
SafePay ransomware gang ramps up attacks


GBHackers News reports that more than 200 organizations around the world have already been compromised by the SafePay ransomware group, which became one of the most prolific threat operations in the first quarter of 2025.

SafePay's attacks have been marked by technical sophistication, according to an analysis from the Acronis Threat Research Unit: the group exploits RDP and VPN connections to breach networks, uses exfiltrated credentials to circumvent endpoint protection systems, and then improves its stealth by deleting shadow copies and logs. SafePay later uses the open-source ShareFinder.ps1 script for network share discovery and data exfiltration. Beyond encrypting data, the SafePay binary, which relies on XOR-based string decryption, dynamic library loading, and argument parsing, also alters the Windows registry for persistence and removes backups and recovery options through built-in commands, the researchers said. The threat posed by SafePay should prompt organizations to implement more robust RDP and VPN security defenses, the researchers added.
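The recovery-inhibition and anti-forensics behaviour described above (shadow copy deletion, backup and recovery removal through built-in commands, log clearing, ShareFinder.ps1 discovery) is exactly the kind of pre-encryption activity a SOC can alert on from process-creation and event-log telemetry. The following detection script is an added example written for this page; it is not code from the article, from Acronis, or from SafePay's tooling. The event dictionaries, host names and command lines are constructed test data modelled on Sysmon process-creation events and on the Windows log-clear event IDs (Security 1102, System 104); the command-line patterns are commonly documented recovery-inhibition commands, not indicators taken from the article, and the per-host correlation threshold is an assumption.

```python
"""Detect ransomware-style recovery inhibition and log clearing from host telemetry.

Added example for the SafePay article; event shapes, sample data and rule
patterns are assumptions (modelled on Sysmon Event ID 1 and Windows log-clear
events), not artefacts from the Acronis analysis.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Rules over the process command line.  Each is a well-known way of removing
# shadow copies, backups or recovery options, or of running ShareFinder.ps1.
COMMAND_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+(\{[^}]+\}\s+)?"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup_catalog_deleted",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("sharefinder_discovery",
     re.compile(r"sharefinder\.ps1|invoke-sharefinder", re.I)),
]

# Windows event IDs written when an event log is cleared.
LOG_CLEAR_EVENT_IDS = {1102: "security_log_cleared", 104: "event_log_cleared"}


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    evidence: str


def scan_event(event: dict) -> list[Alert]:
    """Return every alert a single event raises (possibly none)."""
    alerts = []
    host = event.get("host", "unknown")
    event_id = event.get("event_id")
    if event_id in LOG_CLEAR_EVENT_IDS:
        channel = event.get("channel", "?")
        alerts.append(Alert(host, LOG_CLEAR_EVENT_IDS[event_id],
                            f"event_id={event_id} channel={channel}"))
    command_line = event.get("command_line", "")
    for name, pattern in COMMAND_RULES:
        if pattern.search(command_line):
            alerts.append(Alert(host, name, command_line))
    return alerts


def scan_events(events) -> list[Alert]:
    """Run scan_event over an iterable of events and flatten the alerts."""
    return [alert for event in events for alert in scan_event(event)]


def hosts_with_recovery_inhibition(alerts, min_distinct_rules: int = 2) -> dict[str, set[str]]:
    """Correlate alerts per host.

    A lone 'vssadmin delete shadows' can be a storage administrator reclaiming
    space; several distinct rules firing on one host is the pre-encryption
    pattern and deserves an incident, not just a ticket.  The threshold of two
    distinct rules is an assumption to be tuned per environment.
    """
    rules_by_host: dict[str, set[str]] = defaultdict(set)
    for alert in alerts:
        rules_by_host[alert.host].add(alert.rule)
    return {host: rules for host, rules in rules_by_host.items()
            if len(rules) >= min_distinct_rules}


# Constructed sample telemetry (not real logs).  WS01 shows the full chain,
# FS02 only share discovery, SRV03 benign administration, SRV04 one command.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 1, "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "event_id": 1, "command_line": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS01", "event_id": 1, "command_line": "wbadmin delete catalog -quiet"},
    {"host": "WS01", "event_id": 1102, "channel": "Security"},
    {"host": "FS02", "event_id": 1,
     "command_line": r"powershell.exe -File C:\Users\Public\ShareFinder.ps1"},
    {"host": "SRV03", "event_id": 1, "command_line": "vssadmin list shadows"},
    {"host": "SRV04", "event_id": 1, "command_line": "wmic shadowcopy delete"},
]


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for alert in found:
        print(f"[{alert.rule}] {alert.host}: {alert.evidence}")
    print("hosts to escalate:", hosts_with_recovery_inhibition(found))
```

Run as a script it lists six alerts and escalates only WS01, where four distinct rules fired; the single `wmic shadowcopy delete` on SRV04 is surfaced as an alert but not escalated, and the benign `vssadmin list shadows` on SRV03 matches nothing. In production the same rules map onto Sysmon Event ID 1 (or Security 4688 with command-line auditing enabled) and the log-clear events, and the per-host correlation is what keeps the shadow-copy rule from drowning in routine storage administration.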
