
SafePay Ransomware Uses RDP and VPN Access to Infiltrate Organizational Networks


SafePay ransomware has become one of the most active and destructive threat actors in Q1 2025, a shocking development in the cybersecurity scene.

According to the Acronis Threat Research Unit (TRU), SafePay has aggressively targeted over 200 victims worldwide, including managed service providers (MSPs) and small-to-midsize businesses (SMBs) across diverse industries.

Unlike many ransomware groups that operate under a ransomware-as-a-service (RaaS) model with affiliates, SafePay maintains centralized control over its operations, infrastructure, and negotiations.

Figure: SafePay ransomware sample analyzed

A Rapid Rise to Infamy in Q1 2025

This strategic approach, combined with recycled yet highly effective tactics, has enabled the group to execute devastating attacks, such as the recent disruption of Ingram Micro, a global distributor serving thousands of partners and MSPs.

SafePay’s rapid ascent and sophisticated methods highlight a growing challenge for organizations striving to protect their networks from such insidious threats.

SafePay, first identified in 2024 with over ...


Copyright of this story solely belongs to gbhackers.