SafePay Ransomware Hits 200 Firms Using RDP, VPN Hack

SafePay ransomware has rapidly emerged as a major cyber threat, targeting managed service providers and small-to-midsize enterprises across industries. It hit 200 victims globally in Q1 2025 alone, a sharp rise in activity since its 2024 debut. The group infiltrates networks using compromised Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) credentials.

Unlike ransomware-as-a-service models, SafePay maintains centralized control, allowing precise execution and direct negotiation with victims. The group relies on classic yet effective tactics, including disabling endpoint protection, deleting shadow copies, and wiping system logs. It uses PowerView’s ShareFinder.ps1 for reconnaissance and WinRAR to archive sensitive files, excluding non-critical data.

Attackers transfer stolen data via FileZilla and delete traces post-exfiltration. The malware uses AES and RSA encryption, appending a .safepay extension to locked files. Execution requires a 32-byte password. Its stealth, structure, and double extortion model highlight its growing threat.
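
For defenders, the stages described above can be correlated per host from process-creation and file-creation telemetry. The following is an added example, not code from the article: the host names and events are constructed, and the `vssadmin`/`wevtutil` patterns are assumed common ways of deleting shadow copies and clearing logs, since the article does not give the exact commands.

```python
import re
from collections import defaultdict

# Stage -> pattern over a lowercased command line or file path.
# ShareFinder, WinRAR, FileZilla and ".safepay" are named in the article;
# the shadow-copy and log-clearing patterns are assumptions (see lead-in).
RULES = {
    "recon_sharefinder": re.compile(r"sharefinder"),
    "staging_winrar": re.compile(r'\b(win)?rar\.exe"?\s+a\s'),  # "a" = add to archive
    "exfil_filezilla": re.compile(r"\bfilezilla(\.exe)?\b"),
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"),
    "log_wipe": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b"),
    "safepay_extension": re.compile(r"\.safepay$"),
}

# Constructed sample telemetry: (host, command line or created file path).
SAMPLE_EVENTS = [
    ("FS01", r"powershell.exe -File C:\Temp\ShareFinder.ps1"),
    ("FS01", r'"C:\Program Files\WinRAR\WinRAR.exe" a -r C:\ProgramData\out.rar \\fs01\finance'),
    ("FS01", r"C:\Program Files\FileZilla FTP Client\filezilla.exe"),
    ("FS01", r"vssadmin.exe delete shadows /all /quiet"),
    ("FS01", r"D:\Shares\finance\budget.xlsx.safepay"),
    # Benign look-alikes: archive extraction and an event-log query.
    ("WS17", r'"C:\Program Files\WinRAR\WinRAR.exe" x C:\Users\amy\Downloads\report.rar'),
    ("WS17", r"wevtutil.exe qe System /c:5"),
]

def stages_by_host(events):
    """Return {host: set of matched stage names}."""
    hits = defaultdict(set)
    for host, text in events:
        line = text.lower()
        for stage, pattern in RULES.items():
            if pattern.search(line):
                hits[host].add(stage)
    return dict(hits)

def flag_hosts(events, min_stages=3):
    """Hosts showing several distinct stages; one tool alone is weak evidence."""
    found = stages_by_host(events)
    return sorted(h for h, s in found.items() if len(s) >= min_stages)

if __name__ == "__main__":
    for host in flag_hosts(SAMPLE_EVENTS):
        print(host, sorted(stages_by_host(SAMPLE_EVENTS)[host]))
```

WinRAR and FileZilla are legitimate tools, so the value lies in requiring several distinct stages on one host rather than alerting on any single match.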

Read the full article: https://cybersecuritynews.com/safepay-ransomware-leverages-rdp-and-vpn/
