July 23, 2025
By esentry team

When the Devil Comes Without an Invitation

They say the snake that whispers loudest often wears borrowed fangs. And in Q2 2025, a new serpent slithered into the ransomware jungle, fangs sharpened, name freshly etched in fear.

Its name? SafePay. But don’t let the name fool you, there’s nothing “safe” about it unless you're the attacker cashing in.

From shadows to headlines, SafePay has carved out notoriety with surgical precision: over 200 victims and counting, spanning continents, industries, and unsuspecting corners of the digital world.

Where most ransomware gangs rely on rented muscle through RaaS (ransomware-as-a-service), SafePay is building its empire in-house.

What Makes SafePay Different?

This isn’t your average copycat campaign. While SafePay may have borrowed LockBit’s skeleton (thank you, 2022 source code leak), the malware’s architecture is built around:

  • Runtime-resolved API calls
  • Language checks
  • CMSTPLUA privilege escalation, ThreadHideFromDebugger, and classic anti-analysis
  • AES per file + RSA key wrapping, finished with a .SafePay signature on every encrypted file
  • Custom XOR loop decryption for string concealment

SafePay skips media and backup files when compressing with WinRAR, quietly exfiltrates data with FileZilla, then nukes the evidence and your defenses, disabling Windows Defender, clearing logs, and emptying the Recycle Bin.

The Front Door No One Locked

SafePay’s favorite trick is painfully simple: walk through the front door. Or in this case, compromise Remote Desktop Protocol (RDP) credentials.

Once inside, it starts its attack process:

  • Disable Defender
  • Run ShareFinder.ps1 for internal recon
  • Exfiltrate sensitive data via FileZilla
  • Encrypt and vanish

Ingram Micro

If you're wondering how bad SafePay can get, look no further than Ingram Micro, the global IT distribution giant. One attack crippled services to thousands of MSPs, a reminder that ransomware doesn't just lock files; it breaks supply chains.

So, before your data gets the .SafePay treatment, invest in what matters: resilience, visibility, and response speed.

How to Defang the Snake

Harden RDP or Nuke It Entirely

  • Disable RDP where not absolutely needed.
  • Enforce multi-factor authentication and network-level authentication.
  • Use geo-fencing and restrict RDP access via VPN or jump servers.

Behavioral Detection > Signature Reliance

  • Set up alerts for:
    • Creation of registry entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • Launch of WinRAR, FileZilla, or PowerShell scripts like ShareFinder.ps1
    • Processes disabling Defender or terminating security services
  • Monitor for non-standard usage of COM objects like CMSTPLUA.
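As an added example (not esentry's code and not a SafePay artifact), a small Python triage pass that applies the alert criteria above to constructed Sysmon-style events. The tool paths, command lines, the SID and the Set-MpPreference tamper pattern are assumptions made for the sample; real telemetry will differ.

```python
import re

# Constructed sample events in a Sysmon-like shape (not real SafePay telemetry).
# type 1 = process creation, type 13 = registry value set.
# Note: Sysmon logs HKCU under HKU\<SID>, so the Run-key match ignores the hive prefix.
SAMPLE_EVENTS = [
    {"type": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -ep bypass -File C:\Users\Public\ShareFinder.ps1"},
    {"type": 1, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r C:\Users\Public\out.rar D:\Finance'},
    {"type": 1, "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "cmd": "filezilla.exe"},
    {"type": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": 13, "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\Public\svc.exe"},
    {"type": 1, "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},  # benign control
]

# Tools the write-up calls out: WinRAR staging, FileZilla exfil, ShareFinder.ps1 recon.
TOOL_LAUNCH = re.compile(r"(winrar\.exe|filezilla\.exe|sharefinder\.ps1)", re.I)
# Defender tampering via PowerShell cmdlet or service stop (assumed patterns, not page IoCs).
DEFENDER_TAMPER = re.compile(
    r"(Set-MpPreference\s+-Disable\w+|(?:sc|net)(?:\.exe)?\s+stop\s+WinDefend)", re.I)
# Persistence under the per-user Run key named in the detection list.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def classify(event):
    """Return alert tags for one event; an empty list means nothing matched."""
    tags = []
    if event["type"] == 1:
        hit = TOOL_LAUNCH.search(event["cmd"])
        if hit:
            tags.append("tool_launch:" + hit.group(1).lower())
        if DEFENDER_TAMPER.search(event["cmd"]):
            tags.append("defender_tamper")
    elif event["type"] == 13 and RUN_KEY.search(event["target"]):
        tags.append("run_key_persistence")
    return tags


def scan(events):
    """Run classify() over a batch and return (event index, tag) pairs for every hit."""
    return [(i, tag) for i, ev in enumerate(events) for tag in classify(ev)]


if __name__ == "__main__":
    for idx, tag in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```

Several of these tags firing on one host within a short window is the pattern worth escalating; any single one (a WinRAR launch, say) is routine on its own.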

Hunt for XOR and WinAPI Obfuscation

  • Apply YARA rules targeting XOR loop patterns and dynamic WinAPI resolution.
  • Use memory analysis and sandboxing to detect unusual DLL behaviors involving advapi32.dll, mpr.dll, etc.

Data Exfiltration Monitoring

  • Alert on outbound connections over non-standard ports.
  • Look for burst uploads or repeated WinRAR archive creation outside normal business operations.

Simulate, Educate, Drill

  • Include SafePay tactics in your red-teaming simulations.
  • Educate staff on ransomware indicators and encourage early reporting.
  • Run tabletop exercises with "stealth ransomware + data leak" scenarios.

Remember: the best time to prepare was yesterday. The second-best time is now!!!