A new ransomware threat in 2025, SafePay, has executed over 265 attacks across various continents. The group emerged in September 2024, initially targeting around 20 victims. Since early 2025, it has significantly intensified its operations and now poses a serious threat in global ransomware.
Source: SOCRadar
SafePay’s victims are mostly in developed economies, showing a targeted strategy. The United States has 103 confirmed victims, nearly 40% of all cases, followed by Germany with 47 recorded incidents.
Targets also include the United Kingdom, Australia, Canada, and several countries in Latin America and the Asia-Pacific. SOCRadar analysts found that SafePay intentionally avoids targeting organizations in Commonwealth of Independent States countries using a language detection feature.
Source: SOCRadar
The malware has checks that immediately stop it from running if the system uses Armenian, Azerbaijani, Belarusian, Georgian, Kazakh, Russian, or Ukrainian languages, indicating that the operators want to evade legal action in these areas.
SafePay operators routinely disable Microsoft Defender and other security measures using administrative commands and Group Policy changes, including adding folder exclusions and turning off real-time protection.
Source: SOCRadar
The malware uses encrypted strings, dynamic loading, and advanced packing techniques to avoid detection. Click here to read the full report.