SafePay

Also known as: SafePay Ransomware, safepay

Introduction

SafePay is a ransomware group particularly active in Germany, responsible for 24% of the 74 ransomware victims reported in the country during Q1 2025.

Activities and Tactics

Targeted Sectors: Healthcare, Logistics, Manufacturing, Government

Country of Origin: 🏳️ Unknown

Risk Level: High

First Seen: 2024

Last Activity: 2025

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • Hacking Team UEFI Rootkit
  • Dark DDoSeR
  • Archelaus Beta
  • Revenge-RAT

Ransomware Tool Matrix observations

Category | Observed tools
Discovery | Invoke-ShareFinder
Exfiltration | 7zip, FileZilla, WinRAR
LOLBAS | CMSTPLUA, Regsvr32.exe, dllhost.exe
RMM Tools | Microsoft RDP

Attribution and Evidence

Country of Origin: Unknown

Additional attribution information pending cataloguing.

References

References pending cataloguing.