A new ransomware group known as SafePay has swiftly risen from obscurity to infamy in Q1 2025, carving a name for itself as one of the most dangerous ransomware actors on the global stage. According to the Acronis Threat Research Unit (TRU), SafePay has already claimed over 200 victims worldwide, disproportionately targeting managed service providers (MSPs) and small-to-midsize businesses (SMBs).
“SafePay… has quietly and aggressively built momentum,” Acronis reports, warning that its impact spans industries and geographies.
Unlike most ransomware groups that thrive on the ransomware-as-a-service (RaaS) model, SafePay operates differently. It’s centralized, with the group directly managing infrastructure, deployment, and ransom negotiations. This gives it tighter operational security and less exposure compared to affiliate-based ecosystems like LockBit or BlackCat.
“SafePay appears to operate with centralized control, managing its own operations, infrastructure and negotiations,” TRU states.
Though SafePay is new, it carries unmistakable traces of LockBit 3.0 (a.k.a. LockBit Black). This is unsurprising, as the LockBit builder source code was leaked in 2022. The SafePay sample analyzed is a PE32 DLL that mimics LockBit’s structure but with new twists to improve evasion and stealth.
“While the sample is not a complete copy of LockBit 3.0… it is common for threat actors to change the source code to make malware more unique,” Acronis explains.
Similarities include:
- Encoded strings and resolved WinAPI addresses at runtime.
- Language checks to avoid infecting systems in Russia, Ukraine, Belarus, and others.
- Privilege escalation using the CMSTPLUA COM interface.
- Use of the ThreadHideFromDebugger flag.
- Password protection and command-line argument parsing for encryption control.
SafePay’s intrusion vector of choice is compromised RDP connections. Once inside, attackers disable Windows Defender, execute reconnaissance scripts like ShareFinder.ps1, and exfiltrate data using WinRAR and FileZilla.
“SafePay ransomware was delivered… using RDP connections… to disable Windows Defender and upload files to the C2 server before encrypting them.”

Afterwards, WinRAR archives files—excluding media and backup formats—to a hidden directory, followed by silent data exfiltration via FileZilla. Once done, these tools are removed to erase forensic traces.
The malware uses a custom triple-XOR loop to decrypt strings on the fly. It avoids creating a static import table, instead resolving API calls dynamically at runtime. The libraries it draws on, such as advapi32.dll, mpr.dll, and shell32.dll, are therefore not visible as imports in the PE header.
For file encryption, SafePay:
- Encrypts removable and fixed drives.
- Deletes files with FILE_FLAG_DELETE_ON_CLOSE.
- Uses a unique AES key per file, then encrypts it with RSA.
- Appends the “.safepay” extension to each file.
SafePay supports several CLI arguments like:
- -uac — bypass User Account Control.
- -network — propagate through the network.
- -enc= — control percentage of encryption.
- -log — enable logging to C:\ProgramData\auto.log.
The malware ensures persistence by creating a new registry value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run so that it executes on every startup. It also acquires SeDebugPrivilege, stops backup, security, and database services such as Veeam, Sophos, and SQL, and empties the Recycle Bin after encryption.
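For defenders, the observable chain described above (an RDP logon, Windows Defender being stopped, ShareFinder.ps1 running, WinRAR and FileZilla appearing and then being deleted, a new Run-key value, C:\ProgramData\auto.log, backup and security services stopping, and files gaining the .safepay extension) can be turned into a simple host-triage script. The following is an added example written for this article, not code from Acronis TRU or from the SafePay sample; the "timestamp host kind detail" log format, the rule weights, the suspect threshold, and the sample telemetry lines are all constructed assumptions and would need to be mapped onto your own EDR or Sysmon fields.

```python
"""Host triage over constructed endpoint telemetry for the SafePay behaviours
named in the article. Added example for defenders; not Acronis or SafePay code.
The "<ts> <host> <kind> <detail>" log format and the sample lines are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Artifacts taken from the article
SAFEPAY_EXT = ".safepay"
PERSIST_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
LOG_PATH = r"C:\ProgramData\auto.log"
STAGING_TOOLS = ("winrar.exe", "filezilla.exe")   # archiving / exfiltration tools named in the report
KILLED_SERVICE_HINTS = ("veeam", "sophos", "sql")  # services the malware stops before encrypting
SUSPECT_THRESHOLD = 6  # assumption: tune to your environment


@dataclass
class Event:
    ts: str
    host: str
    kind: str    # logon | service | process | file | registry
    detail: str  # free-form "key=value" text, matched case-insensitively


def parse_line(line: str):
    """Split one telemetry line into an Event; returns None for malformed lines."""
    parts = line.strip().split(" ", 3)
    return Event(*parts) if len(parts) == 4 else None


# (rule name, weight, predicate over (kind, lower-cased detail)); each rule counts once per host
RULES = [
    ("rdp_logon", 1, lambda k, d: k == "logon" and "logontype=10" in d),
    ("defender_stopped", 3, lambda k, d: k == "service" and "name=windefend" in d and "state=stopped" in d),
    ("sharefinder_run", 3, lambda k, d: k == "process" and "sharefinder.ps1" in d),
    ("staging_tool", 1, lambda k, d: k == "process" and any(f"image={t}" in d for t in STAGING_TOOLS)),
    ("staging_tool_wiped", 2, lambda k, d: k == "file" and "action=delete" in d
                                        and any(d.endswith("\\" + t) for t in STAGING_TOOLS)),
    ("run_key_persist", 2, lambda k, d: k == "registry" and PERSIST_KEY.lower() in d),
    ("auto_log_created", 3, lambda k, d: k == "file" and LOG_PATH.lower() in d),
    ("safepay_extension", 5, lambda k, d: k == "file" and d.endswith(SAFEPAY_EXT)),
    ("backup_av_killed", 2, lambda k, d: k == "service" and "state=stopped" in d
                                       and any(h in d for h in KILLED_SERVICE_HINTS)),
]


def triage(lines):
    """Return {host: {"score": int, "hits": [rule names]}}, scoring distinct rule hits per host."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        d = ev.detail.lower()
        for name, _w, pred in RULES:
            if pred(ev.kind, d):
                hits[ev.host].add(name)
    weights = {name: w for name, w, _ in RULES}
    return {h: {"score": sum(weights[n] for n in names), "hits": sorted(names)}
            for h, names in hits.items()}


def is_suspect(entry) -> bool:
    """A host is worth isolating and investigating once its score crosses the threshold."""
    return entry["score"] >= SUSPECT_THRESHOLD


def count_encrypted(lines) -> int:
    """Number of file events whose path already carries the .safepay extension."""
    return sum(1 for l in lines if (ev := parse_line(l)) and ev.kind == "file"
               and ev.detail.lower().endswith(SAFEPAY_EXT))


# Constructed sample telemetry: WS01 shows the full chain, WS02 only a routine WinRAR extraction
SAMPLE = r"""2025-03-02T01:14:05Z WS01 logon user=admin logontype=10 src=198.51.100.23
2025-03-02T01:16:40Z WS01 service name=WinDefend state=stopped
2025-03-02T01:18:02Z WS01 process image=powershell.exe cmdline=-File ShareFinder.ps1
2025-03-02T01:30:11Z WS01 process image=WinRAR.exe cmdline=a -r staged.rar
2025-03-02T01:45:50Z WS01 process image=filezilla.exe
2025-03-02T02:05:00Z WS01 file action=delete path=C:\Users\admin\Desktop\filezilla.exe
2025-03-02T02:06:10Z WS01 registry key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=constructed data=C:\ProgramData\constructed.dll
2025-03-02T02:06:12Z WS01 file action=create path=C:\ProgramData\auto.log
2025-03-02T02:07:00Z WS01 service name=VeeamBackupSvc state=stopped
2025-03-02T02:07:30Z WS01 file action=rename path=C:\Finance\q1.xlsx.safepay
2025-03-02T02:07:31Z WS01 file action=rename path=C:\Finance\q2.xlsx.safepay
2025-03-03T09:00:00Z WS02 process image=WinRAR.exe cmdline=x backup.rar"""

if __name__ == "__main__":
    for host, entry in triage(SAMPLE.splitlines()).items():
        flag = "SUSPECT" if is_suspect(entry) else "ok"
        print(f"{host}: score={entry['score']} {flag} hits={entry['hits']}")
    print("encrypted files seen:", count_encrypted(SAMPLE.splitlines()))
```

The weighting matters more than the individual rules: WinRAR alone is an everyday tool, so a single low-weight hit on WS02 stays below the threshold, whereas the ordered combination on WS01 (Defender stopped, then reconnaissance, then staging tools that are deleted afterwards, then the Run key and auto.log) scores high even before the first .safepay rename appears. Catching a host at the staging stage is the point, because by the time the extension shows up the exfiltration the article describes has usually already finished.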
Among its growing list of targets, SafePay was linked to the ransomware attack against Ingram Micro, a major global distributor. The breach disrupted services across thousands of MSPs, underscoring the scale and ambition of the group.
SafePay represents a highly structured, technically evolved ransomware operation. Its links to LockBit, rejection of affiliate models, and effective use of stealth and exfiltration tools mark it as one of the most dangerous threats of 2025.