Inside SafePay: The fast-moving, centrally run ransomware crew reshaping double-extortion playbooks
Industry: Cybersecurity, Managed Services, Enterprise IT

By Ash K

SafePay has become one of the more closely watched ransomware names to emerge in the last 18 months, not because it invented a brand new technique, but because it operationalised familiar ones with discipline. Research from Picus Labs describes a crew that behaves less like a typical ransomware-as-a-service (RaaS) marketplace and more like a closed, centrally managed operation: fewer moving parts, tighter control over infrastructure and negotiation, and less exposure to affiliate mistakes and leaks.

That structure matters. When a ransomware operation is run as a franchise model, defenders often see tradecraft vary from one intrusion to the next. With SafePay, reported intrusions look more consistent, and in multiple write-ups the window from initial access to encryption can be as short as a day. Picus notes that the group often moves from entry to impact within 24 hours, compressing the time defenders have to spot abnormal access patterns before the encryptor runs.

SafePay attack chain overview (Acronis TRU)

A centralised crew, not a typical RaaS

Picus describes SafePay as a closed group that keeps control of operations, negotiation and profit distribution rather than outsourcing scale to affiliates. Acronis Threat Research Unit reaches a similar conclusion and ties the model to what defenders are seeing in the field: repeatable intrusion steps, repeated use of the same administrative tooling, and consistent effort to disable protections and inhibit recovery.

Acronis also reports that SafePay accelerated sharply in early 2025, claiming more than 200 victims worldwide in Q1 alone, including managed service providers and small to mid-sized businesses. That pace matters because MSP compromise creates a downstream blast radius: tooling and access designed for support become the attacker’s shortcut into multiple customer environments.

How SafePay gets in

SafePay’s entry point is frequently not a novel exploit chain. Instead, reports emphasise credential-led access: compromised usernames and passwords obtained via brokers, brute force or reuse, then applied against RDP, VPN gateways and other edge services. Picus also flags misconfigured firewall deployments as a recurring weakness, including scenarios where local authentication remains enabled on the edge device without multi-factor authentication.

Once inside, the intrusion often shifts quickly into persistence and operator convenience. Picus notes the use of backdoors such as QDoor in some investigations, as well as legitimate remote access tooling like ScreenConnect. Check Point’s coverage of SafePay similarly describes a multi-stage approach that can begin with Remote Desktop access and then expand through privilege escalation, UAC bypass and network propagation features.

Discovery and lateral movement

The operational pattern is familiar to most incident responders: map the network, identify high value servers and shared storage, then spread using administrative protocols that look normal in many Windows estates. Picus highlights ShareFinder.ps1, specifically Invoke-ShareFinder, to enumerate network shares, and then movement via PsExec and WinRM for remote command execution.

Picus even provides a representative PsExec pattern used for remote execution, showing how quickly the crew can jump from one machine to the next once it holds admin credentials. For many organisations, that is the uncomfortable point: the traffic can resemble legitimate IT operations unless you correlate identity signals, host telemetry and unusual timing.
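A hunt for exactly that timing pattern, written here as an added example (it is not code from Picus, Acronis or this article): it runs over a handful of constructed process-creation events (assumed fields ts, account, host, cmd), tags ShareFinder.ps1 / Invoke-ShareFinder invocations, pulls the target host out of PsExec (\\HOST), winrs (-r:HOST) and PowerShell remoting (-ComputerName HOST) command lines, and flags any account that reaches three or more distinct targets inside fifteen minutes. The window, host threshold, hostnames and command lines are all assumptions to tune per estate.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (assumed schema: ts, account, host, cmd).
# Illustrative only; not telemetry from the Picus or Acronis reports.
SAMPLE_EVENTS = [
    {"ts": "2025-03-02T01:14:05", "account": "CORP\\svc-backup", "host": "JUMP01",
     "cmd": 'powershell.exe -ep bypass -c "Import-Module .\\ShareFinder.ps1; Invoke-ShareFinder -CheckShareAccess"'},
    {"ts": "2025-03-02T01:20:11", "account": "CORP\\svc-backup", "host": "JUMP01",
     "cmd": "PsExec.exe -accepteula \\\\FS02 -s cmd.exe /c whoami"},
    {"ts": "2025-03-02T01:22:40", "account": "CORP\\svc-backup", "host": "JUMP01",
     "cmd": "PsExec.exe -accepteula \\\\APP03 -s cmd.exe /c whoami"},
    {"ts": "2025-03-02T01:25:03", "account": "CORP\\svc-backup", "host": "JUMP01",
     "cmd": "winrs.exe -r:DC01 cmd.exe /c whoami"},
    # Routine admin hops hours apart: must not trip the fan-out rule.
    {"ts": "2025-03-02T09:02:00", "account": "CORP\\jsmith", "host": "ADM01",
     "cmd": "PsExec.exe \\\\PRN01 ipconfig /all"},
    {"ts": "2025-03-02T14:30:00", "account": "CORP\\jsmith", "host": "ADM01",
     "cmd": "winrs.exe -r:WEB01 hostname"},
]

SHARE_DISCOVERY = re.compile(r"invoke-sharefinder|sharefinder\.ps1", re.I)

# (tool, pattern capturing the remote target): PsExec \\HOST, winrs -r:HOST,
# and PowerShell remoting -ComputerName HOST.
REMOTE_EXEC = [
    ("psexec", re.compile(r"psexec(?:64)?(?:\.exe)?\b.*?\\\\([\w.-]+)", re.I)),
    ("winrm", re.compile(r"\bwinrs(?:\.exe)?\b.*?-r:([\w.-]+)", re.I)),
    ("winrm", re.compile(r"\b(?:Invoke-Command|Enter-PSSession)\b.*?-ComputerName\s+([\w.-]+)", re.I)),
]


def classify_remote_exec(event):
    """Return (tool, TARGET_HOST) when the command line is a PsExec/WinRM hop, else None."""
    for tool, pattern in REMOTE_EXEC:
        m = pattern.search(event["cmd"])
        if m:
            return tool, m.group(1).upper()
    return None


def share_discovery_events(events):
    """Events invoking ShareFinder.ps1 / Invoke-ShareFinder, the share enumeration step."""
    return [e for e in events if SHARE_DISCOVERY.search(e["cmd"])]


def remote_exec_fanout(events, window=timedelta(minutes=15), min_hosts=3):
    """Flag accounts reaching >= min_hosts distinct targets over PsExec/WinRM inside `window`.

    Sliding window per account: a burst of hops to several hosts within minutes is the
    pattern described in the text; isolated admin hops hours apart are left alone.
    """
    hops_by_account = defaultdict(list)
    for e in events:
        hit = classify_remote_exec(e)
        if hit:
            hops_by_account[e["account"]].append((datetime.fromisoformat(e["ts"]), hit[0], hit[1]))

    alerts = []
    for account, hops in hops_by_account.items():
        hops.sort()
        for i, (start, _, _) in enumerate(hops):
            in_window = [h for h in hops[i:] if h[0] - start <= window]
            targets = {h[2] for h in in_window}
            if len(targets) >= min_hosts:
                earlier = [e for e in events if e["account"] == account
                           and datetime.fromisoformat(e["ts"]) <= start]
                alerts.append({
                    "account": account,
                    "start": start.isoformat(),
                    "targets": sorted(targets),
                    "tools": sorted({h[1] for h in in_window}),
                    "share_discovery_first": bool(share_discovery_events(earlier)),
                })
                break  # one alert per account is enough to open a case
    return alerts


if __name__ == "__main__":
    for alert in remote_exec_fanout(SAMPLE_EVENTS):
        print(alert)
```

The share_discovery_first field is the correlation the paragraph argues for: a PsExec/WinRM burst preceded by Invoke-ShareFinder from the same account is a much stronger signal than either event alone.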

Defense evasion comes first: processes, services, and recovery sabotage

Before encryption, SafePay prioritises clearing security tools and business applications out of the way. Picus reports that the malware carries a hardcoded, encrypted list of processes and services it attempts to terminate, spanning databases, office applications, backup tooling and endpoint security. Acronis provides a longer list in its sample analysis, including process names such as sql, oracle, ocssd, excel, outlook, winword and onedrive, alongside services tied to shadow copies, Exchange, Sophos and Veeam.

Then comes recovery suppression. Picus lists the classic, highly effective commands used to remove Volume Shadow Copies and weaken Windows recovery behaviour: vssadmin delete shadows and wmic shadowcopy delete, alongside bcdedit changes that disable the recovery environment and tell the boot loader to ignore boot failures. It is not complicated, but it is ruthlessly practical: if you cannot roll back, pressure rises during extortion.
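The following rule set is an added example, not code from the Picus or Acronis reports: it classifies constructed process command lines into the recovery-inhibition techniques just described, ignores the read-only vssadmin list / bcdedit /enum variants that administrators run while troubleshooting, and rates host confidence higher when more than one technique stacks up on the same machine. Hostnames and command lines are constructed; the bcdedit value names (recoveryenabled, bootstatuspolicy) are the standard Windows ones.

```python
import re
from collections import defaultdict

# Constructed process-creation events (assumed fields: host, cmd). Not from the reports.
SAMPLE_EVENTS = [
    {"host": "SRV-FS01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "SRV-FS01", "cmd": "wmic.exe shadowcopy delete"},
    {"host": "SRV-FS01", "cmd": "bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "SRV-FS01", "cmd": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    # Read-only variants an admin runs while troubleshooting: must not match.
    {"host": "WKS-ADM02", "cmd": "vssadmin.exe list shadows"},
    {"host": "WKS-ADM02", "cmd": "bcdedit.exe /enum"},
    # One technique alone, wrapped in a cmd.exe chain: still matches, lower confidence.
    {"host": "WKS-IT07", "cmd": 'cmd.exe /c "wmic shadowcopy delete & exit"'},
]

# Each rule maps a technique tag to the command shape that implements it.
# All of them sit under MITRE ATT&CK T1490 (Inhibit System Recovery).
RULES = [
    ("shadow_copy_delete",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_env_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]


def recovery_inhibition_tags(cmdline):
    """Technique tags present in one command line (sorted, deduplicated)."""
    return sorted({tag for tag, pattern in RULES if pattern.search(cmdline)})


def triage_hosts(events):
    """Aggregate tags per host and rate confidence by technique diversity.

    Two or more distinct techniques on one host is the stacked shadow-copy-plus-bcdedit
    sequence the text describes. A lone shadow-copy deletion can still be legitimate
    housekeeping, so it is rated medium rather than dropped.
    """
    tags_by_host = defaultdict(set)
    for e in events:
        tags_by_host[e["host"]].update(recovery_inhibition_tags(e["cmd"]))
    result = {}
    for host, tags in tags_by_host.items():
        if not tags:
            continue
        result[host] = {"tags": sorted(tags),
                        "confidence": "high" if len(tags) >= 2 else "medium"}
    return result


if __name__ == "__main__":
    for host, verdict in triage_hosts(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Because the encryptor runs these commands immediately before impact, a high-confidence hit here is worth an automated isolation response rather than a ticket.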

Exfiltration: archiving at scale before the encryptor runs

SafePay’s extortion model depends on theft as much as encryption. Picus notes that operators stage and archive data first, focusing on business documents and skipping system files, then move the archives out using commodity tooling. Both Picus and Acronis cite WinRAR for archiving, with FileZilla, Rclone and 7-Zip also appearing in the archive-and-exfiltrate workflow.

One detail stands out because it reveals operator intent. The WinRAR command line shown in the Picus research uses volume splitting with -v5g, producing 5 GB archive chunks, and an extensive exclusion list that skips media and other bulky formats. This is optimisation in plain sight: reduce transfer time, keep the loot high value, and avoid wasting bandwidth on files that add no leverage.
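To show what a defender can read out of such a command line, here is an added example (it parses a constructed WinRAR invocation, not the Picus command line, which is not reproduced here): it converts -v<size> into bytes using WinRAR's documented unit suffixes (a bare number means thousands of bytes; k, m and g are 1024-based; M and G are 1000-based; b is bytes), collects -x exclusion masks, and judges whether the invocation looks like exfiltration staging rather than a routine backup. The bulky-extension list, thresholds, paths and share names are assumptions.

```python
import re

# WinRAR's documented -v<size>[k|b|m|M|g|G] units.
VOLUME_UNITS = {"": 1000, "b": 1, "k": 1024, "m": 1024 ** 2, "M": 1000 ** 2,
                "g": 1024 ** 3, "G": 1000 ** 3}

# Assumed heuristic: bulky, low-leverage formats an operator would exclude from the loot.
BULKY_EXTENSIONS = {"mp4", "avi", "mkv", "mov", "mp3", "wav", "iso", "vmdk", "exe", "dll", "msi"}

# Constructed invocation for illustration; paths and share names are made up.
CONSTRUCTED_CMDLINE = (
    r'rar.exe a -r -ep1 -v5g -x*.mp4 -x*.avi -x*.mkv -x*.mov -x*.iso -x*.exe -x*.dll '
    r'D:\stage\fin.rar "\\FS02\Finance Shared" \\FS02\Legal'
)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_rar_cmdline(cmdline):
    """Parse `rar <command> [switches] <archive> [sources...]` into a dict."""
    tokens = tokenize(cmdline)
    if len(tokens) < 2:
        raise ValueError("expected: rar <command> [switches] <archive> [sources...]")
    info = {"binary": tokens[0], "command": tokens[1].lower(), "volume_bytes": None,
            "exclusions": [], "recurse": False, "other_switches": [],
            "archive": None, "sources": []}
    operands, switches_done = [], False
    for tok in tokens[2:]:
        if not switches_done and tok == "--":        # WinRAR: end of switches
            switches_done = True
            continue
        if not switches_done and tok.startswith("-"):
            m = re.fullmatch(r"-v(\d+)([bkmMgG]?)", tok)
            if m:
                info["volume_bytes"] = int(m.group(1)) * VOLUME_UNITS[m.group(2)]
            elif tok.startswith("-x"):              # -x<mask>: exclude files
                info["exclusions"].append(tok[2:])
            elif tok == "-r":                       # recurse subdirectories
                info["recurse"] = True
            else:
                info["other_switches"].append(tok)
        else:
            operands.append(tok)
    if operands:
        info["archive"], info["sources"] = operands[0], operands[1:]
    return info


def staging_assessment(info):
    """Reasons this invocation looks like pre-exfil staging rather than a routine backup."""
    reasons = []
    if info["command"] == "a" and info["volume_bytes"] and info["volume_bytes"] >= 1024 ** 3:
        reasons.append(f"split_volumes:{info['volume_bytes'] // 1024 ** 3}GiB")
    bulky = [x for x in info["exclusions"] if x.rsplit(".", 1)[-1].lower() in BULKY_EXTENSIONS]
    if len(bulky) >= 3:
        reasons.append(f"bulky_formats_excluded:{len(bulky)}")
    if any(src.startswith("\\\\") for src in info["sources"]):   # pulling straight from shares
        reasons.append("unc_share_source")
    return reasons


def is_exfil_staging(info):
    """Two or more independent staging signals: large split volumes, media excluded, UNC sources."""
    return len(staging_assessment(info)) >= 2


if __name__ == "__main__":
    parsed = parse_rar_cmdline(CONSTRUCTED_CMDLINE)
    print(parsed["volume_bytes"], parsed["exclusions"], staging_assessment(parsed))
```

Archive creation by itself is too common to alert on; the combination of multi-gigabyte volume splitting, a long media exclusion list and UNC share sources is what separates staging from a backup job, and that is what the assessment scores.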

Execution and encryption mechanics

On the host, the encryptor is often delivered as a Windows PE32 DLL. Picus describes execution through common Windows utilities such as regsvr32.exe or rundll32.exe, a technique that blends into legitimate DLL execution patterns and can complicate quick triage if endpoint visibility is weak.

The malware is also picky about how it is launched. Picus notes a mandatory password flag, with the password used to decode additional embedded information. Acronis goes deeper and reports that the password must be 32 bytes long. In practice, this suggests operational controls that reduce accidental detonation, complicate analysis of samples recovered without the password, and may help the group maintain consistent behaviour across engagements.

SafePay sample properties screenshot (Acronis TRU)

Encryption itself is designed for speed. Picus describes a hybrid scheme where files are encrypted using AES or ChaCha20, and per file keys are then protected using RSA or x25519 before being appended to the file footer. It also notes intermittent block encryption to accelerate impact, and a characteristic rename to the .safepay extension.

There is also a geopolitical safety check. Picus reports a kill-switch style check where the malware exits if it detects Cyrillic-related keyboard layouts. Acronis lists multiple language identifiers used in this avoidance logic, including Russian, Ukrainian and Belarusian, reinforcing the common pattern in ransomware ecosystems of avoiding certain regions.

SafePay decryption routine highlight (Acronis TRU)

Indicators of compromise and hunting pivots

The Picus analysis is not a simple list of hashes, but it contains practical pivots defenders can hunt for across endpoints, identity logs and network telemetry. Combined with Acronis sample analysis, the following are high signal indicators and behaviours often associated with SafePay intrusions.

  • File extension after encryption: .safepay
  • Ransomware execution patterns: DLL execution via regsvr32.exe or rundll32.exe
  • Mandatory execution flags: -pass= (32 byte password reported), -enc= (1 to 9, multiplied by 10 for percentage), -network, -selfdelete
  • Share discovery: ShareFinder.ps1 and Invoke-ShareFinder usage
  • Lateral movement utilities: PsExec and WinRM usage in close succession across multiple hosts
  • Recovery inhibition commands: vssadmin delete shadows /all /quiet, wmic shadowcopy delete, bcdedit recovery modifications
  • Process and service termination activity: bulk termination attempts affecting databases, Office apps, backup tooling and security products (Picus and Acronis both describe hardcoded target lists)
  • Staging and archiving: WinRAR volume splitting with -v5g and extensive exclusion lists, followed by exfil tooling such as FileZilla or Rclone
  • Persistence indicator from sample analysis: creation of a Run key entry under Software\Microsoft\Windows\CurrentVersion\Run containing the original execution command line and arguments
  • Regional avoidance behaviour: exit if certain Cyrillic keyboard or language settings are detected
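The execution flags described under "Execution and encryption mechanics" and listed above, and the Run key persistence that carries the original command line, can be checked with one parser. This is an added example with constructed command lines and registry values, not code from Picus or Acronis: it extracts -pass=, -enc=, -network and -selfdelete, checks the password against the 32-byte length Acronis reports, converts -enc= to the encryption percentage, and scores how closely a launch line matches the documented pattern. The confidence tiers, DLL paths and Run value names are assumptions; rundll32 is used for the main sample because it passes extra arguments to the DLL entry point, and the regsvr32 line in the test is likewise constructed.

```python
import re

LOLBINS = {"rundll32.exe", "regsvr32.exe"}
FLAG_RE = re.compile(r"-(pass|enc)=(\S+)|-(network|selfdelete)\b", re.I)

# Constructed launch line: 32-byte password, -enc=5 (50 %), network spread, self-delete.
CONSTRUCTED_LAUNCH = (
    r"rundll32.exe C:\Windows\Temp\upd.dll,Start "
    r"-pass=0123456789abcdef0123456789abcdef -enc=5 -network -selfdelete"
)

# Constructed Software\Microsoft\Windows\CurrentVersion\Run values: name -> data.
CONSTRUCTED_RUN_KEY = {
    "OneDriveUpd": CONSTRUCTED_LAUNCH,
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
}


def parse_launch(cmdline):
    """Extract SafePay-style launch flags from a command line and score the match."""
    tokens = cmdline.split() or [""]
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    dll = next((t for t in tokens[1:] if ".dll" in t.lower()), None)
    flags = {"pass": None, "enc": None, "network": False, "selfdelete": False}
    for m in FLAG_RE.finditer(cmdline):
        if m.group(1):
            flags[m.group(1).lower()] = m.group(2)
        else:
            flags[m.group(3).lower()] = True

    findings = []
    if image in LOLBINS and dll:
        findings.append("lolbin_dll_launch")
    if flags["pass"] is not None:
        findings.append("mandatory_password_flag")
        if len(flags["pass"].encode("utf-8")) != 32:   # Acronis: the password is 32 bytes
            findings.append("password_length_mismatch")
    percent = None
    if flags["enc"] is not None:
        if flags["enc"].isdigit() and 1 <= int(flags["enc"]) <= 9:
            percent = int(flags["enc"]) * 10             # -enc=N selects N*10 % of each file
            findings.append("intermittent_encryption")
        else:
            findings.append("enc_out_of_range")
    if flags["network"]:
        findings.append("network_spread_flag")
    if flags["selfdelete"]:
        findings.append("self_delete_flag")

    # Assumed tiers: a LOLBin DLL launch alone is everyday Windows noise; the password
    # flag is the discriminator, and a LOLBin carrying it is the documented pattern.
    if "mandatory_password_flag" in findings and "lolbin_dll_launch" in findings:
        confidence = "high"
    elif "mandatory_password_flag" in findings or "intermittent_encryption" in findings:
        confidence = "medium"
    else:
        confidence = "none"
    return {"image": image, "dll": dll, "flags": flags, "encrypt_percent": percent,
            "findings": findings, "confidence": confidence}


def run_key_hits(run_values):
    """Names of Run values whose data parses as a SafePay-style launch line."""
    return [name for name, data in run_values.items()
            if parse_launch(data)["confidence"] != "none"]


if __name__ == "__main__":
    print(parse_launch(CONSTRUCTED_LAUNCH))
    print(run_key_hits(CONSTRUCTED_RUN_KEY))
```

Running the same parser over Run key data as over process creation events matters because the persistence entry reproduces the launch arguments: a host that was cleaned of the DLL but not the Run value still exposes the password and encryption settings used in the intrusion.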

Why defenders keep running into the same blind spots

SafePay’s playbook works because many environments still treat identity and remote access as perimeter controls rather than continuous risk signals. When an attacker logs in using a real admin account over RDP or a VPN session, traditional malware based controls can miss the early stages entirely, especially if the operator relies heavily on built in Windows tooling.

The fastest improvements tend to be unglamorous: enforce MFA for all remote access, including local authentication paths on firewalls and other edge devices; reduce standing admin privileges; lock down lateral movement paths such as PsExec and WinRM; and treat a sudden burst of share discovery as an incident until proven otherwise. For teams that want to validate those controls rather than assume they hold, Picus notes that SafePay is already modelled in its threat library as “SafePay Ransomware Campaign” under Threat ID 25266, reflecting how quickly defenders are moving from passive intelligence to validation and simulation.

For deeper technical detail, including the full analysis context used in this article, see Picus Labs’ write up: Inside SafePay: Analyzing the New Centralized Ransomware Group.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.