The SafePay ransomware group has been active since fall 2024 and has increased its activity this spring and summer. According to NCC Group, SafePay hit the most victims of any threat actor in May 2025—it is linked to 248 victims to date, according to Ransomware.live and RansomFeed.
The group uses common tactics, including social engineering with telephone calls and spam. One SafePay technique worth warning employees about is sending “a ton of spam, and at the same time, when they are panicking and raising concerns, a call comes from ‘the company’s IT department’ via Microsoft Teams.” Posing as a third-party IT department, the threat actors request remote access, then “drop a PowerShell script and often live on the network for up to a week to investigate and another week to slowly move towards exploitation.”
SafePay employs a double extortion model—exfiltrating files that it threatens to leak, and then deploying the ransomware to affect operations and pressure victims to pay. The group is targeting private companies in the financial, legal, insurance, health care, and critical services sectors, and is also pivoting to the public sector.
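
The spam-then-call lure described above leaves two signals a defender can correlate: a burst of inbound mail to one user, followed shortly by a Teams contact from outside the organization. The code below is an added example, not from the original article or any vendor. The normalized event schema (`kind`, `user`, `external`, `peer`), the thresholds, and the choice to flag only external contacts are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def find_spam_then_call(events, burst_count=30, burst_window=timedelta(minutes=10),
                        follow_window=timedelta(minutes=60)):
    """Return (user, burst_time, contact_time, peer) for each external Teams
    contact that follows an inbound-mail burst to the same user."""
    recent_mail = defaultdict(deque)   # user -> mail timestamps inside burst_window
    last_burst = {}                    # user -> last time the burst threshold was met
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        if ev["kind"] == "mail_in":
            q = recent_mail[user]
            q.append(ts)
            while ts - q[0] > burst_window:      # slide the window forward
                q.popleft()
            if len(q) >= burst_count:
                last_burst[user] = ts
        elif ev["kind"] == "teams_contact" and ev["external"]:
            burst = last_burst.get(user)
            if burst is not None and ts - burst <= follow_window:
                alerts.append((user, burst, ts, ev["peer"]))
    return alerts

def sample_events():
    """Constructed sample data (hypothetical schema), not real telemetry."""
    t0 = datetime(2025, 1, 1, 9, 0)
    # alice: 40 mails in about 6.5 minutes, then an external Teams contact -> alert
    ev = [{"ts": t0 + timedelta(seconds=10 * i), "kind": "mail_in", "user": "alice"}
          for i in range(40)]
    ev.append({"ts": t0 + timedelta(minutes=12), "kind": "teams_contact", "user": "alice",
               "external": True, "peer": "helpdesk@external.example"})
    # bob: normal mail volume plus an external contact -> no alert
    ev += [{"ts": t0 + timedelta(minutes=5 * i), "kind": "mail_in", "user": "bob"}
           for i in range(5)]
    ev.append({"ts": t0 + timedelta(minutes=30), "kind": "teams_contact", "user": "bob",
               "external": True, "peer": "vendor@partner.example"})
    # carol: mail burst, but the Teams contact is internal -> no alert
    ev += [{"ts": t0 + timedelta(seconds=5 * i), "kind": "mail_in", "user": "carol"}
           for i in range(50)]
    ev.append({"ts": t0 + timedelta(minutes=10), "kind": "teams_contact", "user": "carol",
               "external": False, "peer": "it@corp.example"})
    return ev

if __name__ == "__main__":
    for user, burst, contact, peer in find_spam_then_call(sample_events()):
        print(f"{user}: mail burst at {burst:%H:%M:%S}, "
              f"external Teams contact from {peer} at {contact:%H:%M}")
```

In practice the events would come from mail-gateway and Teams audit logs mapped into this shape, with thresholds tuned to the organization's normal mail volume.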