Threat Group Profile
safepay
โ Active โ last 30 days
Victim claims
65
First seen
Mar 2026
Last activity
06 Jul 2026
Tracked since
โ
Group overview
SafePay emerged in September 2024 as a rapidly growing ransomware operation that explicitly disavows the RaaS model and manages all operations internally, claiming over 300 victims worldwide by mid-2025 with a high-profile early attack against UK telematics firm Microlise stealing 1.2 TB of data.
Preferred targets
Consumer Services ยท 10
Business Services ยท 8
Manufacturing ยท 6
Technology ยท 5
Construction ยท 4
Transportation/Logistics ยท 4
Most targeted countries
DE ยท 25
US ยท 9
IT ยท 8
GB ยท 5
JP ยท 5
ES ยท 4
Tactics & techniques (MITRE ATT&CK)
Initial Access
Valid Accounts
Replication Through Removable Media
Drive-by Compromise
Exploit Public-Facing Application
Phishing: Spearphishing Attachment
Phishing: Spearphishing Link
Phishing: Spearphishing Voice
Execution
Windows Management Instrumentation
Scheduled Task/Job: Scheduled Task
Command and Scripting Interpreter
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: Windows Command Shell
Command and Scripting Interpreter: Visual Basic
Native API
Shared Modules
Persistence
Valid Accounts
Account Manipulation
Server Software Component: IIS Components
Pre-OS Boot: Bootkit
Create or Modify System Process: Windows Service
Boot or Logon Autostart Execution
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Boot or Logon Autostart Execution: Shortcut Modification
Privilege Escalation
Valid Accounts
Access Token Manipulation: Create Process with Token
Access Token Manipulation: Parent PID Spoofing
Defense Evasion
Rootkit
Obfuscated Files or Information
Obfuscated Files or Information: Software Packing
Obfuscated Files or Information: Indicator Removal from Tools
Obfuscated Files or Information: Dynamic API Resolution
Obfuscated Files or Information: Embedded Payloads
Obfuscated Files or Information: Encrypted/Encoded File
Obfuscated Files or Information: Junk Code Insertion
Credential Access
OS Credential Dumping
OS Credential Dumping: NTDS
Input Capture
Input Capture: Keylogging
Brute Force: Password Spraying
Credentials from Password Stores
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning
Discovery
Application Window Discovery
Query Registry
System Network Configuration Discovery
System Owner/User Discovery
Network Service Discovery
System Network Connections Discovery
Process Discovery
System Information Discovery
Lateral Movement
Remote Services
Remote Services: Remote Desktop Protocol
Remote Services: SMB/Windows Admin Shares
Remote Services: SSH
Replication Through Removable Media
Internal Spearphishing