SafePay Ransomware Recovery

SafePay is a financially driven ransomware operation first seen in mid-2023, known for targeting small to mid-sized organisations through opportunistic phishing campaigns and fake software updates.

A SafePay attack results in the encryption of critical data and a ransom demand instructing victims to make a “safe payment” - usually in Bitcoin - to restore access and prevent the exposure of stolen information.

Why you must not interfere with your ransomware environment

A break-in at your offices would compel you to call the police immediately and touch nothing until they arrive, understanding the need for a forensic investigation.

A cyber-attack requires the same action. Your first responsibility would be to call in the forensic experts and ensure the environment remains untouched.

This is not a job for your IT team or MSP. There are Digital Forensic specialists available 24/7 who can assist you.

YOU MUST NOT ATTEMPT TO TOUCH, RESTORE OR OVERWRITE THE DATA

Who is SafePay? What does it do?

SafePay is a fast-growing ransomware group first seen in late 2024. By early 2025, it became one of the top threats, targeting small businesses and local governments - especially those with weak security. It uses stolen VPN/RDP credentials and known exploits to breach networks, disable backups, and encrypt files using AES-RSA, appending a .safepay extension. Victims then receive a ransom note demanding payment and threatening data leaks.

Operating mainly in the U.S., Germany, and the UK, SafePay runs high-volume, low-complexity attacks, often over 10 per day. It focuses on sectors like healthcare, education, and construction. The group runs active leak sites and uses double extortion, making it a major threat to vulnerable organisations.

UK Data 2025

How Does SafePay Attack?

Double extortion is a ransomware tactic where attackers both encrypt and steal a victim’s data, then threaten to leak it if the ransom isn’t paid. This method pressures victims to pay even if they have backups, due to risks like reputational harm or legal consequences.

How old is SafePay and how many attacks have there been?

SafePay was first identified in mid-2023 and quickly gained traction among lower-level ransomware operators. Since then, it has been linked to 278 incidents globally.

While not as sophisticated as larger ransomware operations, SafePay’s low barriers to entry and rapid spread make it a persistent threat.

Most Recent SafePay Attacks

Title	Available	Last visit	fqdn
Safepay Blog	No	2025-12-07 04:33:49.268172	http://safepaypfxntwixwjrlcscft433ggemlhgkkdupi2ynhtcmvdgubmoyd.onion
Safepay Blog	Yes	2026-02-24 03:01:28.808794	http://safepaypfxntwixwjrlcscft433ggemlhgkkdupi2ynhtcmvdgubmoyd.onion
SAFEPAY	No	2025-10-13 07:30:25.827213	http://j3dp6okmaklajrsk6zljl5sfa2vpui7j2w6cwmhmmqhab6frdfbphhid.onion

Solace Cyber’s track record includes hundreds of successful response recoveries, providing Digital Forensic Incident Response services, 24x7x365.

“The NCSC handled 430 significant cyber incidents in 2024, a 16% increase from the previous year.”

Read more...

Steps After a Security Breach

When a cyber incident occurs, take these immediate actions:

Contact your business insurance provider straight away

Review your business continuity plan to determine which operations can continue without your usual systems and data

Document the incident for regulatory compliance purposes

Solace Cyber acts as your specialist digital forensics partner in Australia, helping restore normal operations swiftly. Our response includes:

Securing and isolating your environment to preserve evidence for thorough forensic analysis

Tracking down where your data has been copied and executing legal removal requests

Mapping out recovery points for your data, applications and systems, then carefully reconstructing them in a secure, clean environment

Coordinating directly with your insurance provider and law enforcement as required

Providing guidance on customer communication regarding the incident

Reconstructing your infrastructure, recovering your data and returning you to complete operational status

Recovery timelines typically range from 2 weeks to 2 months, depending on the incident's scope.

Ransom Groups Stats by Industry

Critical infrastructure ransomware attacks 2021 bar chart

Who is Solace Cyber and what experience do they have in recovering from SafePay ransomware attacks?

Solace Cyber delivers global risk and security services across Australia, specialising in travel, crisis support, and offshore risk management. The organisation runs a fully staffed security operations centre around the clock and maintains an internal intelligence unit that produces routine daily and weekly updates. The business is certified to ISO 27001, ISO 14001, ISO 45001, and ISO 9001 standards.

Founded in the UK in 2021, Solace Cyber has grown its presence throughout Australia, concentrating on cyber incident handling, including digital forensics, incident response, ransomware events, information security, and wider risk management, supported by managed security services. The senior leadership team has more than two decades of combined experience across security and IT.

Why should I trust Solace Cyber to do this work rather than my IT team?

A forensic analysis needs to be meticulous and a clean restore and recovery requires a wealth of experience not normally available in an in-house team who must provide a broader range of IT support skills:

Internal IT teams don’t have the necessary skill set to resolve security encryption issues themselves.
Internal teams are pressured to restore business operations and may recover before forensic analysis even begins, potentially destroying the crime scene before completion.
IT teams may recover to the same position with indicators of compromise ready to do it again…. which can lead to another breach.
In 2022, there were not enough adequately qualified people in the job market to meet the CSIRT* resource requirements.
Cybercrime has stepped up again in 2024.

Solace Cyber was established precisely for this scenario. We have a well-defined process for handling cyber-attacks like SafePay, which involves a 6-step approach:

Triage
Analysis
Contain and Mitigate
Remediate and Eradicate
Recover
Post-Incident Examination

It includes a thorough digital forensic analysis from step 2 where the output becomes a central component of business recovery. This is because understanding the attack is of critical importance:

Informing an initial infection date
The extent and spread of infection
Data exfiltration having an impact on regulatory positions
Ensuring that the attacker and any tooling or artefacts they leave behind are eradicated

It is critical that the analysis of digital evidence is carried out to an agreed plan. This will have been designed to provide the best and earliest chance of discovering a root cause, which is essential to inform remediation/eradication and recovery as well as supporting a legal take-down case if this is applicable. A legal take-down means we can assist in the legal enforcement that stops the criminals from publishing the data, thus undermining the ransom notice.

Solace’s Digital Forensic and Incident Response teams maintain consistent communication throughout. Dedicated Incident Managers and technical engineering leads provide updates during the Cyber Incident Response journey, utilising risk registers and working within change management processes, all from triage through to post-incident, delivering successful business recovery.

Key Take Aways

System Access: You will be unable to access your systems or data.
Immediate Actions: Disconnect from the internet and shut down your systems, including PCs, to prevent further infections.
Email and Communication Security: Your Office 365 system might be compromised, allowing attackers to monitor your responses. Avoid using your primary email or team communication systems.
Pre-Attack Infiltration: Threat actors typically infiltrate your system 2-4 weeks before you become aware of the attack. Your data will have already been exfiltrated by this time.
Ransom Costs: Ransom demands can range from £0.5m to £3m.
Legal Risks: Paying the ransom may violate financial sanctions, constituting a criminal offense that could result in imprisonment or additional financial penalties.
Data Exposure: Data sold or published on the web puts your customers and staff at risk and implicates you in a data protection breach.
Data Takedown: You will need to request a takedown of the data from its initial location.
Data Handling: Do not overwrite the encrypted data. It is crucial to determine when the infection began and where the data was exfiltrated.
Back-Up Restoration: Avoid rebuilding from the latest backup, as it may also be infected.

How do I maintain security in future to prevent a further ransomware attack?

Solace Cybers' assistance extends beyond recovery. After restoring your business operations, we work collaboratively to ensure your cyber security posture is robust using a threat-informed methodology. This involves leveraging our comprehensive 9-step framework known as the Solace Global - Cyber 9 Step Process.

Frequently asked questions

Yes, SafePay is ransomware that encrypts victims’ data and demands a cryptocurrency payment to restore files and prevent data leaks.

A SafePay ransomware attack generally enters a system in one of the following ways:

Sending phishing emails with malicious links or attachments
Using fake software update pop-ups on compromised websites
Exploiting weak passwords on remote services

To reduce risk in the future:

Use advanced email filtering and antivirus solutions
Block access to suspicious websites and adverts
Keep operating systems and software up to date
Train staff on phishing awareness
Maintain secure, tested offline backups

The average cost of ransomware breaches hover around £500K, while smaller email data breaches typically incur expenses of around £50K. A critical decision emerges between preserving the environment for forensic analysis or opting for swift recovery to minimise business disruption. Delays in identifying and resolving breaches only exacerbate costs.

Cybersecurity insurance claims entail a multifaceted process, encompassing reasonable expenditures for investigation and remediation, alongside coverage for legal, business interruption, criminal liability, employment liability, and ransom policies. While the insurance industry plays a pivotal role in facilitating business recovery, cyber insurance is perceived as volatile within the sector, and many policies require meticulous validation.

Facing genuine pressure, there's a crucial decision to make - one that could rescue your organisation from weeks of operational standstill, reputation damage, and client data loss. Yet, the probability of a favourable outcome remains slim, emphasising the importance of engaging a specialised ransomware incident response team. They are your most viable recourse for navigating a ransomware incident.

The NCSC have documented the deliberations for paying ransomware: https://www.ncsc.gov.uk/ransomware/home

Important Reminder: It is a criminal offense to pay money to people who are subject to financial sanctions. The list of who is subject to financial sanctions is constantly changing.

The latest iteration can be found here: https://www.gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets

Yes. There's a possibility that some of the lost data contains "Personal Data" belonging to your customers. Safeguarding such data is a legal requirement, so it's important to consider notifying the Information Commissioner's Office (ICO) about this incident, as well as your customers. https://ico.org.uk/

Your insurer or legal counsel will provide guidance on the necessary steps and how to proceed in this matter. However, Solace Cyber has experience collaborating with insurers and legal representatives and can offer assistance in managing these relationships during this challenging period.

Your business operations may experience significant disruptions. These could include:

Downtime: Your systems may be unavailable or operating at reduced capacity for a prolonged period, affecting productivity and revenue generation.
Reputational Damage: Public awareness of the breach can erode trust and confidence in your brand, leading to potential customer loss and difficulty acquiring new clients.
Financial Losses: Beyond immediate costs like remediation and recovery, there may be long-term financial repercussions due to decreased sales, legal fees, and regulatory fines.
Legal and Regulatory Challenges: Compliance obligations and legal proceedings stemming from the breach may consume time and resources, further impeding business operations.
Employee Morale and Productivity: Team morale can suffer due to uncertainty and increased workloads, impacting overall productivity and retention rates.

To mitigate these effects, it's crucial to have a comprehensive incident response plan in place, including communication strategies, collaboration with cybersecurity experts, and measures to enhance system resilience and data protection. Additionally, transparency with stakeholders and proactive steps to rebuild trust can help minimize the long-term consequences on your business.

Action Fraud is the UK’s national reporting centre for fraud and cybercrime. Whether you have been scammed, defrauded, or experienced cybercrime in England, Wales, or Northern Ireland, Action Fraud offers a central point of contact for information on fraud and financially motivated cybercrime.

https://www.actionfraud.police.uk/

SafePay Ransomware

Facing a Ransomware Attack or Security Breach?

Why you must not interfere with your ransomware environment

YOU MUST NOT ATTEMPT TO TOUCH, RESTORE OR OVERWRITE THE DATA