Rapid Rise and Aggressive Tactics Alarm Cybersecurity Experts

Cybersecurity researchers have flagged SafePay as the most active ransomware group today, despite being only seven months old. According to a recent Check Point report, SafePay has quickly built a dominant presence in the ransomware landscape.

The group uses a double-extortion approach—encrypting files while also stealing sensitive data. Victims who refuse to pay face threats of public exposure on SafePay’s “shame site,” where stolen data is posted. Researchers also highlight aggressive negotiation tactics, including direct phone calls to pressure organizations into compliance.

Russian Links and Unusual Target Preferences

Check Point notes that SafePay’s malware contains a Cyrillic-language exclusion, a potential sign of ties to Russian-affiliated threat actors. The group has listed over 200 victims, with nearly 20% based in Germany—a sharp contrast to typical ransomware attack patterns that are more geographically dispersed.

Industries most affected include education, government, healthcare, and telecom. One recent breach involved Marlboro-Chesterfield Pathology, where 236,000 patient records were compromised in a January attack.

Competing Threats: Qilin and Play Ransomware

SafePay is not alone in this space. Groups like Qilin, active since 2022, continue to strike large healthcare and education institutions. Qilin admitted to a February 2025 attack on a Japanese cancer center that exposed 300,000 patient records.

Play Ransomware, also known as PlayCrypt, has targeted nearly 300 global entities. It often infiltrates networks using stolen credentials or by exploiting vulnerabilities in outdated systems such as Fortinet SSL VPNs. Once inside, it uses advanced techniques to steal data and evade detection.

With SafePay’s surge in activity and aggressive methods, cybersecurity experts urge organizations to review their ransomware defense protocols and monitor exposure risks in real time.

