Back to Intelligence

SAFEPAY Ransomware: Aggressive German Sector Targeting & Critical Infrastructure Exploits

SA
Security Arsenal Team
July 6, 2026
8 min read

Date: 2026-07-06 Analyst: Principal Security Engineer, Security Arsenal Source: Direct observation of SAFEPAY .onion leak site


1. Threat Actor Profile — SAFEPAY

  • Aliases: None definitively confirmed; appears to be a rebranding or splinter group using legacy codebases reminiscent of LockBit 3.0/BlackCat infrastructure.
  • Operational Model: Ransomware-as-a-Service (RaaS) with indications of a closed, invite-only affiliate network due to the high caliber of exploited vulnerabilities.
  • Ransom Demands: Highly variable, typically ranging from €500,000 to €5,000,000, correlating with victim revenue and data sensitivity.
  • Known Initial Access Methods: Currently focused on exploiting critical external-facing infrastructure. Recent activity shows a pivot towards exploiting perimeter security appliances (Check Point, Cisco Firewalls) and remote management tools (ScreenConnect) rather than traditional phishing or RDP brute-forcing.
  • Extortion Strategy: Strict double-extortion model. Victims are listed on the leak site if negotiations fail; stolen data is teased with samples (ID cards, financial docs, schematics).
  • Average Dwell Time: Estimated 4–7 days. This gang moves rapidly from initial access via perimeter exploits to lateral movement and data exfiltration, minimizing the window for detection.

2. Current Campaign Analysis

Campaign Overview (July 1–6, 2026)

SAFEPAY has significantly increased its tempo, posting 12 new victims in the last 100 days, with a heavy concentration of activity in the first week of July.

Targeted Sectors

  • Construction: 25% (bmiprojects.de, knobel-bau.de)
  • Public Sector & Non-Profit: 25% (awo-suedost.de, lh-wohnverbund-wohnen-nrw.de)
  • Healthcare: 16.6% (caritas-koblenz.de, eaglecrestlife.org)
  • Transportation/Logistics: 8.3% (hahn-airport.de)
  • Business Services: 16.6% (matrixwebagency.com, rtngmbh.de)
  • Education: 8.3% (stedwardscatholicfirstschool.co.uk)

Geographic Concentration

  • Dominant Target: Germany (75% of recent victims).
  • Secondary Targets: United States, United Kingdom.
  • Assessment: The campaign is highly focused on the DACH region (Germany, Austria, Switzerland), specifically targeting critical infrastructure and social services.

Victim Profile

  • Company Size: Mid-Market to Large Enterprise. Victims include regional airports, large construction firms, and diocesan organizations.
  • Revenue Estimates: €10M – €500M+.

Observed Patterns

  • Posting Frequency: Spike in postings on July 6th (9 victims) suggests a "bulk release" of encryption deadlines or a coordinated affiliate action.
  • CVE Correlation: The targeting of German entities correlates strongly with the exploitation of CVE-2026-50751 (Check Point) and CVE-2026-20131 (Cisco FMC). These are common perimeter defenses in German enterprises. The gang is likely bypassing the firewall/VPN to gain initial access directly.
  • Supply Chain: The compromise of rtngmbh.de (Business Services) suggests potential supply chain attacks on service providers to access their clients.

3. Detection Engineering

SIGMA Rules (Consolidated YAML)

YAML
---
title: Potential Check Point Security Gateway IKEv1 Exploit (CVE-2026-50751)
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects potential exploitation attempts of CVE-2026-50751 involving IKEv1 key exchange anomalies and authentication failures on Check Point Security Gateways.
author: Security Arsenal Research
date: 2026/07/06
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: firewall
definition:
    condition: selection
    selection:
        vendor|contains: 'Check Point'
        dst_port: 500
        protocol: 'IKE'
        status: 'failure'
        message|contains:
            - 'authentication failure'
            - 'ikev1'
            - 'invalid cookie'
falsepositives:
    - Legitimate misconfigured VPN peers
level: high
tags:
    - attack.initial_access
    - cve.2026.50751
    - safepay
---
title: Suspicious PowerShell Defender Tampering
id: e5f6g7h8-9012-34ab-cdef-567890123456
status: experimental
description: Detects commands often used by ransomware operators like SAFEPAY to disable Windows Defender and security logging prior to encryption.
author: Security Arsenal Research
date: 2026/07/06
references:
    - https://attack.mitre.org/techniques/T1562/001/
logsource:
    product: windows
    service: powershell
detection:
    selection:
        EventID: 4104
    filter_scripts:
        ScriptBlockText|contains:
            - 'Set-MpPreference'
            - 'Add-MpPreference'
            - 'Disable-BitLocker'
            - 'wevtutil cl' # Clear logs
    condition: selection and filter_scripts
falsepositives:
    - Administrative scripts run by IT
level: high
tags:
    - attack.defense_evasion
    - attack.execution
    - safepay
---
title: Massive File Deletion Shadow Copy Tampering
id: 9a8b7c6d-5e4f-3a2b-1c0d-0987654321ab
status: experimental
description: Detects the use of vssadmin or wmic to delete shadow copies, a common precursor to encryption by SAFEPAY affiliates.
author: Security Arsenal Research
date: 2026/07/06
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith:
            - '\vssadmin.exe'
            - '\wmic.exe'
    selection_cmdline:
        CommandLine|contains:
            - 'delete shadows'
            - 'shadowcopy delete'
    condition: selection and selection_cmdline
falsepositives:
    - System administration tasks (rare)
level: critical
tags:
    - attack.impact
    - safepay

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and data staging indicators associated with SAFEPAY
// Focuses on SMB access and unusual administrative tool usage
let TimeFrame = 7d;
DeviceProcessEvents
| where Timestamp >= ago(TimeFrame)
// Hunt for tools often used for lateral movement
| where ProcessName in~ ("psexec.exe", "psexec64.exe", "wmic.exe", "powershell.exe", "cmd.exe")
// Filter for network-related arguments or specific keywords used in staging
| where ProcessCommandLine has any ("192.168", "10.0", "172.16", "copy", "move", "xcopy", "robocopy", "/share", "\\\\")
// Correlate with network connection events to the same device
| join kind=inner (DeviceNetworkEvents
    | where Timestamp >= ago(TimeFrame)
    | where RemotePort in (445, 135, 139, 3389) // Common lateral movement ports
    | summarize ConnectionCount=count(), RemoteIPList=make_set(RemoteIP) by DeviceId, Timestamp
    ) on DeviceId
| project Timestamp, DeviceName, ProcessName, ProcessCommandLine, ConnectionCount, RemoteIPList, InitiatingProcessAccountName
| order by Timestamp desc

PowerShell Rapid Response Script

PowerShell
<#
.SYNOPSIS
    SAFEPAY Ransomware T-Minus Detection Script
.DESCRIPTION
    Scans a system for common precursors to ransomware execution associated with SAFEPAY TTPs:
    - Scheduled tasks created in the last 7 days
    - Modified Shadow Copy storage (potential tampering)
    - Suspicious PowerShell execution logs
#>

Write-Host "[+] Running SAFEPAY Pre-Encryption Diagnostic..." -ForegroundColor Cyan

# 1. Hunt for Recently Scheduled Tasks (Persistence)
Write-Host "\n[+] Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Yellow
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $taskInfo = Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath
    if ($taskInfo.Triggers.StartBoundary) {
        $startDate = [datetime]::ParseExact($taskInfo.Triggers.StartBoundary, 'yyyy-MM-ddTHH:mm:ss', $null)
        if ($startDate -gt (Get-Date).AddDays(-7)) {
            Write-Host "[!] Suspicious Recent Task Found: $($task.TaskName) | Author: $($taskInfo.Principal.UserId) | Action: $($taskInfo.Actions.Execute)" -ForegroundColor Red
        }
    }
}

# 2. Check Volume Shadow Copy Service (VSS) Health
Write-Host "\n[+] Checking Volume Shadow Copy Storage..." -ForegroundColor Yellow
try {
    $vss = vssadmin list shadows
    if ($vss -match "No shadow copies found") {
        Write-Host "[!] WARNING: No Shadow Copies found. System may be vulnerable or already tampered with." -ForegroundColor Red
    } else {
        $shadowCount = ($vss | Select-String "Shadow Copy Volume").Count
        Write-Host "[+] Found $shadowCount Shadow Copies." -ForegroundColor Green
        # Check for recent deletions by looking at Event Log 4688 for vssadmin delete commands (requires Admin Audit Policy)
    }
} catch {
    Write-Host "[-] Error checking VSS: $_" -ForegroundColor DarkGray
}

# 3. Hunt for Defender Tampering in Event Logs
Write-Host "\n[+] Checking for Windows Defender Tampering Events (ID 5010, 1116)..." -ForegroundColor Yellow
try {
    $defenderEvents = Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-24) -and $_.Id -in (5010, 1116, 1117) }
    
    if ($defenderEvents) {
        Write-Host "[!] ALERT: Recent Defender Tampering or Malware Detection Events Found:" -ForegroundColor Red
        $defenderEvents | Format-List TimeCreated, Id, Message
    } else {
        Write-Host "[+] No critical Defender events in the last 24 hours." -ForegroundColor Green
    }
} catch {
    Write-Host "[-] Could not access Defender logs." -ForegroundColor DarkGray
}

Write-Host "\n[+] Diagnostic Complete. Review RED output for immediate investigation." -ForegroundColor Cyan


---

4. Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption)

  1. Check Point VPN Logs: Immediate audit of VPN gateway logs for IKEv1 anomalies (CVE-2026-50751) or unusual authentication failures from non-corporate IPs.
  2. Cisco FMC Audit: Review firewall management center logs for unauthorized configuration changes or suspicious deserialization attempts (CVE-2026-20131).
  3. Service Account Usage: Hunt for unusual use of high-privilege service accounts, particularly those used for remote management or backup services.
  4. ScreenConnect Sessions: If ScreenConnect is in use, audit for sessions originating from unknown IPs or accounts.

Critical Assets Prioritized for Exfiltration

  • Employee & Patient Data: HR records, medical files (observed in recent healthcare victims).
  • Financial Data: Accounting ledgers, tax documents, bank transfer records.
  • Blueprints & Schematics: Construction and engineering design documents (common in construction sector targets).

Containment Actions (Ordered by Urgency)

  1. Isolate: Immediately isolate any devices triggering the SIGMA rules or identified in the KQL hunt.
  2. Block Perimeter: If a Check Point or Cisco vulnerability is suspected, block external IKE/VPN access temporarily or enforce MFA/geo-blocking until patched.
  3. Suspend Admin Accounts: Suspend all built-in and local administrator accounts on critical servers; enforce smart card or MFA for all administrative access.
  4. Preserve Evidence: Capture memory dumps of suspicious endpoints; export relevant firewall and VPN logs.

5. Hardening Recommendations

Immediate (24 Hours)

  • Patch Critical CVEs: Apply patches for CVE-2026-50751 (Check Point) and CVE-2026-20131 (Cisco FMC) immediately. If patching is not possible, apply vendor mitigations (e.g., disabling IKEv1, restricting management access).
  • Disable Internet-Facing RDP: Ensure RDP is not exposed to the internet. Enforce VPN with MFA for all remote access.
  • MFA Enforcement: Enforce phishing-resistant MFA (FIDO2/Certificate-based) for all VPN, email, and remote management portals.

Short-Term (2 Weeks)

  • Network Segmentation: Review and enforce strict segmentation between OT/IoT, user networks, and server infrastructure to limit lateral movement.
  • EDR Coverage Rollout: Ensure 100% coverage of EDR agents on all endpoints and servers, specifically prioritizing healthcare and construction sector assets.
  • Vulnerability Management: Initiate a focused scan for "ScreenConnect" instances and ensure they are updated to the latest patched version.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangsafepayransomwaregermanyinitial-accesscisa-kevhealthcare

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.