A new ransomware threat has emerged as one of the most aggressive cybercriminal operations of 2025, with SafePay ransomware claiming responsibility for over 265 successful attacks spanning multiple continents.

The group, which first appeared in September 2024 with limited activity targeting just over 20 victims, has dramatically escalated its operations since early 2025, establishing itself as a formidable force in the global ransomware landscape.

Unlike traditional ransomware-as-a-service operations that rely on affiliate networks, [SafePay](https://cybersecuritynews.com/safepay-ransomware-leverages-rdp-and-vpn/) operates as a centralized threat actor, conducting attacks directly through its own infrastructure and personnel.

*SafePay Ransomware's data leak site (DLS) (Source — SOCRadar)*

This operational model has enabled the group to maintain tighter control over its campaigns while executing double-extortion schemes that combine data encryption with the threatened publication of stolen sensitive information on dark web leak sites.

The geographic distribution of SafePay's victims reveals a calculated targeting strategy focused primarily on developed economies. The United States bears the brunt of the attacks with 103 confirmed victims, nearly 40% of all known cases, followed by Germany with 47 documented incidents. Additional targets span the United Kingdom, Australia, Canada, and various countries throughout the Latin America and Asia-Pacific regions.

SOCRadar analysts [identified](https://socradar.io/dark-web-profile-safepay-ransomware/) that SafePay deliberately avoids targeting organizations within Commonwealth of Independent States countries through an embedded language detection mechanism. The malware contains hardcoded checks that cause immediate termination if the infected system is configured for Armenian, Azerbaijani, Belarusian, Georgian, Kazakh, Russian, or Ukrainian languages, suggesting the operators seek to avoid prosecution within these jurisdictions.

The ransomware demonstrates particular effectiveness against the manufacturing, technology, education, and business services sectors, though no industry appears immune to its reach. Healthcare, transportation, finance, and public services organizations have also fallen victim to the group's operations, indicating an opportunistic rather than sector-specific targeting approach.

## Advanced Persistence and Evasion Mechanisms

SafePay's technical sophistication becomes apparent through its multi-layered [persistence](https://cybersecuritynews.com/detecting-and-responding-to-new-nation-state-persistence-techniques/) and defense evasion strategies.

*Simplified Cyber Kill Chain diagram of SafePay Ransomware (Source — SOCRadar)*

The malware employs legitimate remote access tools such as ConnectWise ScreenConnect to maintain long-term network presence, installing these applications as persistent services that blend in with legitimate administrative activity. This approach significantly reduces the likelihood of detection by endpoint protection systems, particularly when attackers possess valid credentials for the installation.

The group's defense evasion capabilities extend beyond simple antivirus bypass techniques. SafePay operators systematically disable [Microsoft Defender](https://cybersecuritynews.com/microsoft-defender-vulnerability-allows-attackers/) and other security solutions through administrative commands and Group Policy modifications, adding folder exclusions and disabling real-time protection features.

*Ransom note of SafePay Ransomware (Source — SOCRadar)*

The malware itself uses encrypted strings, dynamic loading, and packing to evade signature-based detection systems.
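A defender-side check for the Defender-tampering behaviour described above, as an added example that is not part of the original article or SOCRadar's analysis: it scans PowerShell script block log text (the shape of Event ID 4104 entries; the sample lines are constructed) for `Set-MpPreference` switches that turn protection features off and for `Add-MpPreference` exclusions, the two patterns this campaign relies on.

```python
import re
from dataclasses import dataclass

# Constructed sample script-block text (Event ID 4104 style), not from the
# article. Lines 1-3 mirror the tampering commands the page quotes; the
# remaining lines are benign or differently-cased administrative activity.
SAMPLE_SCRIPT_BLOCKS = [
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "Set-MpPreference -DisableBehaviorMonitoring $true",
    "Add-MpPreference -ExclusionPath 'C:\\Windows\\Temp'",
    "Get-MpPreference | Select-Object DisableRealtimeMonitoring",
    "set-mppreference -disableioavprotection 1",
    "Set-MpPreference -ScanScheduleDay 0",
]

# Defender switches that disable a protection feature when set to $true or 1.
DISABLE_SWITCH = re.compile(
    r"-Disable(RealtimeMonitoring|BehaviorMonitoring|IOAVProtection|"
    r"IntrusionPreventionSystem)\s+(\$true|1)\b",
    re.IGNORECASE,
)
# Any exclusion added via Add-MpPreference (path, process or extension).
EXCLUSION_ADD = re.compile(
    r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\s+(\S+)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int   # 1-based index into the scanned script blocks
    rule: str      # which detection fired
    detail: str    # the disabled feature or the excluded path/process


def scan_script_blocks(blocks):
    """Return one Finding per script block that weakens Microsoft Defender."""
    findings = []
    for n, text in enumerate(blocks, start=1):
        m = DISABLE_SWITCH.search(text)
        if m and re.search(r"\bSet-MpPreference\b", text, re.IGNORECASE):
            findings.append(Finding(n, "defender_feature_disabled", m.group(1)))
        m = EXCLUSION_ADD.search(text)
        if m:
            findings.append(Finding(n, "defender_exclusion_added", m.group(2).strip("'\"")))
    return findings


if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"line {f.line_no}: {f.rule} ({f.detail})")
```

On a real host the same function can be fed the `ScriptBlockText` field of Microsoft-Windows-PowerShell/Operational events; a Defender configuration change is also recorded in the Defender operational log as Event ID 5007, which makes a useful second signal to correlate against.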
```powershell
# Example command used to disable Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableBehaviorMonitoring $true
Add-MpPreference -ExclusionPath 'C:\Windows\Temp'
```

Registry persistence mechanisms ensure the [malware](https://cybersecuritynews.com/chatgpt-powered-malware-analysis/) survives system reboots and maintains access even after the initial compromise vectors are discovered and remediated. The threat actors create startup entries and modify system configurations to keep their tools active, while simultaneously deploying custom backdoors such as QDoor for additional command execution and network tunneling capabilities.

The post [SafePay Ransomware Infected 260+ Victims Across Multiple Countries](https://cybersecuritynews.com/safepay-ransomware-infected-260-victims/) appeared first on [Cyber Security News](https://cybersecuritynews.com).