SAFEPAY RANSOMWARE SURGE: 265+ Victims, Now #1 Threat Actor Globally

SafePay is now the #1 ransomware threat, with 265+ victims globally. This report covers their fake IT call scams and centralized operations.

A highly organized and aggressive ransomware group known as SafePay has surged to become the #1 global ransomware threat actor in 2025, claiming over 265 victims across multiple continents since its emergence in late 2024. Surpassing established groups like LockBit and ALPHV, SafePay has distinguished itself through a unique, centralized operational model and a sophisticated blend of technical skill and social engineering.

Rise of SafePay: From 20 Victims to Global Domination in 8 Months

First observed in September 2024, SafePay has demonstrated explosive growth. Starting with just over 20 victims in its first year, the group quickly escalated its operations, becoming the most active ransomware group by May 2025 with 70 attacks in that month alone. Its victim list now includes major corporations like global IT distributor Ingram Micro and UK telematics firm Microlise, disrupting supply chains and critical services [crn].

Unlike many other top-tier groups that operate on a Ransomware-as-a-Service (RaaS) model (selling their malware to affiliates), SafePay appears to be a centrally controlled and managed operation. This allows them to maintain a high level of quality control and operational security, making them a more disciplined and formidable adversary. While its code shares similarities with the leaked LockBit 3.0 builder, SafePay has evolved into a unique and highly efficient threat [acronis].

The Fake IT Call Scam: SafePay's Social Engineering Playbook

One of SafePay's most effective and alarming tactics is its use of social engineering, specifically fake IT support calls. The group's attack chain often involves the following steps [barracuda]:

  1. Initial Breach: Gaining access to a network, often through stolen VPN credentials.

  2. Vishing (Voice Phishing): After gaining initial access, the attackers will call employees, posing as internal IT support. They use their existing access to the network to appear legitimate and trick the employee into revealing further credentials or disabling security software.

  3. Spam/Email Bombs: To create a sense of chaos and urgency, the attackers will often launch "email bomb" campaigns, flooding an employee's inbox with thousands of subscription confirmation emails while they are on the phone with them. This distraction makes it harder for the employee to notice legitimate security alerts from their actual IT department.

This combination of technical intrusion and psychological manipulation has proven highly effective at bypassing security controls and gaining deeper access to victim networks.
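The "email bomb" step above leaves a signal a SOC can watch for: one mailbox suddenly receiving subscription confirmations from dozens of unrelated senders. The following detector is an added example (not code from the original post or from any vendor cited here); it runs over constructed mail-gateway log lines in an assumed format, and its window and threshold are assumed tuning values.

```python
"""Email-bomb burst detector (added example, not from the original post).
Flags a recipient who receives subscription-style confirmations from many
distinct senders inside a short window, the pattern behind the vishing distraction."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumption: tuning values, not from the report
THRESHOLD = 50                  # distinct senders within WINDOW
# Subjects typical of newsletter sign-up confirmations (assumed patterns).
SUBSCRIPTION_RE = re.compile(r"confirm|verify|welcome|subscri", re.IGNORECASE)
# Assumed log format: <date> <time> to=<rcpt> from=<sender> subject="<text>"
LINE_RE = re.compile(r'^(\S+ \S+) to=<([^>]+)> from=<([^>]+)> subject="(.*)"$')


def parse_line(line):
    """Return (timestamp, recipient, sender, subject), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2).lower(), m.group(3).lower(), m.group(4)


def detect_email_bombs(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding window per recipient; returns {recipient: time of first alert}."""
    recent = defaultdict(deque)  # recipient -> deque of (timestamp, sender)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or not SUBSCRIPTION_RE.search(parsed[3]):
            continue
        ts, rcpt, sender, _ = parsed
        q = recent[rcpt]
        q.append((ts, sender))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if rcpt not in alerts and len({s for _, s in q}) >= threshold:
            alerts[rcpt] = ts
    return alerts


def sample_log():
    """Constructed sample: one mailbox flooded, one receiving normal mail."""
    base = datetime(2025, 5, 12, 14, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = [f'{(base + timedelta(seconds=5 * i)).strftime(fmt)} to=<jdoe@example.com> '
             f'from=<noreply@site{i}.example> subject="Please confirm your subscription"'
             for i in range(60)]
    lines.append(f'{base.strftime(fmt)} to=<asmith@example.com> from=<it@example.com> '
                 'subject="Quarterly patch window"')
    return lines
```

Run `detect_email_bombs(sample_log())` to see the flooded mailbox flagged at the moment the fiftieth distinct sender arrives; a real deployment would feed it the gateway's own log format and pair the alert with help-desk call records.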

Geographic Targeting Strategy: Why SafePay Avoids Russia

SafePay's attacks have a clear geographical focus. The United States is the hardest-hit country with 103 victims (nearly 40% of the total), followed by Germany with 47 victims. The United Kingdom is also a primary target [checkpoint].

However, the ransomware's code includes a notable self-protection mechanism: it checks the system's language and will terminate itself if it detects that the language is set to Russian or another language from the Commonwealth of Independent States (CIS). This is a common tactic among Russian-speaking cybercriminal groups to avoid prosecution in their home countries, and it provides a strong clue as to the group's likely origin [acronis].

Double Extortion 2.0: How SafePay Pressures Victims

SafePay employs a classic double-extortion strategy, but with added psychological pressure.

  • Data Exfiltration: Before encrypting any files, the group steals large volumes of sensitive data.

  • High-Pressure Tactics: They set very short ransom deadlines (often less than 24 hours) and communicate with victims through The Open Network (TON) for added anonymity. They threaten to leak the stolen data on their Tor-based leak site if the ransom is not paid [quorumcyber].

This leaves victims in an impossible position, facing both the loss of access to their systems and the public exposure of their confidential information.

Critical Sectors Under Attack: Healthcare, Finance, Legal

SafePay has shown no hesitation in targeting critical sectors. Victims have included healthcare providers (like a pathology lab that exposed data for over 200,000 patients), financial institutions, and legal firms. This willingness to attack sensitive and essential services demonstrates the group's ruthlessness and purely financial motivation [crn].

With its centralized command, sophisticated social engineering, and aggressive tactics, SafePay has not only filled the void left by the decline of LockBit and ALPHV but has established itself as the new king of the ransomware world.

Hey there! I’m Alfaiz, a 21-year-old tech enthusiast from Mumbai. With a BCA in Cybersecurity, CEH, and OSCP certifications, I’m passionate about SEO, digital marketing, and coding (mastered four languages!). When I’m not diving into Data Science or AI, you’ll find me gaming on GTA 5 or BGMI. Follow me on Instagram (@alfaiznova, 12k followers, blue-tick!) for more. I also run https://www.alfaiznova.in for gadget comparisons and the latest information about gadgets. Let’s explore tech together!