SafePay Ransomware Hits 73 Organizations in Just One Month

SafePay, an emerging ransomware group, has rapidly ascended from obscurity to notoriety in 2025. In June alone, the group claimed responsibility for attacks on 73 organizations, topping Bitdefender’s Threat Debrief rankings for the month.

July saw another surge, with 42 victims added to its toll. With more than 270 claimed victims to date this year, SafePay’s clandestine methods and rejection of the ransomware-as-a-service (RaaS) model mark it as a uniquely dangerous actor in the cyber-crime ecosystem.

SafePay first appeared in September 2024, shortly after global law enforcement disrupted the ALPHV (BlackCat) operation and seized LockBit infrastructure during Operation Cronos.

Initial forensic analysis revealed code similarities between SafePay and LockBit Black, particularly the use of the ChaCha20 encryption algorithm.

However, SafePay diverges in key respects: it generates a unique symmetric key for each file and embeds a master key within the ...