What is the SafePay ransomware and how does it use double extortion to target businesses?
SafePay is a recent ransomware threat that emerged in late 2024 and continues to spread rapidly across industries in 2025. It uses a double extortion strategy—stealing sensitive data before encrypting files—to pressure victims into paying a ransom. SafePay targets sectors like retail, manufacturing, education, and services using old yet effective tactics, such as exploiting unsecured RDP access, disabling antivirus software, and deleting backups. Victims find their files renamed with the .safepay extension and are threatened with data leaks unless they pay via Tor-based portals. This ransomware strain shows how traditional cyberattack methods, when combined with modern extortion techniques, can have a devastating impact if defenses aren't updated.
In late 2024, a new ransomware strain called SafePay began targeting businesses across multiple industries. It has already hit companies in sectors like education, manufacturing, retail, and services. SafePay uses a well-known and dangerous tactic known as double extortion—stealing data before encrypting it, then demanding payment to both unlock files and prevent public exposure of the stolen information.
What makes SafePay especially dangerous is its simplicity. The attackers don’t rely on complex strategies. They use direct attacks, steal sensitive data, encrypt critical files, and pressure victims to pay by threatening public leaks. Any organization—regardless of its size—is at risk if it has data that can be sold or ransomed.
How Does SafePay Ransomware Infect Systems?
SafePay infections typically begin when attackers exploit weak points in a company’s network. These may include unpatched software vulnerabilities or exposed Remote Desktop Protocol (RDP) services. Once inside the network, the attackers use tools like PowerShell, WinRAR, FileZilla, Mimikatz, and PsExec to gain access, steal data, and spread the malware.
After disabling antivirus protections and deleting shadow copies (to prevent easy file recovery), the attackers exfiltrate sensitive information. Then they deploy the ransomware, which encrypts files and adds the “.safepay” extension. Victims are left with a ransom note—often named README_RECOVER_FILES.txt or DECRYPT_INSTRUCTIONS.txt—containing payment instructions and a threat to leak the stolen data if the ransom isn’t paid.
The Double Extortion Technique Explained
Double extortion is a method where cybercriminals don’t just lock your files—they steal them first. If you refuse to pay for decryption, they threaten to publish your private or business-critical data online. This tactic increases pressure on the victim and raises the likelihood of payment.
SafePay attackers prefer direct and fast execution, using batch scripts to disable system protections and automate file encryption. They don’t hide their presence—they aim to cause maximum damage quickly.
Key Signs Your System May Be Compromised by SafePay
There are a few warning signs that may indicate a SafePay infection:
- Your files suddenly have the .safepay extension.
- Ransom notes appear with names like README_RECOVER_FILES.txt.
- Sensitive tools like WinRAR, FileZilla, or PsExec show up unexpectedly on systems.
- Network monitoring reveals traffic to suspicious command and control (C2) IP addresses, such as 185.225.73[.]50.
- Tor browser links appear in ransom notes directing users to payment portals.
These indicators are strong signs that data has been stolen and systems have been encrypted.
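The indicators above can be checked mechanically. The following is an added example written for this article (it is not code from any vendor, incident report or the SafePay operators): it matches constructed file paths against the .safepay extension, the two ransom note names and the high-risk tool binaries, and matches constructed firewall-style log lines against the C2 address, refanging the published `185.225.73[.]50` form first so it compares against what real logs contain. The executable names, the log format and the sample inputs are assumptions made for the example.

```python
"""Match host and network artefacts against the SafePay indicators named in
the article. Added example, not vendor or project code; all sample data is
constructed for illustration."""
import re
from pathlib import PureWindowsPath

RANSOMWARE_EXTENSION = ".safepay"
RANSOM_NOTE_NAMES = {"readme_recover_files.txt", "decrypt_instructions.txt"}
# Assumed executable names for the legitimate tools the article says appear
# unexpectedly on compromised systems.
HIGH_RISK_TOOLS = {"winrar.exe", "filezilla.exe", "psexec.exe", "mimikatz.exe"}
# Indicator as published (defanged); refanged before matching.
C2_IP_DEFANGED = "185.225.73[.]50"


def refang(indicator: str) -> str:
    """Turn a defanged address such as 185.225.73[.]50 back into 185.225.73.50."""
    return indicator.replace("[.]", ".")


def classify_path(path: str) -> list[str]:
    """Return the indicator categories a single file path matches (may be empty)."""
    name = PureWindowsPath(path).name.lower()
    hits = []
    if name.endswith(RANSOMWARE_EXTENSION):
        hits.append("encrypted_file")
    if name in RANSOM_NOTE_NAMES:
        hits.append("ransom_note")
    if name in HIGH_RISK_TOOLS:
        hits.append("high_risk_tool")
    return hits


def scan_paths(paths):
    """Map every matching path to its categories; paths with no hit are dropped."""
    return {p: hits for p in paths if (hits := classify_path(p))}


def scan_network_log(lines, c2_ips=(C2_IP_DEFANGED,)):
    """Return the log lines that reference a known C2 address.

    The lookarounds stop 185.225.73.50 from matching inside 185.225.73.500
    or 1185.225.73.50, which a plain substring search would accept."""
    alternatives = "|".join(re.escape(refang(ip)) for ip in c2_ips)
    pattern = re.compile(r"(?<![\d.])(?:" + alternatives + r")(?![\d.])")
    return [line for line in lines if pattern.search(line)]


# Constructed sample inputs (not from a real incident).
SAMPLE_PATHS = [
    r"C:\Users\finance\Documents\Q3-report.xlsx.safepay",
    r"C:\Users\finance\Desktop\README_RECOVER_FILES.txt",
    r"C:\ProgramData\tmp\PsExec.exe",
    r"C:\Users\finance\Documents\notes.txt",
]
SAMPLE_NETWORK_LOG = [
    "2025-03-02T01:12:09Z ALLOW TCP src=10.0.4.21 dst=185.225.73.50 dport=443 bytes=8120394",
    "2025-03-02T01:12:11Z ALLOW TCP src=10.0.4.22 dst=192.0.2.10 dport=443 bytes=5120",
    "2025-03-02T01:12:12Z ALLOW UDP src=10.0.4.23 dst=192.0.2.53 dport=53 bytes=96",
]

if __name__ == "__main__":
    for path, categories in scan_paths(SAMPLE_PATHS).items():
        print(f"{', '.join(categories):>16}  {path}")
    for line in scan_network_log(SAMPLE_NETWORK_LOG):
        print("c2_traffic        ", line)
```

Run against real data, `scan_paths` would be fed a file listing from the affected share and `scan_network_log` the firewall or proxy export; the categories are kept separate so an encrypted file and an unexpected tool on the same host can be triaged differently.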
How to Protect Your Organization Against SafePay
Strengthen Your Remote Access Points
If your organization uses Remote Desktop Protocol (RDP), ensure that it is properly secured. Use Multi-Factor Authentication (MFA) and restrict access only to trusted IP addresses. Any exposed or poorly protected RDP instance is an open invitation to ransomware operators.
Monitor High-Risk Tools
Tools like WinRAR, FileZilla, and Mimikatz are legitimate, but they’re also commonly used in cyberattacks. If these appear suddenly on your systems, especially on servers or workstations that don’t normally use them, that’s a major red flag.
Safeguard Backups
Make sure you maintain offline or immutable backups that cannot be easily deleted or overwritten. Configure your systems to alert you when commands like vssadmin delete shadows are executed, as this could indicate a ransomware attack is underway.
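The two recommendations above (flag high-risk tools on hosts that do not normally run them, and alert on vssadmin delete shadows) are both questions asked of process-creation telemetry. Here is an added example illustrating both, written for this article rather than taken from any EDR product or the page's sources: it parses constructed key=value telemetry lines, recognises a shadow-copy deletion regardless of argument order, casing or full path, and compares each high-risk tool launch against an assumed per-host baseline of where that tool is expected. The log format, the baseline and the sample events are constructed assumptions.

```python
"""Detect two SafePay precursors in process-creation telemetry: shadow-copy
deletion with vssadmin, and a high-risk admin tool launching on a host that
is not known to use it. Added example, not vendor code; sample lines are
constructed."""
import re
from dataclasses import dataclass

# Tokens that together mean "delete shadow copies" (article: vssadmin delete shadows).
SHADOW_DELETE_SIGNATURES = (("vssadmin", "delete", "shadows"),)
# Assumed executable names for the tools the article lists.
HIGH_RISK_TOOLS = {"winrar.exe", "filezilla.exe", "psexec.exe", "mimikatz.exe"}
# Constructed baseline: which tools each host is expected to run. In practice
# this comes from an asset inventory or a learning period.
TOOL_BASELINE = {"it-admin-01": {"psexec.exe"}, "fileserver-02": {"winrar.exe"}}

# key=value pairs; values with spaces are double-quoted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    image: str          # full path of the executable
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed telemetry line into a ProcessEvent."""
    fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}
    return ProcessEvent(
        timestamp=fields.get("ts", ""),
        host=fields.get("host", "").lower(),
        user=fields.get("user", ""),
        image=fields.get("image", ""),
        command_line=fields.get("cmd", ""),
    )


def is_shadow_copy_deletion(command_line: str) -> bool:
    """True when the command deletes shadow copies; tolerant of path, case and flag order."""
    tokens = {tok.lower().rsplit("\\", 1)[-1].removesuffix(".exe") for tok in command_line.split()}
    return any(all(word in tokens for word in sig) for sig in SHADOW_DELETE_SIGNATURES)


def is_unexpected_tool(event: ProcessEvent) -> bool:
    """True when a high-risk tool runs on a host whose baseline does not include it."""
    tool = event.image.lower().rsplit("\\", 1)[-1]
    return tool in HIGH_RISK_TOOLS and tool not in TOOL_BASELINE.get(event.host, set())


def detect(lines):
    """Return (alert_type, host, command_line) for every event that trips a rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_shadow_copy_deletion(ev.command_line):
            alerts.append(("shadow_copy_deletion", ev.host, ev.command_line))
        if is_unexpected_tool(ev):
            alerts.append(("unexpected_high_risk_tool", ev.host, ev.command_line))
    return alerts


# Constructed sample telemetry (not from a real incident).
SAMPLE_EVENTS = [
    r'ts=2025-03-02T01:05:33Z host=fileserver-02 user=CORP\svc-backup image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin.exe Delete Shadows /All /Quiet"',
    r'ts=2025-03-02T01:05:40Z host=fileserver-02 user=CORP\svc-backup image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin.exe list shadows"',
    r'ts=2025-03-02T01:06:02Z host=it-admin-01 user=CORP\jdoe image="C:\Tools\PsExec.exe" cmd="PsExec.exe"',
    r'ts=2025-03-02T01:06:15Z host=hr-ws-17 user=CORP\asmith image="C:\Users\asmith\AppData\Local\Temp\PsExec.exe" cmd="PsExec.exe"',
    r'ts=2025-03-02T01:07:01Z host=fileserver-02 user=CORP\svc-backup image="C:\Program Files\WinRAR\WinRAR.exe" cmd="WinRAR.exe"',
]

if __name__ == "__main__":
    for alert_type, host, cmd in detect(SAMPLE_EVENTS):
        print(f"{alert_type:<26} {host:<14} {cmd}")
```

The listing-only `vssadmin list shadows` line and the PsExec launch on the administrator workstation are deliberately included as non-alerts: a rule that fires on every vssadmin or PsExec invocation trains analysts to ignore it, so the rule keys on the destructive verb and on deviation from the host baseline.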
Harden Your Endpoint Security
Ensure that Windows Defender or your organization’s antivirus solution cannot be disabled by attackers. Monitor changes in Group Policy settings, and implement EDR (Endpoint Detection and Response) or XDR (Extended Detection and Response) platforms to identify threats early in the attack lifecycle.
What to Know About SafePay Ransomware
| Feature | Details |
|---|---|
| First Known Appearance | October 2024 |
| Attack Method | Double Extortion (data theft + file encryption) |
| File Extension Used | .safepay |
| Common Tools Used | PowerShell, Mimikatz, PsExec, WinRAR, FileZilla |
| Ransom Note File Names | README_RECOVER_FILES.txt, DECRYPT_INSTRUCTIONS.txt |
| Targeted Sectors | Services, Retail, Manufacturing, Education |
| Command & Control Server IP | 185.225.73[.]50 |
| Preventive Measures | MFA for RDP, monitor tools, secure backups, deploy EDR/XDR |
Conclusion
SafePay ransomware may not use new techniques, but it proves that old tactics are still effective—especially when companies leave doors open through weak configurations or poor visibility. If your defenses are outdated or your backups are online and vulnerable, you’re a target.
The key to stopping attacks like SafePay is a proactive approach: close exposed services, monitor your systems closely, and maintain resilient offline backups. When combined with employee awareness and strong security controls, this approach can prevent ransomware from holding your business hostage.
FAQs
What is SafePay ransomware?
SafePay is a type of ransomware that steals data and encrypts files, demanding a ransom payment with a threat to leak the data if victims don’t pay.
When was SafePay ransomware first discovered?
SafePay was first seen in October 2024 and has continued to evolve through 2025.
How does SafePay infect systems?
It commonly spreads through exposed RDP access, software vulnerabilities, and phishing techniques.
What is double extortion in ransomware?
Double extortion involves both encrypting the victim’s files and threatening to publish stolen data if a ransom isn’t paid.
What file extension does SafePay use?
It appends the .safepay extension to encrypted files.
Which industries are being targeted by SafePay?
Industries like retail, services, education, and manufacturing have been major targets.
What ransom note filenames are used by SafePay?
The most common filenames are README_RECOVER_FILES.txt and DECRYPT_INSTRUCTIONS.txt.
How is stolen data exfiltrated in SafePay attacks?
Attackers use tools like WinRAR to compress data and FileZilla to transfer it out of the network.
Which tools are used by SafePay operators?
They commonly use PowerShell, Mimikatz, PsExec, WinRAR, and FileZilla.
What is the command & control IP associated with SafePay?
One identified IP is 185.225.73[.]50.
Can SafePay disable antivirus software?
Yes, it can disable antivirus protections to avoid detection during encryption.
What does SafePay do to backups?
It deletes shadow copies to prevent easy file recovery.
How can I tell if I’ve been infected by SafePay?
Look for .safepay files, ransom notes, and unexpected tools like WinRAR or PsExec on your system.
What is the ransom payment method?
SafePay uses Tor-based portals and typically demands cryptocurrency.
Can small businesses be affected by SafePay?
Yes, SafePay targets any organization with valuable data, regardless of size.
What is the role of PsExec in SafePay attacks?
PsExec is used to move laterally across the network and run commands remotely.
Is SafePay a Ransomware-as-a-Service (RaaS)?
Yes, it operates under the RaaS model, enabling other attackers to use it for profit.
How do attackers disable backups with batch scripts?
They use scripts to disable services, delete shadow copies, and weaken system defenses.
Why is securing RDP important?
Unprotected RDP access is one of the most common entry points for ransomware attacks like SafePay.
What’s the best way to protect against SafePay?
Use MFA, restrict RDP access, monitor for high-risk tools, and maintain offline backups.
What are some signs of SafePay infection?
Unusual file extensions, ransom notes, and unknown admin tools appearing on your network.
How can organizations monitor for SafePay indicators?
Deploy EDR/XDR solutions and set alerts for suspicious tools or large file transfers.
Can antivirus detect SafePay ransomware?
Traditional antivirus may miss it if the malware disables the software or evades detection with custom scripts.
Are there public decryption tools for SafePay?
As of now, no free decryption tools are available for SafePay’s encryption method.
How can I recover from a SafePay ransomware attack?
Restore from offline backups and consult professional incident response teams.
Does SafePay affect cloud environments?
Yes, if cloud backups or RDP access points are not properly secured, they can also be targeted.
Can SafePay spread across a network?
Yes, using tools like PsExec, it can move laterally and encrypt other machines.
Is SafePay still active in 2025?
Yes, reports show that it continues to be active and dangerous throughout 2025.
Does SafePay impersonate system processes?
It can use legitimate tools and processes to avoid raising suspicion during its attack.
What should organizations do after a SafePay attack?
Immediately isolate infected machines, notify your cybersecurity team, preserve evidence, and avoid paying unless necessary.