{
	"id": "9ab8a123-c066-4b90-8f66-b5e87e93c336",
	"created_at": "2026-04-06T00:22:22.159529Z",
	"updated_at": "2026-04-10T03:32:24.76221Z",
	"deleted_at": null,
	"sha1_hash": "30e589fca69eed4305c7bff1a8259101cc2f0c73",
	"title": "SafePay ransomware: The fast-rising threat targeting MSPs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63885,
	"plain_text": "SafePay ransomware: The fast-rising threat targeting MSPs\r\nArchived: 2026-04-06 00:03:32 UTC\r\nSummary\r\nIn Q1 2025, one ransomware group surged rapidly from obscurity to become one of the most active and dangerous actors on the global threat landscape: SafePay. It has quietly and aggressively built momentum, striking over 200 victims worldwide, including managed service providers (MSPs) and small-to-midsize businesses (SMBs) across industries.\r\nAcronis Threat Research Unit (TRU) analyzed several SafePay samples and confirmed the group’s use of recycled — but highly efficient — tactics, including disabling endpoint protection, deleting shadow copies and clearing logs to suppress detection and response.\r\nUnlike many ransomware groups that rely on affiliates in a ransomware-as-a-service (RaaS) model, SafePay appears to operate with centralized control, managing its own operations, infrastructure and negotiations.\r\nThe group uses classic but effective techniques: RDP- and VPN-based intrusion, credential theft, privilege escalation and living-off-the-land binaries to quietly move through victim networks, exfiltrate sensitive data and then encrypt files.\r\nMost recently, SafePay was linked to the ransomware attack that disrupted Ingram Micro, a global distributor serving thousands of partners and MSPs.\r\nSafePay ransomware: A LockBit spinoff?\r\nSafePay first appeared in 2024. In its first year of operations, it claimed more than 20 victims. While it is unknown whether SafePay is a new player or a rebrand of an old one, its samples share many similarities with the LockBit ransomware family, a well-known ransomware builder. In 2022, the LockBit 3.0 builder source code was leaked, and a variety of new ransomware appeared afterwards. The 3.0 version of the builder is also known as LockBit Black because it shares a lot of similarities with BlackByte ransomware.\r\nThe SafePay ransomware sample analyzed by TRU is a PE32 DLL with a fake compilation timestamp.\r\nThe first similarity with LockBit is a dummy function containing several sequential Windows API calls. Writing calls this way is nonsensical, because no arguments are passed to those functions, which would cause errors. In fact, in both cases those functions are never called, as execution terminates before the sample can reach this section.\r\nOther similarities with LockBit:\r\nRequires a password for full execution.\r\nAll strings are encoded.\r\nAll WinAPI addresses are resolved during execution.\r\nAvoidance of the same system languages.\r\nhttps://www.acronis.com/en-sg/tru/posts/safepay-ransomware-the-fast-rising-threat-targeting-msps/\r\nPage 1 of 7\r\nCMSTPLUA COM interface abuse for privilege escalation.\r\nCreated threads have the ‘ThreadHideFromDebugger’ flag set.\r\nA list of processes and services that must be terminated.\r\nWhile the sample is not a complete copy of LockBit 3.0 and has some differences, it is common for threat actors to change the source code to make their malware more unique and, more importantly, to add new features and improve detection avoidance.\r\nDelivery and exfiltration\r\nSafePay ransomware was delivered to the victims using RDP connections. While it is unknown how the threat actors obtained credentials, this access enabled them to disable Windows Defender and upload files to the C2 server before encrypting them. Before exfiltrating files, the attackers executed the ‘ShareFinder.ps1’ script, which finds all available network shares on hosts in the local domain. It was taken from an open source project:\r\nhttps://github.com/darkoperator/Veil-PowerView/blob/master/PowerView/functions/Invoke-ShareFinder.ps1\r\nThis script was previously spotted in Emotet attacks, as well as during the C0015 campaign, which was used to deploy Conti ransomware.\r\nTo collect files on the system, the WinRAR program was used with the following command:\r\nWinRAR.exe a -v5g -ed -r -tn1000d -m0 -mt5 -x*.rar -x*.JPEG -x*.RAW -x*.PSD -x*.TIFF -x*.BMP -x*.GIF -x*.JPG -x*.MOV -x*.pst -x*.FIT -x*.FIL -x*.mp4 -x*.avi -x*.mov -x*.mdb -x*.iso -x*.exe -x*.dll -x*.bak -x*.msg -x*.png -x*.zip -x*.ai -x*.7z -x*.DPM -x*.log -x*.dxf -x*.insp -x*.upd -x*.db -x*.dwg -x*.nc1 -x*.metadata -x*.dg -x*.inp -x*.dat -x*.TIFF -x*.tiger -x*.pcp -x*.rvt -x*.rws -x*.nwc -x*.tif -x*.frx -x*.dyf -x*.rcs -x*.diff C:\\[redacted].rar \\\\[redacted]\\C$\\Users\\\r\nAfter archiving the files, a FileZilla client was deployed to exfiltrate them to the C2 server. Once the process was complete, both WinRAR and FileZilla were removed from the targets.\r\nExecution\r\nAt the start of execution, SafePay decrypts its strings. It uses a loop that performs an XOR operation three times on each byte, each time with a different key. The first key is the current index value. The second is the first symbol from ‘kernel32.dll,’ which is always ‘M’. The last key is a constant value that differs for each encrypted string. This decryption routine is not implemented as a separate function; it is repeated inline for every string the sample contains. The sample holds its strings only in encrypted form.\r\nThe sample also does not contain an import table. It decrypts library names and loads them using the ‘LoadLibrary’ import; the addresses of their exported functions are then resolved and saved using ‘GetProcAddress’.\r\nHere is the list of library names that SafePay stores in encrypted form:\r\nadvapi32.dll, rstrtmgr.dll, ole32.dll, shell32.dll, ntdll.dll, mpr.dll, user32.dll\r\nAfter obtaining the additional imports, the SafePay sample gets the current date and time and the Windows UI language. Next, it checks whether the system language ID is larger or smaller than the saved values and jumps to the corresponding block of further comparisons. Using a ‘switch-case’ statement, SafePay either continues execution or jumps to the exit function when the obtained value matches one of the following numbers:\r\nCode | Description | BCP 47 code\r\n1049 | Russian | ru-RU\r\n1058 | Ukrainian | uk-UA\r\n1059 | Belarusian | be-BY\r\n1064 | Tajik | tg-Cyrl-TJ\r\n1067 | Armenian – Armenia | hy-AM\r\n1068 | Azerbaijani (Latin) | az-Latn-AZ\r\n1079 | Georgian | ka-GE\r\nNext, the SafePay sample gets the command line arguments and decodes additional strings. Those strings are the supported arguments:\r\nArgument | Description\r\n-uac | UAC bypass flag\r\n-network | Network propagation\r\n-selfdelete | Self-deletion after execution\r\n-log | Enable logging\r\n-netdrive | Encrypt network drives\r\n-pass= | Provide password\r\n-path= | Provide a path to encrypt\r\n-enc= | Provide encryption level\r\nTo parse arguments, the SafePay sample takes the command line used to execute it and stores it as an array of arguments, which is compared in a loop against the saved list. After each array element has been compared, the sample increments the array index by one. When an argument matches, it sets the corresponding flag to ‘1’.\r\nWhile some arguments simply set flags, others must carry additional information. For example, the password argument must consist of 38 symbols, including the ‘-pass=’ substring; otherwise the program exits.\r\nThe password itself must be 32 bytes long and is used to decode additional information in the code. If the password is unknown, execution cannot proceed.\r\nThe encryption level argument must be six symbols, including the ‘-enc=’ substring, and accepts a number from ‘1’ to ‘9’. This value is multiplied by 10 and serves as the file encryption percentage; for example, the value ‘5’ forces the sample to encrypt 50% of each file.\r\nAfter the arguments are parsed, the SafePay sample creates a new access control list (ACL) and adds an access-denied access control entry (ACE). This list is then applied using the ‘SetSecurityInfo’ function.\r\nNext, the sample tries to obtain ‘SeDebugPrivilege’.\r\nAfter obtaining this privilege, the sample creates a snapshot of all running processes in the system. It then compares their names with its own saved list, which is also stored in encoded form. When a matching process is found, it is terminated.\r\nHere is the list of processes that must be terminated:\r\nsql, oracle, ocssd, dbsnmp, synctime, agntsvc, isqlplussvc, xfssvccon, mydesktopservice, ocautoupds, encsvc, firefox, tbirdconfig, mydesktopqos, ocomm, dbeng50, sqbcoreservice, excel, infopath, msaccess, mspub, far, onenote, outlook, powerpnt, steam, thebat, thunderbird, visio, winword, wordpad, notepad, wuauclt, onedrive, sqlmangr\r\nBesides processes, the sample also terminates some services. First, it opens the service manager and searches for service names that match its own list. It then stops the services using the ‘ControlService’ function with the value ‘1’ in the ‘dwControl’ argument.\r\nThe list of services that will be terminated:\r\nvss, sqlsvc, memtas, mepocs, msexchange, Sophos, Veeam, backup, GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr\r\nAfter emptying the Recycle Bin using the ‘SHEmptyRecycleBinW’ function, the sample opens the ‘Software\\Microsoft\\Windows\\CurrentVersion\\Run’ registry path and creates a new key containing the command that was used to execute the sample, including all arguments. This causes SafePay to be executed each time Windows starts.\r\nIf the ‘-uac’ flag is passed, the sample abuses the CMSTPLUA COM interface to execute the following commands with elevated permissions using the ‘ShellExecuteW’ API function:\r\n/c vssadmin delete shadows /all /quiet\r\n/c wmic shadowcopy delete\r\n/c bcdedit /set {default} bootstatuspolicy ignoreallfailures\r\n/c bcdedit /set {default} recoveryenabled no\r\nIf the ‘-log’ argument is provided, the sample creates a log file, ‘C:\\ProgramData\\auto.log’, which records the PID (process ID), the time and a description of each performed operation.\r\nFile encryption\r\nBefore starting the encryption routine, the SafePay sample opens a handle to the system default cryptographic service provider of type RSA_AES.\r\nEach encryption thread is created in suspended mode. After creating a thread, the sample sets the ‘ThreadHideFromDebugger’ flag on it to prevent debugging and assigns it the previously duplicated token information.\r\nTo find drives on the system, the sample uses the ‘GetVolumePathNamesForVolumeNameW’ and ‘GetLogicalDrives’ imports. Each drive is checked for its type; the SafePay sample encrypts a drive only if it has type 2 (DRIVE_REMOVABLE) or 3 (DRIVE_FIXED). Additional disk information is obtained using ‘DeviceIoControl’ with the control code ‘IOCTL_DISK_GET_PARTITION_INFO’. If it finds an unmounted drive, the sample mounts it using the ‘SetVolumeMountPoint’ function.\r\nTo search for files on the system, the sample takes the drive names it found and uses the ‘FindFirstFile’ and ‘FindNextFile’ functions. For each entry, it checks the ‘dwFileAttributes’ field. If the value is 16, which marks a directory, the sample calls the same function recursively with the found folder path.\r\nWhen the sample opens a file using ‘CreateFileW’, it sets the ‘dwFlagsAndAttributes’ value to ‘0x04000000’, which is the ‘FILE_FLAG_DELETE_ON_CLOSE’ flag, so the opened file is deleted as soon as the sample closes its handle.\r\nThe sample generates 32 random bytes for each file to serve as the AES key. The AES key is then encrypted using the RSA algorithm.\r\nAfter encrypting each file in the directory, the sample uses the ‘CreateIOCompletionPort’ and ‘PostQueuedCompletionStatus’ APIs to handle multithreaded encryption safely. Finally, the sample renames the file, appending the '.safepay' extension to it.\r\nConclusion\r\nSafePay ransomware uses double extortion to ensure that victims pay their ransoms. After exfiltrating files first, the attackers deploy malware to encrypt users' files using a strong combination of the AES and RSA ciphers. The SafePay sample is a DLL file, which requires the ‘regsvr32.exe’ or ‘rundll32.dll’ utilities for execution. The sample accepts multiple arguments but always requires the ‘-pass=’ argument, as this password is used to decode additional information in the code. All saved strings and import names are stored in encrypted form, making SafePay hard to detect before it is executed.\r\nDetected by Acronis\r\nIoCs\r\nFiles\r\nSHA256\r\na0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526\r\nNetwork indicators\r\nURL\r\nhttp://nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion\r\nVanessaCooke94@protonmail.com\r\nSource: https://www.acronis.com/en-sg/tru/posts/safepay-ransomware-the-fast-rising-threat-targeting-msps/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.acronis.com/en-sg/tru/posts/safepay-ransomware-the-fast-rising-threat-targeting-msps/"
	],
	"report_names": [
		"safepay-ransomware-the-fast-rising-threat-targeting-msps"
	],
	"threat_actors": [
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434942,
	"ts_updated_at": 1775791944,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/30e589fca69eed4305c7bff1a8259101cc2f0c73.pdf",
		"text": "https://archive.orkl.eu/30e589fca69eed4305c7bff1a8259101cc2f0c73.txt",
		"img": "https://archive.orkl.eu/30e589fca69eed4305c7bff1a8259101cc2f0c73.jpg"
	}
}