active threat profile
type: ransomware
threat_level: high
status: active
origin: Eastern Europe / Russia (assessed)
last_updated: 2026-03-26

SafePay

also known as: SafePay (no cross-vendor alias as of March 2026); LockBit Black derivative (code lineage — not an alias)

SafePay is a centralized, closed ransomware operation — not a RaaS — that first appeared in September 2024 and accelerated to become the world's most active ransomware group in May 2025. Built on code sharing significant similarities with the leaked LockBit 3.0 (LockBit Black) builder, SafePay manages all attack phases in-house: initial access, lateral movement, exfiltration, encryption, and ransom negotiation. Its July 2025 attack on Ingram Micro — one of the world's largest IT distributors — brought the group to international attention. By early 2026, SafePay had claimed over 400 victims in under 18 months of operation.

attributed origin: Eastern Europe / Russia (assessed — early Cyrillic kill-switch; CIS country avoidance; TON blockchain use)
operational model: Centralized — no affiliates; all operations in-house; self-described on leak site as non-RaaS
first observed: September 2024 (first activity); first publicly documented November 2024 by Huntress
primary motivation: Financial — double extortion; all proceeds retained by core group
primary targets: SMBs, MSPs, IT Distributors, Manufacturing, Healthcare, Construction, Legal, Financial Services
confirmed victims: 452 confirmed attacks in 2025 (Flashpoint 2026 Global Threat Intelligence Report); 400+ total claimed as of early 2026; #1 globally by volume in May 2025 (70 claimed per NCC Group Q2 2025 report); peak month June 2025 (73 victims per Bitdefender); US 174 / Germany 80 / UK 25 / Canada 24 / Australia 13 (Ransomware.live, March 2026)
mitre att&ck group: Unassigned (no formal G-number as of March 2026)
cisa advisory: None issued as of March 2026
threat level: HIGH — no law enforcement disruption; 24-hour breach-to-encryption window

Overview

SafePay emerged in September 2024 — into the vacuum left by Operation Cronos (February 2024 LockBit takedown) and the ALPHV exit scam — and within eight months had surpassed every other active ransomware group in monthly victim volume. It reached its first major public milestone in November 2024 when Huntress published the first technical analysis of two customer incidents. The Ingram Micro attack in July 2025 brought SafePay to mainstream attention.

What makes SafePay structurally unusual in the 2025 ransomware landscape is its explicit rejection of the affiliate model. The group's own leak site states it is not a RaaS operation. There is no public affiliate recruitment on cybercriminal forums, no profit-sharing structure with external operators, and no public advertising of the group's services. The fact that SafePay reached the #1 position globally without affiliates indicates a well-resourced, disciplined core team executing operations at volume internally — a deliberate OPSEC strategy contrasting with the forum-visible, affiliate-dependent model that exposed LockBit and ALPHV to law enforcement infiltration.

The code lineage is established but nuanced. Analysis by Acronis, Huntress, and Bitdefender confirmed SafePay's ransomware binary shares significant structural similarities with LockBit 3.0 (LockBit Black) — including the UAC bypass via CMSTPLUA, multi-threaded encryption architecture, and the decryption routine structure. AttackIQ and ProvenData additionally identified code elements resembling ALPHV/BlackCat and INC ransomware alongside the LockBit components, suggesting the operators drew from multiple leaked builders rather than exclusively LockBit Black. Encryption scheme reporting differs between early and later analyses: Huntress's November 2024 first-look reported ChaCha20; Acronis TRU's subsequent sample analysis confirmed AES+RSA. Both may reflect accurate observations across different sample versions. The binary is a DLL requiring regsvr32.exe or rundll32.exe for execution, and critically requires a mandatory -pass= command-line argument to decrypt internal strings before execution — a design choice that defeats automated sandbox detonation since the sample will not run without the correct password. SafePay is assessed as operationally independent from LockBit: the groups run entirely different models (closed vs. open RaaS), and no shared infrastructure or personnel have been confirmed. Code overlap reflects deliberate reuse from leaked builders, not a successor relationship.

An important operator lineage assessment — distinct from the code lineage question — comes from Red Sense co-founder Yelisey Boguslavskiy, who investigated SafePay for a TLP:RED report and assessed the group as a post-Conti operation. Boguslavskiy concluded that SafePay operators employ "standard Conti TTPs," likely include former Conti members, and that SafePay's emergence in fall 2024 was "the primary reason for BlackBasta's dissolution and the subsequent Basta leaks" — with SafePay assessed as having siphoned key talent from Black Basta as that group fragmented. This is a separate claim from the LockBit code analysis and carries different evidentiary weight: it is a moderate-confidence intelligence assessment from a TLP:RED report, not a confirmed technical finding. Notably, Boguslavskiy told Infosecurity Magazine that SafePay's locker is "custom-built and brand new, not a Conti or LockBit derivative" — reconciling both assessments: the binary may draw from leaked builder code while the operators themselves carry Conti operational heritage. SafePay's Conti-style social engineering techniques (described below in TTPs) add supporting weight to this lineage assessment.

Early SafePay samples included a Cyrillic keyboard language kill-switch — preventing execution on CIS country systems — consistent with Eastern European or Russian origin and standard jurisdictional self-protection. This kill-switch was removed in later builds, expanding the potential target pool. The group also integrates TON (The Open Network, Telegram's decentralized internet) as an additional communication and ransom channel alongside its Tor DLS — a relatively novel choice among ransomware operators.

MSP and supply chain risk

SafePay explicitly targets managed service providers and IT distributors — organizations whose compromise cascades to downstream clients. The Ingram Micro attack affected partners and customers across the US, Europe, and Asia simultaneously. The October 2024 Microlise attack disabled fleet tracking for DHL and removed tracking and panic alarms from Serco prisoner transport vehicles — downstream effects from a single vendor compromise. Organizations that rely on MSPs or IT distributors should evaluate those vendors' security posture as part of their own risk assessment.

Target Profile

SafePay's targeting is financially opportunistic. The group prioritizes organizations with exposed VPN and RDP endpoints, weak or purchasable credentials, and sufficient revenue to pay meaningful ransoms — rather than applying strict sector mandates.

  • Managed Service Providers and IT Distributors: The highest-leverage target class. A single MSP breach can provide access to dozens of client environments simultaneously. Ingram Micro represents the group's most impactful confirmed victim — a global distributor serving thousands of downstream reseller and MSP partners across multiple continents. SafePay's early victim profile was heavily weighted toward MSPs and IT service companies, suggesting deliberate upstream targeting strategy rather than purely opportunistic scanning.
  • Manufacturing and Construction: Confirmed as SafePay's highest-volume target sectors by DLS disclosure counts. Manufacturing organizations often face OT/IT convergence pressures to restore quickly, and construction firms hold sensitive project data, client PII, and financial records with significant dark web value.
  • Healthcare: Healthcare providers appear consistently across the victim list. HIPAA exposure and patient care continuity requirements create strong payment pressure. SafePay's sub-24-hour breach-to-encryption window is particularly dangerous for healthcare environments where detection and IR cycles may not be fast enough to evict the threat before encryption.
  • Legal and Financial Services: Law firms and financial institutions hold extraordinarily sensitive client data including litigation strategy, confidential settlements, and financial records — sectors where the regulatory and reputational consequences of a public breach are severe enough to drive payment even when technical recovery is possible.
  • Geographic concentration: The United States is the primary target, with current Ransomware.live data showing 174 confirmed US victims, followed by Germany (80) and the United Kingdom (25), Canada (24), and Australia (13). Flare's January 2026 analysis of 500 SafePay leak records showed US at 158 victims, Germany at 76. Earlier July 2025 figures (US 96, Germany 46, UK 12 per Infosecurity Magazine / Ransomware.live at that time) reflect the rapid growth in victim count through H2 2025. In Q1 2025, SafePay accounted for 24% of all reported ransomware victims in Germany — the highest percentage for any single ransomware group in any country tracked in Check Point's Q1 2025 State of Ransomware report, suggesting deliberate German campaign prioritization. In March and April 2025, SafePay conducted what researchers described as coordinated waves of 10+ attacks per day against German-based organizations. Canada is also a significant documented target country.

Tactics, Techniques & Procedures

TTPs sourced from Huntress incident response analysis (November 2024), Acronis TRU sample analysis, Bitdefender Threat Debrief (June 2025), ThreatLocker Intelligence (November 2025), and Picus Security analysis (February 2026). SafePay's consistent, repeated TTP pattern across incidents — even as volume scaled significantly — reflects centralized operational coordination rather than diverse affiliate behavior.

MITRE ATT&CK ID and technique: description
T1078 Valid Accounts: Primary initial access method. SafePay obtains valid VPN or RDP credentials through stealware, dark web purchase, or OSINT-assisted brute force — using Shodan to identify exposed endpoints and Apollo to map employee names for targeted password spraying (e.g., johndoecompanyname123 patterns). The Ingram Micro breach was confirmed as entering via the company's Palo Alto GlobalProtect VPN gateway using leaked credentials — the most specific public confirmation of a VPN platform targeted by SafePay. In both Huntress-analyzed incidents, all threat actor IP addresses were in the internal VPN range — no external-origin traffic, no new accounts created, no persistence deployed before encryption. This makes initial access detection dependent entirely on credential monitoring and behavioral analytics.
T1021.001 Remote Services: RDP: RDP used for interactive access after VPN credential access is established. Notably, SafePay does not enable RDP where it does not already exist — the group works with existing access rather than creating new remote access paths, keeping the tool footprint minimal and avoiding common new-service-installation alerts.
T1566 / T1204 Social Engineering: Teams / Quick Assist Delivery: A second documented initial access chain — assessed as Conti-heritage tradecraft by Red Sense — involves spam-flooding the target organization, then calling the victim posing as their IT department via Microsoft Teams while the target is panicking about the spam. Attackers, impersonating independent third-party IT vendors, ask the victim to share screen access via Microsoft Quick Assist for a "security review." Once remote access is granted, operators drop a PowerShell script and maintain network presence for up to a week for reconnaissance, followed by a further week of slow lateral movement toward exfiltration targets. This technique bypasses VPN credential requirements entirely and is distinct from the credential-based initial access chain — representing a second, socially-engineered entry path documented by Red Sense threat intelligence (July 2025).
T1046 Network Service Discovery: ShareFinder.ps1 (Invoke-ShareFinder from the open-source PowerTools/Veil-PowerView project) used to enumerate all accessible SMB shares across the domain immediately post-access. The script maps the network and feeds accessible share paths directly into the encryption process. Execution is typically among the first post-access actions — observed within minutes of initial RDP connection in Huntress-analyzed incidents. Google Cloud / Mandiant additionally documented SafePay staging NETSCAN on multiple hosts via SMB in at least one 2025 incident — providing a broader network mapping capability alongside ShareFinder.
T1548.002 Abuse Elevation: Bypass UAC: UAC bypass via the CMSTPLUA COM interface — shared with LockBit and ALPHV/BlackCat, and a direct indicator of LockBit Black code lineage. The SafePay binary supports a -uac command-line flag to trigger elevated ShellExecuteW via DllHost.exe invoking CMSTPLUA. Token impersonation and SeDebugPrivilege escalation also documented. DLLHost.exe invoking CMSTPLUA is a reliable SafePay detection signal for EDR behavioral rules.
T1562.001 Impair Defenses: Disable Tools: Windows Defender disabled using systemsettingsadminflows.exe — a LOTL technique that makes the change appear as a legitimate Windows Settings GUI action. Additional PowerShell commands modify Defender policies. The encryptor contains a hardcoded encrypted kill list of services and processes terminated before encryption runs, including SQL Server, Oracle, Firefox, Excel, OneNote, Outlook, Steam, Access databases, and backup/AV services.
T1560.001 Archive Collected Data: WinRAR: WinRAR used to archive files for exfiltration, with command-line arguments uncommon in legitimate WinRAR use (detectable via Sigma rules). FileZilla installed for FTP-based exfiltration alongside WinRAR archiving. Both tools are installed, used, then uninstalled — and the install-use-uninstall cycle is repeated across multiple sessions, minimizing on-disk artifact duration. Rclone and 7-Zip have also been documented as exfiltration tools.
T1041 Exfiltration Over C2: Data exfiltrated to SafePay-controlled infrastructure via FileZilla (FTP) and Rclone before encryption. The RDP clipboard is also used for small transfers. SafePay maintains presence on both the Tor network (DLS) and TON (The Open Network, Telegram-developed) for ransom communications — providing a decentralized, Tor-independent secondary channel.
T1490 Inhibit System Recovery: VSS shadow copies deleted via wmic shadowcopy delete. Boot configuration tampered via bcdedit to disable Windows Recovery Environment, preventing system recovery on reboot. Event logs cleared to hinder forensic analysis. Third-party backup software services explicitly terminated via the hardcoded kill list. In some documented incidents, operators changed all administrator passwords before initiating encryption — locking the victim organization out of its own infrastructure simultaneously with the encryption phase, eliminating the possibility of real-time credential-based intervention. In Huntress-analyzed incidents, the full sequence from RDP reconnection to encryption initiation completed in under 15 minutes.
T1486 Data Encrypted for Impact: SafePay encryptor is a PE32 DLL with fake compilation timestamp, sometimes compressed with UPX. Uses ChaCha20 with a custom symmetric/asymmetric key generation scheme that differs from LockBit's standard pattern despite shared code lineage. Creates a per-victim mutex to prevent multiple instances. Encrypted files carry the .safepay extension. Drops readme_safepay.txt ransom note containing Tor DLS link, TON site link, and a victim client ID. Ransom notes begin: "Greetings! Your corporate network was attacked by SafePay team."
T1070 Indicator Removal: WinRAR and FileZilla uninstalled after each use. PowerShell history cleared. Post-encryption cleanup removes remaining tools. The install-use-uninstall pattern repeated across multiple sessions reduces the static artifact footprint available to incident responders and makes timeline reconstruction more difficult.
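The T1078 entry above notes that SafePay's actor traffic sits entirely inside the internal VPN range, so the only pre-encryption chance to catch the initial access is credential and login-behaviour analytics on the gateway itself. The following is an added example (not from Huntress or any vendor cited here) that scores VPN logins for the signals this profile names: unexpected geography, new device, off-hours use, and a success that follows a password spray from the same source. The log line format, field names, thresholds and every sample line are constructed assumptions.

```python
"""Score VPN gateway logins for the credential-anomaly signals this profile
associates with SafePay initial access: unexpected geography, new device,
off-hours use and a success that follows a password spray from the same source.

Added example for this profile, not the output of any vendor product. The log
line format, field names, thresholds and all sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) "
    r"src=(?P<src>\S+) geo=(?P<geo>\S+) device=(?P<device>\S+)$")
BUSINESS_HOURS = range(7, 20)          # assumed: 07:00-19:59 on weekdays
SPRAY_WINDOW = timedelta(minutes=30)   # assumed look-back for failures per source
SPRAY_MIN_USERS = 5                    # distinct users failing from one source
ALERT_THRESHOLD = 2                    # minimum score to surface a login

def parse(line):
    """Parse one constructed gateway log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def build_baseline(history):
    """Known geos and devices per user, learned from successful logins."""
    base = defaultdict(lambda: {"geo": set(), "device": set()})
    for ev in history:
        if ev["result"] == "success":
            base[ev["user"]]["geo"].add(ev["geo"])
            base[ev["user"]]["device"].add(ev["device"])
    return base

def score_logins(events, baseline):
    """Return [(ts, user, score, reasons)] for successful logins at or above threshold."""
    failures = defaultdict(list)   # src -> [(ts, user)] of failed attempts
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            failures[ev["src"]].append((ev["ts"], ev["user"]))
            continue
        known = baseline.get(ev["user"], {"geo": set(), "device": set()})
        reasons = []
        if ev["geo"] not in known["geo"]:
            reasons.append(("new_geo:" + ev["geo"], 2))
        if ev["device"] not in known["device"]:
            reasons.append(("new_device:" + ev["device"], 2))
        if ev["ts"].hour not in BUSINESS_HOURS or ev["ts"].weekday() >= 5:
            reasons.append(("off_hours", 1))
        sprayed = {u for t, u in failures[ev["src"]] if ev["ts"] - t <= SPRAY_WINDOW}
        if len(sprayed) >= SPRAY_MIN_USERS:   # one source, many accounts, then a success
            reasons.append(("success_after_spray:%d_users" % len(sprayed), 3))
        score = sum(w for _, w in reasons)
        if score >= ALERT_THRESHOLD:
            flagged.append((ev["ts"], ev["user"], score, [r for r, _ in reasons]))
    return flagged

def analyze(history_text, new_text):
    """Learn a baseline from history_text, then score the logins in new_text."""
    hist = [e for e in map(parse, history_text.splitlines()) if e]
    new = [e for e in map(parse, new_text.splitlines()) if e]
    return score_logins(new, build_baseline(hist))

# Constructed sample: a June baseline, then a July 2 spray from one TEST-NET
# source ending in a success, plus a benign login and a travel login.
HISTORY = """
2025-06-10T08:12:44Z vpn-gw1 auth user=jdoe result=success src=198.51.100.7 geo=US device=lt-jdoe
2025-06-12T09:03:10Z vpn-gw1 auth user=jdoe result=success src=198.51.100.9 geo=US device=lt-jdoe
2025-06-11T07:55:02Z vpn-gw1 auth user=asmith result=success src=198.51.100.20 geo=US device=lt-asmith
"""
NEW = "\n".join(
    ["2025-07-02T23:%02d:01Z vpn-gw1 auth user=%s result=failure src=203.0.113.45 geo=RO device=unknown-7f3a"
     % (20 + i, u) for i, u in enumerate(["jdoe", "asmith", "bwong", "clee", "dpatel", "efox"])]
    + ["2025-07-02T23:41:05Z vpn-gw1 auth user=jdoe result=success src=203.0.113.45 geo=RO device=unknown-7f3a",
       "2025-07-03T09:05:00Z vpn-gw1 auth user=asmith result=success src=198.51.100.20 geo=US device=lt-asmith",
       "2025-07-03T14:30:00Z vpn-gw1 auth user=jdoe result=success src=203.0.113.80 geo=DE device=lt-jdoe"])
```

The spray-then-success login scores 8 and the travel login scores 2 on a single reason, which is the tuning point: a known device from a new country is worth a ticket, while a new device from a new country after a spray is worth a page.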

Known Campaigns

Microlise — UK Telematics October 2024

SafePay's first high-profile confirmed attack targeted Microlise, a UK-based telematics company providing fleet tracking and vehicle management services to major logistics and transport operators. The attack exfiltrated approximately 1.2 TB of data with a ransom demand issued within less than 24 hours of breach detection — establishing SafePay's hallmark sub-24-hour attack timeline. The downstream impact extended well beyond Microlise: the attack disabled fleet tracking for DHL shipments and removed tracking capabilities and panic alarms from Serco prisoner transport vehicles, highlighting the supply chain risk inherent in targeting transportation technology vendors.

Conduent — Business Process Services January 2025

SafePay attacked Conduent, a major business process services provider that handles payment processing and mailroom services for government agencies and healthcare organizations. The breach took systems offline for several days, disrupting services for downstream clients including government payers and healthcare facilities. The data breach ultimately compromised information belonging to over 25 million individuals — affecting employees of Volvo Group, members of Premera Blue Cross and Humana, and policyholders across multiple Blue Cross Blue Shield branches. Notifications to affected individuals began approximately nine months after the breach was discovered, with the confirmed victim count continuing to grow through the audit process.

Ingram Micro — Global IT Distributor July 3, 2025

SafePay attacked Ingram Micro — one of the world's largest IT product distributors, serving thousands of reseller partners and MSPs across more than 60 countries — beginning July 2–3, 2025. Initial access was via the company's GlobalProtect VPN gateway using valid stolen credentials. Ingram Micro's website, online ordering systems, AI-powered Xvantage distribution platform, and Impulse licensing platform went offline, disrupting operations across the US, Europe, and Asia. The company confirmed detecting ransomware on July 6, engaged external cybersecurity experts, and restored full global operations by July 9 — approximately six days after the initial attack. SafePay listed Ingram Micro on its DLS with an August 1, 2025 deadline, claiming 3.5 TB of stolen data. The downstream impact extended to thousands of channel partners whose ordering workflows depended on Ingram Micro's platform. In January 2026, Ingram Micro confirmed a data breach affecting 42,521 employees and applicants — disclosing that data exfiltrated between July 2–3 included names, contact information, dates of birth, Social Security numbers, driver's license numbers, passport numbers, and employment-related information. Notifications to affected individuals began approximately six months after the breach.

German Coordinated Campaign March–April 2025

In March and April 2025, security researchers documented what appeared to be coordinated 24-hour targeting campaigns by SafePay specifically against Germany-based organizations across multiple sectors. The concentration of German victims in compressed time windows — suggesting deliberate geographic campaign planning — is notable because it contrasts with the purely opportunistic scanning model typical of credential-based initial access groups. Germany is SafePay's second-most targeted country by disclosed victim count after the United States.

Tools & Malware

  • SafePay encryptor (PE32 DLL): Custom-developed ransomware with significant code overlap with LockBit 3.0 (LockBit Black), plus elements resembling ALPHV/BlackCat and INC ransomware (AttackIQ, ProvenData). The binary is a DLL requiring regsvr32.exe or rundll32.exe for execution. Critically requires a mandatory -pass= command-line argument to decrypt internal strings at startup — a sandbox evasion design that prevents automated detonation without the correct password. Strings and import function names stored entirely in encrypted format; library names and function addresses resolved dynamically at runtime via LoadLibrary and GetProcAddress. Encryption: early samples use ChaCha20 (Huntress, 2024); Acronis TRU analysis confirmed AES+RSA in analyzed builds — both observations may reflect different sample versions. Fake compilation timestamp. UPX-compressed in some builds. Per-victim mutex for single-instance enforcement. Encrypted files carry .safepay extension. Drops readme_safepay.txt ransom note. Hardcoded encrypted kill list for services and processes. Early builds contained Cyrillic language kill-switch; removed in later versions. ESXi targeting documented (Red Sense assessment of Conti-heritage operators).
  • ShareFinder.ps1: Open-source PowerShell script (Invoke-ShareFinder from Veil-PowerView) used for SMB share enumeration immediately post-access. Maps the accessible network and feeds share paths to the encryption process. Previously documented in Emotet and Conti (C0015 campaign) operations — a well-known LOTL tool with a detectable behavioral signature.
  • WinRAR / 7-Zip: Data archiving tools used to package files for exfiltration. Command-line arguments are uncommon in legitimate user WinRAR behavior, making the execution pattern detectable via Sigma rules. Both tools are installed and uninstalled per session.
  • FileZilla: FTP client used for data exfiltration to SafePay-controlled servers. Installed and uninstalled alongside WinRAR in the same session cycle. The repeated install-use-uninstall behavior is itself a behavioral detection indicator.
  • Rclone: Cloud sync tool used as an alternative exfiltration channel to C2 infrastructure.
  • NETSCAN: Network scanning tool documented by Google Cloud / Mandiant in a 2025 SafePay incident, staged across multiple hosts via SMB alongside ShareFinder.ps1. Provides broader network topology discovery beyond SMB share enumeration — identifying live hosts, services, and open ports for lateral movement planning.
  • Shodan / Apollo: OSINT tools used in the reconnaissance phase — Shodan for identifying exposed VPN and RDP endpoints, Apollo for mapping employee names and email patterns to construct targeted password spray wordlists.
  • TON (The Open Network) site: SafePay is one of the few ransomware groups maintaining a presence on TON — Telegram's decentralized internet — as a secondary ransom communication channel alongside the standard Tor DLS. The TON site link appears in the readme_safepay.txt ransom note.
  • systemsettingsadminflows.exe: Legitimate Windows binary abused to disable Windows Defender settings via the Settings GUI, making the action appear as a user-initiated configuration change rather than a malicious process.

Indicators of Compromise

IOCs sourced from Huntress incident analysis (November 2024), ThreatLocker Intelligence (November 2025), Acronis TRU, and Bitdefender. No government advisory has been issued for SafePay as of March 2026. The Huntress blog post at huntress.com/blog/its-not-safe-to-pay-safepay includes full file hashes and Sigma detection rules for the toolchain.

indicators of compromise — SafePay (structural and behavioral)
File extension: .safepay — appended to all encrypted files
Ransom note: readme_safepay.txt — dropped per directory; begins "Greetings! Your corporate network was attacked by SafePay team"; includes Tor DLS link and TON site link
Behavior: ShareFinder.ps1 (Invoke-ShareFinder) execution — SMB share enumeration immediately post-access; presence in temp directories or admin shares is a high-confidence indicator
Behavior: DLLHost.exe invoking CMSTPLUA COM object — UAC bypass shared with LockBit and ALPHV; reliable detection signal for SafePay privilege escalation
Behavior: systemsettingsadminflows.exe disabling Defender settings — LOTL AV evasion; alert on Defender configuration changes via this binary outside approved change management
Tool pattern: WinRAR / FileZilla install-use-uninstall cycle — repeated across sessions; WinRAR CLI arguments with large archive creation from sensitive paths; FileZilla execution outside approved software list
Behavior: bcdedit /set {default} recoveryenabled No — disables Windows Recovery; alert on bcdedit modifications outside approved change management windows alongside wmic shadowcopy delete
Behavior: Bulk administrator password changes prior to encryption — SafePay locks victims out of their own infrastructure before deploying the encryptor; alert on mass password resets across privileged accounts in compressed timeframes
Social engineering: Microsoft Teams calls from unrecognized accounts claiming to be IT/vendors + Quick Assist remote access request — Conti-heritage initial access technique; train help desk and employees to reject unsolicited Quick Assist sessions regardless of caller identity
Behavior: wmic shadowcopy delete — VSS removal immediately before encryption; alert as P0 incident requiring immediate IR engagement
Hashes: Full sample hashes and Sigma detection rules: Huntress blog — huntress.com/blog/its-not-safe-to-pay-safepay (November 2024); ThreatLocker blog — threatlocker.com/blog/safepay-ransomware-explained-iocs-ttps-and-defense-strategies (November 2025)

Mitigation & Defense

SafePay's attack chain has a narrow but accessible detection window — the gap between initial VPN access and encryption completion. The 24-hour attack timeline means response must be fast; the consistent TTP pattern means behavioral detections are reliable.

  • Train staff to reject unsolicited Microsoft Teams / Quick Assist requests: Red Sense documented a Conti-heritage social engineering chain in which SafePay spam-floods the victim, then calls posing as IT department via Microsoft Teams offering to "resolve" the spam issue — requesting Quick Assist remote access. This technique bypasses all VPN and MFA controls. Train every employee — and especially help desk staff — that legitimate internal IT teams will never request Quick Assist or equivalent remote control during an unsolicited outreach. Implement a callback verification procedure: if receiving an unexpected IT call, hang up and call the IT department back using an independently verified number before granting any access.
  • Know SafePay's sanctions sensitivity before negotiating: Red Sense intelligence assessed SafePay as "very risk-averse when it comes to sanctions" — willing to drop ransom demands significantly (to $100,000–$300,000) when victims credibly communicate that paying would create sanctions liability. If your organisation operates in a sanctions-sensitive sector or has been designated in any sanctions program, document this clearly and communicate it in any negotiation. This is one of the few documented pressure points against SafePay's financial model.
  • Harden VPN and RDP credential security: SafePay's primary initial access path is valid credentials on exposed VPN gateways or RDP endpoints — obtained through stealware, dark web purchase, or targeted password spraying. Enforce MFA on all VPN and RDP access. Monitor for authentication anomalies including off-hours logins, new device access, and credential use from unexpected geographies. Credential monitoring services that alert on enterprise email addresses appearing in breach data provide early warning before SafePay actors can use those credentials.
  • Alert on ShareFinder.ps1 execution: SafePay consistently runs ShareFinder.ps1 immediately post-access. The presence of this script in temp directories or admin shares — or execution of Invoke-ShareFinder commands — is a high-confidence pre-encryption indicator. Huntress published Sigma rules for detecting this behavior pattern; implement them in your SIEM. At the volume SafePay operates, this behavioral signature is one of the most reliable early detections available.
  • Monitor for CMSTPLUA COM invocation by DLLHost.exe: SafePay's UAC bypass via CMSTPLUA is shared with LockBit and ALPHV and is a well-documented detection opportunity. DLLHost.exe invoking CMSTPLUA COM objects outside standard system activity should trigger an immediate alert. This fires before Windows Defender is disabled and before encryption begins — making it one of the earliest high-confidence signals available.
  • Alert on WinRAR and FileZilla outside approved software inventory: SafePay consistently uses WinRAR and FileZilla for data staging and exfiltration, installing and uninstalling them per session. Both tools executing on systems where they are not in the approved software allowlist — especially with large archive creation or FTP upload activity — should trigger immediate investigation. The install-use-uninstall cycle itself is a detectable behavioral pattern even without the tools being flagged as malicious.
  • Treat wmic shadowcopy delete as a P0 event: VSS shadow copy deletion immediately precedes encryption in SafePay operations. Any invocation of wmic shadowcopy delete or vssadmin delete shadows outside an approved backup maintenance window should be escalated immediately — not queued for review. This event fires within minutes of encryption starting; IR response in this window can still prevent or contain encryption.
  • Assess MSP and IT distributor risk in your supply chain: SafePay explicitly targets MSPs and IT distributors as high-leverage upstream access points. If your organization relies on an MSP for management or an IT distributor for software licensing and procurement, that vendor's compromise is a risk to your environment. Include MSP and key vendor security assessments in your third-party risk program. Ensure your MSP's access to your environment uses MFA and follows least-privilege principles — compromised MSP credentials with broad access to client environments are a SafePay preferred entry point.
  • Implement network segmentation for SMB shares: ShareFinder.ps1 maps accessible SMB shares across the domain, feeding the encryption process. Minimizing which systems can reach which SMB shares — through proper network segmentation and access controls — limits what SafePay can enumerate and encrypt once inside. Domain-joined systems should not have unrestricted SMB access to each other without a legitimate business requirement documented in your access control policy.
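The behavioral indicators in the IOC table and the alerting items above are individually noisy (WinRAR runs on plenty of workstations) but, in SafePay incidents, they arrive on the same host in a fixed order inside a window of minutes. The following is an added example (not code from Huntress, ThreatLocker or any other vendor cited here) that correlates those signals across constructed Sysmon-like process events and Windows password-reset events, de-duplicates them into chain stages per host, and assigns a priority in which shadow-copy deletion, bcdedit recovery tampering or a burst of admin password resets is P0. The event dict shape, the CMSTPLUA CLSID (taken from public UAC-bypass write-ups, not from this profile), the thresholds and the sample events are assumptions.

```python
"""Correlate SafePay behavioural signals (TTP, IOC and mitigation sections)
across process-creation and account events and assign an escalation priority.

Added example for this profile, not code from any cited vendor. Events are a
constructed Sysmon-like dict shape; field names, thresholds and sample data
are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# CMSTPLUA COM CLSID from public UAC-bypass write-ups (not from the profile);
# dllhost.exe hosts it as /Processid:{CLSID}.
CMSTPLUA_CLSID = "{3e5fc7f9-9a51-4367-9063-a120244fbec7}"
# Tools that should only run when present in the approved-software allowlist.
UNAPPROVED_TOOLS = {"winrar.exe", "rar.exe", "filezilla.exe", "rclone.exe", "7z.exe"}
PASSWORD_RESET_EVENT = 4724   # Windows Security: password reset attempted on an account
MASS_RESET_THRESHOLD = 5      # resets by one subject inside RESET_WINDOW (assumed)
RESET_WINDOW = timedelta(minutes=10)

def classify(ev):
    """Map one process-creation event to a SafePay chain stage, or None."""
    img = ev["image"].lower().rsplit("\\", 1)[-1]
    cmd = ev["cmdline"].lower()
    if "invoke-sharefinder" in cmd or "sharefinder.ps1" in cmd:
        return "recon_sharefinder"
    if img == "dllhost.exe" and (CMSTPLUA_CLSID in cmd or "cmstplua" in cmd):
        return "uac_bypass_cmstplua"
    if img == "systemsettingsadminflows.exe":
        return "defender_disable"
    if img in UNAPPROVED_TOOLS:
        return "unapproved_tool"
    if img in ("wmic.exe", "vssadmin.exe") and "shadow" in cmd and "delete" in cmd:
        return "recovery_inhibited"
    if img == "bcdedit.exe" and "recoveryenabled" in cmd and re.search(r"\bno\b", cmd):
        return "recovery_inhibited"
    return None

def correlate(events, window=timedelta(hours=24)):
    """Return {host: {"priority", "stages", "first", "last"}} for hosts with hits."""
    hits = defaultdict(list)     # host -> [(ts, stage)], chronological
    resets = defaultdict(list)   # (host, subject) -> reset timestamps in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event_id") == PASSWORD_RESET_EVENT:
            q = resets[(ev["host"], ev["subject"])]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > RESET_WINDOW:   # slide the window forward
                q.pop(0)
            if len(q) >= MASS_RESET_THRESHOLD:
                hits[ev["host"]].append((ev["ts"], "mass_password_reset"))
            continue
        stage = classify(ev)
        if stage:
            hits[ev["host"]].append((ev["ts"], stage))
    findings = {}
    for host, seen in hits.items():
        last = seen[-1][0]
        recent = [(t, s) for t, s in seen if last - t <= window]
        stages = []
        for _, s in recent:          # de-duplicate, preserving chain order
            if s not in stages:
                stages.append(s)
        if "recovery_inhibited" in stages or "mass_password_reset" in stages:
            prio = "P0"   # encryption is minutes away: page IR now, no review queue
        elif len(stages) >= 2:
            prio = "P1"   # two chain stages inside one window: active intrusion
        else:
            prio = "P2"   # single signal: investigate within the shift
        findings[host] = {"priority": prio, "stages": stages,
                          "first": recent[0][0], "last": last}
    return findings

# Constructed sample: an off-hours chain on FS01, mass resets on DC01, a lone
# WinRAR extraction on WS07. Timestamps are invented.
T0 = datetime(2025, 7, 3, 2, 10)

def _ev(host, mins, image, cmdline, **extra):
    d = {"host": host, "ts": T0 + timedelta(minutes=mins), "image": image, "cmdline": cmdline}
    d.update(extra)
    return d

SAMPLE_EVENTS = [
    _ev("FS01", 0, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -ep bypass -f C:\Users\Public\ShareFinder.ps1"),
    _ev("FS01", 3, r"C:\Windows\System32\dllhost.exe",
        "dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"),
    _ev("FS01", 5, r"C:\Windows\ImmersiveControlPanel\SystemSettingsAdminFlows.exe",
        "SystemSettingsAdminFlows.exe Defender"),
    _ev("FS01", 40, r"C:\Program Files\WinRAR\WinRAR.exe", r"WinRAR.exe a -r D:\stage\hr.rar \\FS01\HR$"),
    _ev("FS01", 55, r"C:\Program Files\FileZilla FTP Client\filezilla.exe", "filezilla.exe"),
    *[_ev("DC01", 90 + i, "", "", event_id=4724, subject="svc_backup") for i in range(6)],
    _ev("FS01", 100, r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    _ev("FS01", 101, r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    _ev("WS07", 600, r"C:\Program Files\WinRAR\WinRAR.exe", r"WinRAR.exe x report.rar"),
]
```

On the sample, FS01 walks the full chain and escalates to P0 at the wmic call, DC01 reaches P0 on the sixth reset by one subject, and WS07's single WinRAR run stays P2 for same-shift review.
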

24-hour window — speed matters

SafePay completes the full attack chain — initial access to encryption — in under 24 hours in documented incidents. The Huntress-analyzed cases show the encryption phase itself beginning within 15 minutes of the operator reconnecting via RDP for the final stage. This timeline leaves no room for manual triage processes or next-business-day response. Organizations in SafePay's target profile should have automated alerts for the behavioral signals above configured to trigger 24/7 escalation, not business-hours review queues.

Sources & Further Reading

— end of profile — last updated 2026-03-26