SafePay Ransomware Strikes 260+ Victims Across Multiple Countries

The SafePay ransomware organization has quickly become a powerful operator since its initial detection in September 2024, marking a startling increase in the cyber threat scenario.

Unlike predominant ransomware-as-a-service (RaaS) models that rely on affiliates for dissemination and profit-sharing, SafePay operates autonomously, with its core developers directly orchestrating intrusions and extortion campaigns.

This self-contained approach has enabled the group to claim responsibility for over 265 victims globally by early 2025, marking a sharp increase from just over 20 targets in 2024.

Self-Operated Ransomware Threat

The group’s double-extortion strategy involves not only encrypting victims’ files with robust algorithms but also exfiltrating sensitive data for leverage, threatening publication on a dedicated Dark Web leak site (DLS) if cryptocurrency ransoms remain unpaid.

SafePay’s aggressive tactics have disrupted operations across diverse sectors, underscoring the evolving sophistication of non-affiliate ransomware operations that prioritize precision and evasion over widespread affiliate-driven proliferation.

Emerging almost undetected ...