Skip to content
The Nexus
Group profile51 claimed in last 30d76 total tracked

safepay

Forward this

SafePay emerged in September 2024 as a rapidly growing ransomware operation that explicitly disavows the RaaS model and manages all operations internally, claiming over 300 victims worldwide by mid-2025 with a high-profile early attack against UK telematics firm Microlise stealing 1.2 TB of data.

First seen: May 18 · 15:54 UTCLast seen: Jul 6 · 19:42 UTC
Sectors hit
  • Unspecified9
  • Consumer Services6
  • Business Services5
  • Transportation/Logistics4
  • Manufacturing4
  • Construction4
  • Technology3
  • Healthcare3
Countries hit
  • Germany22
  • Italy5
  • United States3
  • Japan3
  • United Kingdom3
  • Spain3
  • Canada3
  • Australia1
MITRE ATT&CK · observed TTPs14 tactics

Tactics and techniques attributed to SAFEPAY by ransomware.live's curated TTP catalog. Identifiers link to the canonical MITRE ATT&CK reference for each tactic or sub-technique.

  • TA0001Initial Access
    • T1078Valid Accounts

      The threat actor accessed the endpoint via Remote Desktop Protocol (RDP) using valid credentials.

    • T1091Replication Through Removable Media
    • T1189Drive-by Compromise
    • T1190Exploit Public-Facing Application
    • T1566.001Phishing: Spearphishing Attachment
    • T1566.002Phishing: Spearphishing Link
    • T1566.003Phishing: Spearphishing Voice
  • TA0002Execution
    • T1047Windows Management Instrumentation
    • T1047Windows Management Instrumentation

      Employed WMI commands to execute processes on remote systems.

    • T1053.005Scheduled Task/Job: Scheduled Task
    • T1059Command and Scripting Interpreter

      Utilized PowerShell scripts, such as ShareFinder.ps1, to execute commands on the compromised system.

    • T1059.001Command and Scripting Interpreter: PowerShell
    • T1059.003Command and Scripting Interpreter: Windows Command Shell
    • T1059.005Command and Scripting Interpreter: Visual Basic
    • T1106Native API
    • T1129Shared Modules
    • T1203Exploitation for Client Execution
    • T1204.001User Execution: Malicious Link
    • T1204.002User Execution: Malicious File
  • TA0003Persistence
    • T1078Valid Accounts

      Maintained access through the use of compromised valid accounts.

    • T1098Account Manipulation
    • T1505.004Server Software Component: IIS Components
    • T1542.003Pre-OS Boot: Bootkit
    • T1543.003Create or Modify System Process: Windows Service
    • T1547Boot or Logon Autostart Execution
    • T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    • T1547.009Boot or Logon Autostart Execution: Shortcut Modification
    • T1574.001Hijack Execution Flow: DLL Search Order Hijacking
  • TA0004Privilege Escalation
    • T1078Valid Accounts

      Escalated privileges by leveraging valid domain accounts.

    • T1134.002Access Token Manipulation: Create Process with Token
    • T1134.004Access Token Manipulation: Parent PID Spoofing
  • TA0005Defense Evasion
    • T1014Rootkit
    • T1027Obfuscated Files or Information
    • T1027.002Obfuscated Files or Information: Software Packing
    • T1027.005Obfuscated Files or Information: Indicator Removal from Tools
    • T1027.007Obfuscated Files or Information: Dynamic API Resolution
    • T1027.009Obfuscated Files or Information: Embedded Payloads
    • T1027.013Obfuscated Files or Information: Encrypted/Encoded File
    • T1027.016Obfuscated Files or Information: Junk Code Insertion
    • T1036Masquerading
    • T1036.003Masquerading: Rename Legitimate Utilities
    • T1036.004Masquerading: Masquerade Task or Service
    • T1036.005Masquerading: Match Legitimate Name or Location
    • T1036.007Masquerading: Double File Extension
    • T1036.008Masquerading: Masquerade File Type
    • T1055Process Injection
    • T1055.001Process Injection: DLL Injection
    • T1070Indicator Removal
    • T1070.003Indicator Removal: Clear Command History
    • T1070.004Indicator Removal: File Deletion
    • T1070.006Indicator Removal: Timestomp
    • T1112Modify Registry
    • T1140Deobfuscate/Decode Files or Information
    • T1218System Binary Proxy Execution
    • T1218.004System Binary Proxy Execution: InstallUtil
    • T1218.005System Binary Proxy Execution: Mshta
    • T1218.007System Binary Proxy Execution: Msiexec
    • T1218.010System Binary Proxy Execution: Regsvr32
    • T1218.011System Binary Proxy Execution: Rundll32
    • T1218.014System Binary Proxy Execution: MMC
    • T1220XSL Script Processing
    • T1221Template Injection
    • T1222File and Directory Permissions Modification
    • T1497Virtualization/Sandbox Evasion
    • T1497.001Virtualization/Sandbox Evasion: System Checks
    • T1497.003Virtualization/Sandbox Evasion: Time Based Checks
    • T1553.002Subvert Trust Controls: Code Signing
    • T1562.001Disable or Modify Tools

      Disabled Windows Defender using a sequence of LOLBin commands to evade detection.

    • T1562.001Impair Defenses: Disable or Modify Tools
    • T1562.004Impair Defenses: Disable or Modify System Firewall
    • T1564.001Hidden Artifacts: Hidden Files and Directories
    • T1574Hijack Execution Flow
    • T1574.013Hijack Execution Flow: KernelCallbackTable
    • T1620Reflective DLL Injection
    • T1622Debugger Evasion
  • TA0006Credential Access
    • T1003OS Credential Dumping

      Employed tools like lsassy.py to dump credentials from the operating system.

    • T1003.003OS Credential Dumping: NTDS
    • T1056Input Capture
    • T1056.001Input Capture: Keylogging
    • T1110.003Brute Force: Password Spraying
    • T1555Credentials from Password Stores
    • T1557.001Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning
  • TA0007Discovery
    • T1010Application Window Discovery
    • T1012Query Registry
    • T1016System Network Configuration Discovery
    • T1033System Owner/User Discovery
    • T1046Network Service Discovery
    • T1049System Network Connections Discovery
    • T1057Process Discovery
    • T1082System Information Discovery
    • T1083File and Directory Discovery
    • T1087.002Account Discovery: Domain Account
    • T1119Automated Collection
    • T1120Peripheral Device Discovery
    • T1124Time Discovery
    • T1482Domain Trust Discovery

      Conducted domain trust discovery using commands like 'net group domain admins /domain' and 'nltest.exe'.

    • T1614.001System Location Discovery: System Language Discovery
  • TA0008Lateral Movement
    • T1021Remote Services

      Moved laterally within the network using Remote Desktop Protocol (RDP) and Windows Management Instrumentation (WMI).

    • T1021.001Remote Services: Remote Desktop Protocol
    • T1021.002Remote Services: SMB/Windows Admin Shares
    • T1021.004Remote Services: SSH
    • T1091Replication Through Removable Media
    • T1534Internal Spearphishing
  • TA0009Collection
    • T1005Data from Local System
    • T1074Data Staged
    • T1074.001Data Staged: Local Data Staging
    • T1560Archive Collected Data

      Archived files using WinRAR with specific command-line options to prepare data for exfiltration.

    • T1560.002Archive Collected Data: Archive via Library
    • T1560.003Archive Collected Data: Archive via Custom Method
  • TA0010Exfiltration
    • T1041Exfiltration Over C2 Channel
    • T1048.003Exfiltration Over Alternative Protocol: Unencrypted Non-C2 Protocol
    • T1052.001Exfiltration Over Physical Medium: Exfiltration over USB
    • T1567.002Exfiltration Over Web Service

      Utilized MEGASync to exfiltrate data over a web service.

    • T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage
  • TA0011Command and Control
  • TA0040Impact
    • T1485Data Destruction
    • T1486Data Encrypted for Impact

      Encrypted files and appended the '.safepay' extension, leaving a ransom note named 'readme_safepay.txt'.

    • T1489Service Stop
    • T1490Inhibit System Recovery

      Deleted volume shadow copies to inhibit system recovery.

    • T1491.001Defacement: Internal Defacement
    • T1529System Shutdown/Reboot
    • T1561.001Disk Wipe: Disk Content Wipe
    • T1561.002Disk Wipe: Disk Structure Wipe
  • TA0042Resource Development
  • TA0043Reconnaissance
    • T1589.002Gather Victim Identity Information: Email Addresses
    • T1591Gather Victim Org Information
    • T1591.004Gather Victim Org Information: Identify Roles
    • T1593.001Search Open Websites/Domains: Social Media
Recent claimed victims
Jul 6 · 21:52 UTC

stedwardscatholicfirstschool.co.uk

Jul 6 · 21:51 UTC

lh-wohnverbund-wohnen-nrw.de

Business ServicesUnited StatesJul 6 · 19:43 UTC

matrixwebagency.com

matrixwebagency.com
ConstructionGermanyJul 6 · 19:42 UTC

bmiprojects.de

bmiprojects.de
HealthcareGermanyJul 6 · 19:41 UTC

caritas-koblenz.de

caritas-koblenz.de
ConstructionGermanyJul 6 · 19:41 UTC

knobel-bau.de

knobel-bau.de
Business ServicesGermanyJul 6 · 19:40 UTC

rtngmbh.de

rtngmbh.de
EducationUnited KingdomJul 6 · 19:40 UTC

stedwardscatholicfirstschool.co.uk

stedwardscatholicfirstschool.co.uk
Consumer ServicesGermanyJul 6 · 19:39 UTC

lh-wohnverbund-wohnen-nrw.de

lh-wohnverbund-wohnen-nrw.de
GermanyJul 6 · 19:39 UTC

shw-fr.de

shw-fr.de
Transportation/LogisticsGermanyJul 6 · 18:55 UTC

hahn-airport.de

hahn-airport.de
Transportation/LogisticsGermanyJul 6 · 18:55 UTC

hahn-airport.de

hahn-airport.de
Public SectorGermanyJul 1 · 20:36 UTC

awo-suedost.de

awo-suedost.de
GermanyJul 1 · 20:35 UTC

dia179.com

dia179.com
HealthcareUnited StatesJul 1 · 20:34 UTC

eaglecrestlife.org

eaglecrestlife.org
ManufacturingGermanyJun 27 · 18:28 UTC

hellmold-plank.de

hellmold-plank.de
GermanyJun 22 · 21:34 UTC

ehg.bayern

ehg.bayern
ItalyJun 17 · 20:26 UTC

seinordovest.it

seinordovest.it
Consumer ServicesAustraliaJun 17 · 20:25 UTC

harcourts.net

harcourts.net
ManufacturingGermanyJun 17 · 20:25 UTC

zaunsysteme.de

zaunsysteme.de
Consumer ServicesItalyJun 17 · 20:24 UTC

brscappuccio.it

brscappuccio.it
Agriculture and Food ProductionGermanyJun 17 · 20:24 UTC

gut-heckenhof.de

gut-heckenhof.de
Jun 15 · 21:49 UTC

bautz-maschinenbau.de

Business ServicesGermanyJun 15 · 19:27 UTC

hughstirling.co.uk

hughstirling.co.uk
ConstructionJapanJun 15 · 19:27 UTC

tokyocivil.co.jp

tokyocivil.co.jp
ManufacturingGermanyJun 15 · 19:25 UTC

bautz-maschinenbau.de

bautz-maschinenbau.de
Consumer ServicesSpainJun 15 · 19:24 UTC

aquaclean.com

aquaclean.com
Public SectorUnited StatesJun 15 · 19:24 UTC

hoodriversheriff.com

hoodriversheriff.com
SpainJun 2 · 17:21 UTC

iql-nog.com

iql-nog.com
Hospitality and TourismItalyJun 1 · 19:53 UTC

tavolaspa.com

tavolaspa.com
SAFEPAY · Underground group profile · The Nexus