The rise of SafePay in the ransomware arena has been rapid and alarming. The group emerged in the fall of 2024 and dominated headlines last month as it posted the highest number of claimed victims of any ransomware group in May, according to a recent blog post by Cyble.
In May alone, SafePay claimed 58 victims, pushing it ahead of April's leader, Qilin, which claimed 54. This marks a significant shift in the ransomware landscape, especially as the total number of victims claimed across all groups fell to 384, continuing a decline now in its third month. New groups keep appearing as established leaders drop out: RansomHub went offline in late March, reportedly after an attack by the rival group DragonForce.
Current Landscape of Ransomware Threats
SafePay's ascent to the top draws attention to the evolving dynamics in cyber threats. The United States remains the most targeted nation, suffering the highest share of ransomware attacks at 181 victims. Rounding out the top five groups after SafePay and Qilin were Play, Akira, and NightSpire, highlighting a competitive field where threats are not only prevalent but also diverse.
The sectors most affected by ransomware attacks in May were Professional Services and Construction, with these two sectors experiencing a combined total of 101 attacks. Following closely were Manufacturing, Government, Healthcare, Finance, IT, Transportation, Consumer Goods, and Education.
SafePay has claimed 198 victims in total. Its May count of 58 is well above the group's previous monthly high of 43, set in March, and May was also the first month in which SafePay led the ransomware rankings.
SafePay gains access to victim networks through VPN and RDP connections, typically using stolen credentials or password spraying, in which a small set of common passwords is tried against many accounts to stay below per-account lockout thresholds. Because both paths are credential-based, externally exposed VPN and RDP endpoints without multi-factor authentication are the natural targets. Once inside, the group uses double extortion: it encrypts data and simultaneously threatens to publish it. Unlike many ransomware groups, which operate a Ransomware-as-a-Service (RaaS) affiliate program, SafePay runs its operations independently.
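The initial-access pattern described above, a single source failing logins against many different accounts and then succeeding on one of them, is detectable in VPN and RDP authentication logs before encryption starts. The script below is an added illustration, not code from Cyble or the original article, and it assumes a simplified one-line-per-event log format; the sample log lines are constructed for the example. It flags any source that fails against at least five distinct accounts within a ten-minute window, then reports successful logins from flagged sources, since that success is the credential the attacker will use to get in.

```python
"""Detect password spraying in VPN/RDP auth logs and the success that follows it.

Assumed (hypothetical) log format, one event per line:
    <ISO-8601 timestamp> <service> user=<account> src=<ip> result=<success|failure>
The sample below is constructed for this example; it is not a real log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)

# Constructed sample: 10.0.0.5 sprays six accounts in under three minutes, then
# succeeds as jdoe. 192.168.1.20 is a user mistyping their own password (benign).
# The last line is a lone failure from the sprayer 90 minutes later, outside the window.
SAMPLE_LOG = """\
2025-05-12T08:00:00 vpn user=alice src=10.0.0.5 result=failure
2025-05-12T08:00:30 vpn user=bob src=10.0.0.5 result=failure
2025-05-12T08:01:00 vpn user=carol src=10.0.0.5 result=failure
2025-05-12T08:01:30 rdp user=dave src=10.0.0.5 result=failure
2025-05-12T08:02:00 rdp user=erin src=10.0.0.5 result=failure
2025-05-12T08:02:30 vpn user=jdoe src=10.0.0.5 result=failure
2025-05-12T08:03:00 vpn user=jdoe src=10.0.0.5 result=success
2025-05-12T08:05:00 vpn user=frank src=192.168.1.20 result=failure
2025-05-12T08:05:10 vpn user=frank src=192.168.1.20 result=failure
2025-05-12T08:05:20 vpn user=frank src=192.168.1.20 result=success
2025-05-12T09:30:00 rdp user=grace src=10.0.0.5 result=failure
"""


def parse_log(text):
    """Parse log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: max distinct accounts failed within one window} for sources that
    hit min_users or more. Spraying is many accounts per source, so we key on the source
    and count distinct users, not raw failure volume (which a lockout policy already sees)."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "failure":
            failures[ev["src"]].append(ev)

    alerts = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until all events in [start, end] fit in it.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["user"] for e in evs[start:end + 1]}
            if len(distinct) >= min_users:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def successful_logins_from_sprayers(events, alerts):
    """Sorted (src, user) pairs for successes from a flagged source: the accounts to reset."""
    hits = {(ev["src"], ev["user"]) for ev in events
            if ev["result"] == "success" and ev["src"] in alerts}
    return sorted(hits)


def analyse(text):
    events = parse_log(text)
    alerts = detect_spraying(events)
    return alerts, successful_logins_from_sprayers(events, alerts)


if __name__ == "__main__":
    alerts, compromised = analyse(SAMPLE_LOG)
    for src, n in alerts.items():
        print(f"spraying from {src}: {n} distinct accounts in one window")
    for src, user in compromised:
        print(f"successful login from sprayer {src} as {user}: reset and investigate")
```

The benign case matters as much as the malicious one: 192.168.1.20 fails twice against a single account, which is a lockout-policy event, not spraying, and stays unflagged. In practice the window and threshold need tuning per environment, and the same logic applies to Windows event ID 4625 (failed logon) and VPN concentrator logs once they are normalised to the same fields.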
SafePay's targeting is concentrated on the U.S. and Germany, with Professional Services, Construction, Healthcare, Education, and Manufacturing the most heavily targeted sectors.
The Emergence of DevMan and Other Threats
In addition to SafePay, another notable player is DevMan, which operates primarily as an affiliate for several RaaS groups but has recently introduced its own variant. The group advertises the variant as fast and efficient and deploys it through mechanisms such as Group Policy Objects (GPOs), which lets a single domain compromise push the payload to every domain-joined host at once. In May, DevMan claimed 13 victims, positioning it just outside the top tier of ransomware groups and making it one to watch closely.
As an affiliate, DevMan has collaborated with various RaaS groups, including Qilin, Apos, DragonForce, and RansomHub, indicating a flexible operational structure that could pose further risks in the cybersecurity landscape.
Another significant development in May was the leak of the VanHelsing Ransomware-as-a-Service source code, which raises the prospect of copycat operations, as happened after the LockBit and Babuk leaks. Freely available source code lowers the bar for new ransomware variants, adding another layer of complexity to the current threat landscape.
Cyble also identified new ransomware groups in May, 17 in all, a number that could reverberate through critical sectors, including software supply chains and essential infrastructure.
Essential Practices for Ransomware Defense
The continuous emergence of new ransomware threats underscores the persistent risk and the need for robust defensive strategies. Recommended best practices include implementing a risk-based vulnerability management program, protecting exposed assets (above all internet-facing VPN and RDP services), segmenting networks, and maintaining ransomware-resistant backups that are offline or immutable and tested for restoration. Applying Zero Trust principles, monitoring endpoints, and hardening infrastructure are further essential components for safeguarding against evolving cyber threats.