Safepay Strikes at 9 New Targets

Yesterday, the ransomware group Safepay attacked 9 new victims. Because public disclosure of details surrounding the attacks appears slim, it is difficult to ascertain how the cybercriminal group gained access, which methods were used, and what data was exfiltrated.
The ransomware group stole a total of 810 GB of data, and a countdown timer shows the companies have two days to comply with ransom demands before the group publicly leaks the trove.
The list of impacted companies is as follows:
- Blue Ridge Senior Living, a Richmond, Virginia-based company specializing in independent living, assisted living, and memory care.
- Richmond House School, an independent prep school in North Leeds.
- Quantum Innovations, Inc., a US‑based company specializing in thin‑film and ophthalmic coating and vacuum equipment.
- NAXIS Co., Ltd., a Japanese-headquartered international manufacturer of apparel labels, tags, packaging, and RFID tags.
- L & W Wilson (Endmoor) Ltd, a Cumbria, UK-based civil engineering, haulage, demolition, and aggregate supplies firm.
- Salemma Retail S.A., a supermarket chain based in Paraguay, South America.
- Stichting Johannes Bosco, a nonprofit organization supporting vulnerable children and communities.
- BISA, short for Bio-Servicios Ambientales, a Peruvian engineering firm founded in 1992 that specializes in environmental consulting and engineering, procurement, and construction management (EPCM) services.
- Horan & Barker, P.C., a Certified Public Accounting firm in Davenport, Iowa.
At first glance, these companies do not appear to share any association with one another, such as common DNS records, ASNs, or hosting providers. Regardless, there may be a common attack vector.
According to a report by Hudson Rock, Safepay’s attack on BISA was made possible through the use of third-party employee credentials as the initial attack vector. Although no internal BISA employees were directly compromised, 51 user identities with access to BISA’s systems were found in infostealer logs, likely belonging to contractors, vendors, or third-party service providers.
Of these 51 compromised accounts, 45 credentials belonged to individuals outside the organization, and these were ultimately used to gain unauthorized access to BISA’s infrastructure.
While researchers can only surmise how all victims in this case were compromised, it is not difficult to theorize that they shared a common factor, which may be revealed by how Safepay compromised BISA.
Safepay: A Brief Overview
Safepay arrived on the ransomware scene relatively recently, emerging late last year. Cybersecurity researchers first discovered the group around September-November 2024, when ransomware attacks attributed to it appeared bearing the group’s unique signature, such as the “.safepay” file extension and “safepay.txt” ransom notes.
Experts have drawn comparisons between Safepay’s malware and the LockBit 3.0 ransomware, whose builder code was leaked in 2022, which feeds suspicions that Safepay might be built on leaked LockBit code or perhaps run by cybercrime actors experienced with LockBit or similar ransomware families. In the end, this is still only speculation.
However, because of the group’s low profile and obfuscated internet footprint, it is not formally known whether Safepay is a rebranded group or a new one.
Safepay landed on the threat radar rapidly by early 2025, going from obscurity to one of the most prolific ransomware actors after hitting 200 international victims in the first quarter of 2025 alone.