{
	"id": "977bb447-24b4-48b8-b268-3c448ea80508",
	"created_at": "2026-05-09T02:03:24.810103Z",
	"updated_at": "2026-05-09T02:03:42.94354Z",
	"deleted_at": null,
	"sha1_hash": "1bcfaf3f0e8266352910d4f8e29950fe5bbf7faa",
	"title": "SafePay ransomware explained: IOCs, TTPs, and defense strategies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49430,
	"plain_text": "SafePay ransomware explained: IOCs, TTPs, and defense\r\nstrategies\r\nBy Rayton Li and John Moutos, ThreatLocker Threat Intelligence\r\nPublished: 2025-07-31 · Archived: 2026-05-09 02:01:25 UTC\r\nObserving SafePay ransomware, ThreatLocker® Intelligence has seen Mutexes being created to prevent additional\r\ncopies of the ransomware running on already affected/encrypted devices. Typically, a different Mutex would be\r\nused for each victim. The switch to a more aggressive approach to choosing targets may be partially due to all the\r\ncoverage of the Ingram Micro breach and the likely growing intensity of law enforcement pressure.\r\nSafePay ransomware overview\r\nSafePay is a ransomware group that was discovered by security vendors sometime in November 2024 and has\r\nsince made international headlines as the group has threatened to release over 3.5 TB of internal data from Ingram\r\nMicro, a US-based information technology product and service distributor. The group has quickly become among\r\nthe most prolific, with over two hundred organizations claimed on its Tor data leak website.\r\nThe group primarily targets organizations in the United States, Germany, the United Kingdom, Australia, Canada,\r\nand a few other countries. SafePay does not intentionally target organizations that are either current or former\r\nmembers of the Commonwealth of Independent States (CIS), which may indicate the group originates or resides\r\nin Eastern Europe or Asia.\r\nTactics, techniques, and procedures (TTP)\r\nInitial access\r\nThe primary initial access vector for SafePay operators is through vulnerabilities in edge devices, such as VPN\r\ngateways, firewalls, and Remote Desktop Gateway servers. 
Another common tactic for accessing an organization\r\ninvolves obtaining leaked credentials through phishing, initial access brokers, or public credential dumps.\r\nDiscovery\r\nOnce the SafePay operators have obtained initial access to an environment, they immediately enumerate the\r\nnetwork, SMB shares, and any other assets that can be accessed. Based on observed activity, SafePay consistently\r\nleverages ShareFinder.ps1 from the PowerTools collection.\r\nLateral movement\r\nLiving-off-the-land utilities such as PSExec, WinRM, RDP, and RMM software are the primary means of\r\nnavigating an organization’s network.\r\nhttps://www.threatlocker.com/blog/safepay-ransomware-explained-iocs-ttps-and-defense-strategies\r\nPage 1 of 4\n\nDefense evasion\r\nCommonly observed by ransomware groups, SafePay will attempt to disrupt security services, eliminate backup\r\nsoftware, and halt the Volume Shadow Copy service. SafePay will also perform privilege escalation through token\r\nimpersonation if needed.\r\nExfiltration\r\nSafePay is known to use the following applications for exfiltrating data: WinRAR, 7-Zip, Rclone, FileZilla, and\r\nthe RDP clipboard.\r\nImpact\r\nOnce the Shadow Copy service is stopped, shadow copies and any third-party backups are silently deleted. This\r\nseverely limits recovery options for affected organizations, forcing them to resort to offline backups which may be\r\noutdated or untested.\r\nThis group is known to utilize the double-extortion scheme, where organizations must pay for the decryption tool\r\nand then must pay to have their data removed from SafePay servers. Because of this, it is highly advised that\r\norganizations do not make any ransom payments.\r\nKnown ransomware samples\r\nOne of the easiest samples associated with SafePay had a language check kill-switch for any Cyrillic languages.\r\nThis could indicate that an Eastern European state sponsor may have backed SafePay. 
The language check was\r\nremoved in later samples of SafePay. Early samples exhibit numerous similarities to the leaked LockBit Black\r\nand Hive ransomware. Despite inspiration from other groups, the encryptor SafePay leverages is likely developed\r\nindependently.\r\nSHA-256 Hashes\r\nMutexes\r\nGlobal\\DB1D-19B4-5094-D570-9841-E4BC-8ABD-29AA-03BB-84AD-C61B-1355-4FF2-194B-96BD-7E49\r\nGlobal\\347F-7B6B-6AFB-3C55-2602-369D-65B9-58A0-16F1-0F42-35DA-0B37-52C3-293C-8975-CAB4\r\nGlobal\\622D-BA6A-4BE9-5D15-5C84-898C-1760-4BAF-2BB1-D7D1-389D-6C01-AAFC-1645-BB6E-DC88\r\nGlobal\\A8D1-50A2-679B-3D55-D639-9810-8679-7409-02EC-EF50-EA87-5641-0086-74B7-A14E-EE4C\r\nHow ThreatLocker can help\r\nApplication Allowlisting\r\nThreatLocker Application Allowlisting can block applications that are not explicitly permitted by ThreatLocker or\r\nlearned during the learning process, such as unauthorized Remote Monitoring and Management applications.
\r\nAdditional explicit deny policies can be created to prevent the usage of high-risk applications, such as MSBuild\r\nor PSExec.\r\nFor applications that are high-risk but are required by business processes, permit policies with Ringfencing™ can\r\nbe utilized to restrict what resources applications can interact with, such as certain files, internet access, the\r\nregistry, or executing other applications.\r\nNetwork Control\r\nThreatLocker can limit ransomware operators from accessing your organization's network by utilizing Network\r\nControl to block non-ThreatLocker-monitored devices from accessing resources such as Remote Desktop,\r\nWindows Remote Management shell, and PSExec from the edge VPN or firewall.\r\nDetect and MDR\r\nThreatLocker Detect can detect and alert your organization or the ThreatLocker MDR team to possible\r\nransomware operators' tactics and procedures, including installing ransomware tools, attempting to disable\r\nsecurity services, deleting shadow copies, and performing data exfiltration.\r\nSource: https://www.threatlocker.com/blog/safepay-ransomware-explained-iocs-ttps-and-defense-strategies",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatlocker.com/blog/safepay-ransomware-explained-iocs-ttps-and-defense-strategies"
	],
	"report_names": [
		"safepay-ransomware-explained-iocs-ttps-and-defense-strategies"
	],
	"threat_actors": [],
	"ts_created_at": 1778292204,
	"ts_updated_at": 1778292222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1bcfaf3f0e8266352910d4f8e29950fe5bbf7faa.pdf",
		"text": "https://archive.orkl.eu/1bcfaf3f0e8266352910d4f8e29950fe5bbf7faa.txt",
		"img": "https://archive.orkl.eu/1bcfaf3f0e8266352910d4f8e29950fe5bbf7faa.jpg"
	}
}