT comms. (Source: Barracuda Blog)
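The email-bomb figure above (roughly 3,000 messages to one mailbox inside ~45 minutes) as a sliding-window detection over mail-gateway logs. This is an added example for this playbook, not Barracuda's or any other vendor's code. The log format (ISO timestamp, recipient, sender) is an assumption and the messages are generated inline as constructed sample data.

```python
"""Flag email-bomb bursts per recipient in mail-gateway telemetry.

Added example for this playbook, not vendor code. It applies the page's
threshold (about 3,000 inbound messages to one mailbox within ~45 minutes)
as a sliding window over constructed gateway log lines.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 3000                 # messages, from the page
WINDOW = timedelta(minutes=45)   # from the page


def parse_line(line):
    """Parse 'ISO_TS recipient sender' (constructed gateway format)."""
    ts, rcpt, sender = line.split(" ", 2)
    return datetime.fromisoformat(ts), rcpt.lower(), sender.lower()


def peak_windows(lines, window=WINDOW):
    """For each recipient return (peak_count, window_start, distinct_senders),
    where peak_count is the most messages seen in any window-sized span."""
    by_rcpt = defaultdict(list)
    senders = defaultdict(set)
    for line in lines:
        ts, rcpt, sender = parse_line(line)
        by_rcpt[rcpt].append(ts)
        senders[rcpt].add(sender)

    result = {}
    for rcpt, times in by_rcpt.items():
        times.sort()
        peak, start, j = 0, None, 0
        for i, t0 in enumerate(times):
            # two-pointer sweep: j is the first timestamp outside [t0, t0 + window]
            while j < len(times) and times[j] - t0 <= window:
                j += 1
            if j - i > peak:
                peak, start = j - i, t0
        result[rcpt] = (peak, start, len(senders[rcpt]))
    return result


def email_bomb_alerts(lines, threshold=THRESHOLD, window=WINDOW):
    """Recipients whose peak window count reaches the threshold."""
    return {r: v for r, v in peak_windows(lines, window).items() if v[0] >= threshold}


def make_sample():
    """Constructed data: 3,200 sign-up confirmations from many lists hit one
    mailbox inside 40 minutes, while a second mailbox receives normal mail."""
    base = datetime(2025, 8, 29, 14, 0)
    lines = []
    for i in range(3200):
        ts = base + timedelta(seconds=i * 0.75)          # 3,200 x 0.75 s = 40 min
        lines.append(f"{ts.isoformat()} finance@example.com noreply{i % 400}@list{i % 37}.example")
    for i in range(20):
        ts = base + timedelta(minutes=i * 10)
        lines.append(f"{ts.isoformat()} ops@example.com partner@example.org")
    return lines


if __name__ == "__main__":
    for rcpt, (count, start, nsenders) in email_bomb_alerts(make_sample()).items():
        print(f"{rcpt}: {count} messages from {nsenders} senders starting {start.isoformat()}")
```

The distinct-sender count is the useful second signal: a genuine mailing-list storm comes from one or two senders, whereas a bomb fans in from hundreds of unrelated sign-up forms. Alerts should reach the SOC and the help desk together, since the page notes vishing calls tend to follow the flood.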

Mitigation priorities (what actually reduces risk)

  1. FortiGate/VPN hardening: disallow local accounts for VPN auth; enforce MFA on all admins; audit policies after firmware updates. (Source: NCC Group)
  2. RMM control: default-deny new ScreenConnect/AnyDesk installs; inventory and alert on first-seen RMM services. (Source: NCC Group)
  3. Credential hygiene: rotate privileged passwords; block password spraying; conditional access with FIDO2/WebAuthn. (Source: Medium)
  4. Exfil choke points: restrict server SFTP/HTTP POST egress; DLP for RAR archives; Tor egress blocking. (Source: Medium)
  5. Resilience: offline/immutable backups; protect hypervisors & backup servers; practice double-extortion comms. (Many 2025 victims recovered without paying.) (Source: IT Pro)

Rapid response playbook (print-ready)

  1. Contain — disable suspicious VPN sessions; isolate staging hosts; block Tor/SFTP from servers.
  2. Preserve — snapshot VMs; collect FortiGate/VPN, AD, EDR, email-gateway logs; mirror any exfil endpoints.
  3. Hunt — search for readme_safepay.txt / *.safepay, SafePay CLI args, vssadmin + bcdedit combos, RDP/SMB push patterns, ScreenConnect services, QDoor beacons. (Source: NCC Group)
  4. Eradicate — fix VPN policy; rotate creds; remove new admins/services/scheduled tasks; de-install rogue RMM.
  5. Recover — restore from immutable backups on segmented networks; throttle egress; validate with canary files.
  6. Notify — regulators & law enforcement as required; prepare disclosure if leak-site post appears.
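A host-side helper for the Hunt and Recover steps above: it sweeps a tree for the on-disk markers the page lists (readme_safepay.txt, *.safepay) and verifies canary files by SHA-256 so a restore can be checked before hosts go back on the network. This is an added example for this playbook, not code from any cited vendor; the canary file name and content are assumptions, and the sample directory tree is constructed in a temporary folder.

```python
"""Marker sweep and canary verification for the Hunt / Recover steps.

Added example for this playbook, not vendor code. sweep() reports directories
holding the page's markers; plant_canaries()/check_canaries() give a simple
integrity check for validating restored shares.
"""
import hashlib
import os
import tempfile

NOTE_NAME = "readme_safepay.txt"   # from the page
EXT = ".safepay"                   # from the page
CANARY_NAME = "zz_canary.docx"     # assumed name; any ordinary-looking document works


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root):
    """Return {directory: {"notes": n, "encrypted": m}} for every directory
    under root that holds a ransom note or files carrying the extension."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        notes = sum(1 for f in files if f.lower() == NOTE_NAME)
        encrypted = sum(1 for f in files if f.lower().endswith(EXT))
        if notes or encrypted:
            hits[dirpath] = {"notes": notes, "encrypted": encrypted}
    return hits


def plant_canaries(dirs, content=b"canary-v1 do not edit\n"):
    """Write one canary per directory; keep the returned {path: sha256}
    baseline somewhere the file servers cannot reach."""
    baseline = {}
    for d in dirs:
        p = os.path.join(d, CANARY_NAME)
        _write(p, content)
        baseline[p] = hashlib.sha256(content).hexdigest()
    return baseline


def check_canaries(baseline):
    """Return [(path, status)] for canaries that are not intact: 'encrypted'
    if the .safepay sibling exists, 'missing' if gone, 'modified' if changed."""
    problems = []
    for p, digest in baseline.items():
        if not os.path.exists(p):
            status = "encrypted" if os.path.exists(p + EXT) else "missing"
            problems.append((p, status))
        elif sha256_file(p) != digest:
            problems.append((p, "modified"))
    return problems


def build_sample_tree():
    """Constructed fixture: a clean share and one showing the markers."""
    root = tempfile.mkdtemp(prefix="safepay-hunt-")
    clean = os.path.join(root, "Shares", "HR")
    hit = os.path.join(root, "Shares", "Finance")
    os.makedirs(clean)
    os.makedirs(hit)
    baseline = plant_canaries([clean, hit])
    _write(os.path.join(clean, "policy.docx"), b"unchanged content")
    # Finance only: note dropped, data file and canary renamed with the extension
    _write(os.path.join(hit, NOTE_NAME), b"constructed placeholder note\n")
    _write(os.path.join(hit, "Q3.xlsx" + EXT), b"\x00" * 16)
    os.rename(os.path.join(hit, CANARY_NAME), os.path.join(hit, CANARY_NAME) + EXT)
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_sample_tree()
    print(sweep(root))
    print(check_canaries(baseline))
```

Point sweep() at restored volumes before reconnecting them and keep the canary baseline off the file servers; a canary that comes back "encrypted" or "modified" means the restore point itself was taken after impact began.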

Sources / further reading

  • Huntress (Nov 2024): first public write-up; .safepay + readme_safepay.txt
  • DCSO CyTec (May 27 2025): deep technical analysis: region focus, vishing/email-bomb tactics, crypto (AES-NI→AES-CBC else ChaCha20), -pass/-enc, metadata. (Medium)
  • NCC Group DFIR (2025): FortiGate policy MFA bypass route, ScreenConnect/QDoor, SafePay CLI & anti-recovery sequence, percent encryption internals.
  • Acronis TRU (Jul 8 2025): surge in 2025, MSP targeting.
  • Barracuda (Jul 25 2025): email bombs + vishing and high-pressure extortion.
  • Check Point / Quorum Cyber / SOCRadar (2025): activity rankings and timeline context.
  • Dark Reading (Jul 31 2025): Ingram Micro claim & ransom deadline reporting.
  • Ransomware.live tracker: running victim count & recency stats (changes daily).

#CyberDudeBivash #SafePay #Ransomware #DoubleExtortion #MSPSecurity #FortiGate #VPN #ScreenConnect #DFIR #XDR #MITREATTACK #ThreatIntel
