SafePay Ransomware: LockBit’s Lonewolf Ghost

SafePay is a centralized ransomware group leveraging LockBit-derived code, stealthy infiltration, and rapid encryption—targeting SMEs and MSPs globally without using affiliates or public channels.

    Overview

    SafePay emerged in October 2024 as a centralized, double-extortion ransomware group built from LockBit-derived code. Operating without affiliates, it rapidly gained traction by targeting SMEs, MSPs, and regional enterprises in the U.S., Germany, and the U.K. SafePay’s campaigns are characterized by stealthy infiltration via compromised VPN credentials, RDP abuse, and the use of living-off-the-land techniques to avoid detection. The group maintains a private leak site and avoids high-profile marketing often seen in RaaS groups.
    (Source: Strand Intelligence)

    Known Aliases

    SafePay (no alternate branding or public affiliate infrastructure observed)

    Country of Origin

    Indicators suggest a Russian-aligned origin: the malware carries a kill switch that aborts execution when a Cyrillic keyboard layout or locale is detected on the host, a convention common to ransomware that avoids victims in CIS countries.
    (Source: Bitdefender Threat Debrief – June 2025)

    Notable Attacks / Victims

    MITRE ATT&CK Tactics and Techniques

    Tactic               | Technique                                                                        | ID
    ---------------------|----------------------------------------------------------------------------------|------------------
    Initial Access       | Valid Accounts (compromised RDP and VPN credentials)                             | T1078
    Execution            | Command and Scripting Interpreter (PowerShell, LOLBins)                          | T1059
    Persistence          | Boot or Logon Autostart Execution: Registry Run Keys                             | T1547.001
    Privilege Escalation | Abuse Elevation Control Mechanism: UAC bypass via the CMSTPLUA COM interface     | T1548.002
    Defense Evasion      | Impair Defenses: Disable or Modify Tools (e.g., Windows Defender)                | T1562.001
    Credential Access    | OS Credential Dumping (e.g., Mimikatz, lsassy.py)                                | T1003
    Discovery            | Domain Trust Discovery; Network Share Discovery                                  | T1482, T1135
    Lateral Movement     | Remote Services (RDP); Windows Management Instrumentation                        | T1021, T1047
    Collection           | Archive Collected Data: Archive via Utility (WinRAR)                             | T1560.001
    Exfiltration         | Exfiltration to Cloud Storage (MEGASync); Exfiltration Over Alternative Protocol (FTP) | T1567.002, T1048
    Impact               | Data Encrypted for Impact; Inhibit System Recovery (shadow copy deletion)        | T1486, T1490

    (Source: Ransomware.live)

    Malware Strains Used

    SafePay Ransomware

    • Appends .safepay extension to encrypted files
    • Drops ransom note titled readme_safepay.txt
    • Accepts command-line switches that control execution rather than run unattended (-uac to trigger the UAC bypass, -enc= to select encryption behaviour, -log to enable logging), which helps the operator avoid sandbox detonation
    • Employs ChaCha20 + RSA encryption model similar to LockBit 3.0
    • Contains kill-switch for Cyrillic locales
      (Source: Check Point)

    Common Infiltration Methods

    • Compromised VPN and RDP credentials for direct access
    • Phishing emails and fake IT support calls via Teams or VoIP
    • PowerShell and WMI-based scripting for lateral movement and remote execution, blending in with routine administrative activity
    • Remote management tools (e.g., AnyDesk, Splashtop)
    • Use of WinRAR to stage large data sets (reported in excess of 5 GB per victim) in archives before exfiltration via FileZilla (FTP) or MEGASync
    • Shadow volume deletion and Defender bypass during encryption phase
      (Source: Strand Intelligence)

    Business Model & Infrastructure

    • Operates without affiliates; full control model similar to pre-2021 Conti
    • No advertising or recruitment on dark forums
    • Maintains a private .onion leak site for publishing stolen data
    • Evidence of integration with TON blockchain for anonymous transactions
      (Source: SecurityOnline.info, Huntress)

    Summary and Recommendations

    SafePay has emerged as one of the most dangerous ransomware operators of 2025, owing to its speed, its centralized model, and its refined abuse of remote access technologies. The absence of public affiliate relationships makes the group harder to track, and its deliberate focus on SMEs and MSPs sidesteps the layered defenses that larger enterprises typically have in place.

    Recommendations:

    • Enforce MFA on all VPN and RDP access, and keep RDP off the public internet (VPN or gateway only)
    • Monitor for WinRAR/rar.exe launched from unusual parents or creating large, password-protected or multi-volume archives, and for encoded or unsigned PowerShell scripts
    • Block connections to known leak site and exfiltration infrastructure (including MEGASync where it has no business use)
    • Use behavioral detection rules for shadow copy deletion (vssadmin, wmic, bcdedit, wbadmin) and bulk archive creation
    • Apply EDR alerts for unauthorized Run-key registry changes, Defender tampering, and UAC bypass methods such as the CMSTPLUA COM elevation
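    The rules above, and the Persistence, Privilege Escalation, Defense Evasion, Collection and Impact rows of the ATT&CK table, can be expressed as simple matchers over endpoint telemetry. The following is an added example written for this page, not code from any of the cited sources: it runs five detections (shadow copy deletion, WinRAR archive staging, CMSTPLUA UAC bypass, Run-key persistence, Defender tampering) over a handful of constructed Sysmon-style events. The event field names follow Sysmon (Image, CommandLine, ParentImage, TargetObject, Details), but the events themselves, the sp.exe binary name, the SID and the paths are made up for illustration. The CMSTPLUA CLSID is the real COM class the bypass elevates through.

```python
"""Behavioral detections for SafePay-style post-exploitation, run over constructed
Sysmon-like events. Added example for illustration; not vendor or threat-actor code."""
import re
from dataclasses import dataclass

# COM class used by the CMSTPLUA UAC bypass; a dllhost.exe hosting it should never
# spawn children in normal operation.
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
# Run-key targets under these roots are treated as expected; anything else is flagged.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Event:
    event_id: int            # 1 = process creation, 13 = registry value set (Sysmon IDs)
    image: str = ""
    command_line: str = ""
    parent_image: str = ""
    parent_command_line: str = ""
    target_object: str = ""  # registry path for event 13
    details: str = ""        # registry value data for event 13


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def shadow_copy_deletion(ev):
    """T1490: the usual recovery-inhibiting commands issued before encryption."""
    cl = ev.command_line.lower()
    return ev.event_id == 1 and any(re.search(p, cl) for p in (
        r"vssadmin(\.exe)?\s+delete\s+shadows",
        r"wmic(\.exe)?\s+shadowcopy\s+delete",
        r"bcdedit(\.exe)?\s.*recoveryenabled\s+no",
        r"wbadmin(\.exe)?\s+delete\s+catalog",
    ))


def archive_staging(ev):
    """T1560.001: rar/winrar adding to an archive with recursion, volume
    splitting or header encryption, the pattern used to stage data for exfil."""
    if ev.event_id != 1 or basename(ev.image) not in ("rar.exe", "winrar.exe"):
        return False
    cl = ev.command_line.lower()
    return re.search(r"\s+a\s", cl) is not None and re.search(r"\s-(r|v\d|hp)", cl) is not None


def cmstplua_uac_bypass(ev):
    """T1548.002: any child of a dllhost.exe that is hosting the CMSTPLUA object."""
    return (ev.event_id == 1
            and basename(ev.parent_image) == "dllhost.exe"
            and CMSTPLUA_CLSID.lower() in ev.parent_command_line.lower())


def run_key_persistence(ev):
    """T1547.001: Run/RunOnce value pointing outside trusted program directories."""
    if ev.event_id != 13:
        return False
    if not re.search(r"\\currentversion\\run(once)?\\", ev.target_object.lower()):
        return False
    target = ev.details.lower().strip('"')
    return not target.startswith(TRUSTED_DIRS)


def defender_tampering(ev):
    """T1562.001: Set-MpPreference -Disable* $true, or the registry equivalents."""
    if ev.event_id == 1:
        cl = ev.command_line.lower()
        return "set-mppreference" in cl and re.search(r"-disable\w+\s+\$?true", cl) is not None
    if ev.event_id == 13:
        to = ev.target_object.lower()
        return ("\\windows defender\\" in to
                and to.endswith(("disableantispyware", "disablerealtimemonitoring"))
                and "0x00000001" in ev.details.lower())
    return False


RULES = [shadow_copy_deletion, archive_staging, cmstplua_uac_bypass,
         run_key_persistence, defender_tampering]


def detect(events):
    """Return (rule_name, event_index) for every rule that fires, in event order."""
    return [(rule.__name__, i) for i, ev in enumerate(events) for rule in RULES if rule(ev)]


# Constructed sample telemetry: two benign events (index 0 and 6) and five malicious ones.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(1, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet",
          r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    Event(1, r"C:\Program Files\WinRAR\Rar.exe",
          r'rar.exe a -r -hpSecret -v1g C:\ProgramData\out.rar "C:\Shares\Finance"',
          r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    Event(1, r"C:\Users\Public\sp.exe", "sp.exe -uac", r"C:\Windows\System32\dllhost.exe",
          "dllhost.exe /Processid:" + CMSTPLUA_CLSID),
    Event(13, target_object=r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
              r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          details=r"C:\Users\Public\sp.exe"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
          r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    Event(13, target_object=r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
          details=r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"[{rule}] event {idx}: {SAMPLE_EVENTS[idx].command_line or SAMPLE_EVENTS[idx].target_object}")
```

    Each matcher is intentionally narrow so it can be lifted into a SIEM or EDR rule as-is; the Run-key rule is the one most likely to need tuning, since legitimate installers also write to user Run keys from paths under AppData.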
