Aliases & Affiliation: SAFEPAY is a relatively new but aggressive Ransomware-as-a-Service (RaaS) operation that emerged in late 2025. While initially thought to be a rebrand of the defunct "Royal" group due to code similarities, their distinct negotiation portal and aggressive extortion tactics suggest a splinter cell or a new independent cartel.
Operational Model: Operates on a strict RaaS model with core developers maintaining the encryption payload and a network of affiliates handling initial access and exfiltration.
Ransom Demands: Demands range from $500,000 to $2 million USD, typically calculated based on victim revenue and the sensitivity of exfiltrated data. They accept Bitcoin and Monero.
TTPs & Dwell Time:
- Initial Access: Heavily relies on exploiting internet-facing applications and remote management software rather than phishing. Recent campaigns prioritize vulnerabilities in ConnectWise ScreenConnect and enterprise management consoles.
- Double Extortion: Standard operation involves data theft followed by encryption. They threaten to release data on their .onion site within 48-72 hours if contact is not established.
- Dwell Time: Short and violent. Average dwell time observed in recent campaigns is 2-4 days, indicating automated reconnaissance and rapid deployment tools.
Current Campaign Analysis
Sector Targeting: The latest wave (June 1-3, 2026) shows a diverse but specific targeting strategy:
- Technology & Services: 2 victims (soraris.it, lcnet.eu)
- Hospitality & Tourism: 1 victim (tavolaspa.com)
- Manufacturing: 1 victim (compactmould.com)
- Consumer Services: 1 victim (parsa-beauty.de)
Geographic Concentration: Primary focus on Southern and Central Europe. Italy is the hardest hit (3 victims), followed by Germany (2), Spain (1), and a single outlier in Canada (1).
Victim Profile: Targets appear to be mid-market organizations (SMEs) with annual revenues likely between $10M - $50M USD. These entities typically have robust internet-facing infrastructure (necessary for Tech/Hospitality) but may lack 24/7 SOC monitoring to detect intrusions via edge vulnerabilities.
Escalation Patterns: SAFEPAY utilizes a "flood" posting technique, releasing 6 victim profiles on June 1st and a 7th on June 2nd. This suggests a batch-processing approach to exploitation or a single affiliate targeting a specific vulnerability window.
CVE Connection: The correlation between the victim sectors (Tech/Managed Services) and the listed CVEs is strong:
- CVE-2024-1708 (ConnectWise ScreenConnect): High probability of use against the Technology victims (MSPs or IT-heavy firms) to gain remote code execution.
- CVE-2026-48027 (Nx Console): A very recent addition to KEV (May 27). Its usage suggests SAFEPAY affiliates are scanning for this specific management console vulnerability immediately upon disclosure.
- CVE-2025-52691 (SmarterMail): Likely used for initial access or credential harvesting at organizations running their own mail infrastructure (common in the targeted regions).
Detection Engineering
SIGMA Rules
YAML
---
title: Potential ScreenConnect Auth Bypass and Path Traversal
id: 9e1c4326-4c7f-4b3a-9c1d-8a7b6c5d4e3f
status: experimental
description: Detects potential exploitation of CVE-2024-1708 in ConnectWise ScreenConnect via suspicious URI patterns.
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/06/03
tags:
- cve.2024.1708
- initial.access
- web.application
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- '..%2f'
- '..%5c'
- 'Host='
filter:
cs-uri-query|contains: 'LegacyLogin.aspx'
condition: selection and not filter
falsepositives:
- Scanning activity
- Misconfigured proxies
level: high
---
title: SmarterMail Suspicious File Upload Activity
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects potential exploitation of CVE-2025-52691 via suspicious file extensions uploaded to SmarterMail web roots.
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/06/03
tags:
- cve.2025.52691
- webshell
- initial.access
logsource:
category: webserver
detection:
selection_uri:
cs-uri-path|contains:
- '/Services/'
- '/Mails/'
selection_ext:
cs-uri-query|contains:
- '.aspx'
- '.ashx'
- '.asp'
selection_methods:
cs-method:
- 'POST'
condition: all of selection_
falsepositives:
- Legitimate administrative file management
level: high
---
title: SAFEPAY Lateral Movement Indicators
id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects lateral movement patterns commonly associated with SAFEPAY affiliates using PsExec and WMI.
author: Security Arsenal Research
date: 2026/06/03
tags:
- attack.lateral_movement
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_psexec:
Image|endswith: '\psexec.exe'
CommandLine|contains: '-accepteula'
selection_wmi:
Image|endswith: '\wmic.exe'
CommandLine|contains: 'process call create'
selection_suspicious_parent:
ParentImage|endswith:
- '\cmd.exe'
- '\powershell.exe'
Image|endswith: '\rundll32.exe'
condition: 1 of selection_
falsepositives:
- Administrative IT tasks
level: medium
KQL (Microsoft Sentinel)
KQL — Microsoft Sentinel / Defender
// Hunt for SAFEPAY precursors: ScreenConnect anomalies and lateral movement
let TimeRange = ago(7d);
let ScreenConnectBypass =
Syslog
| where TimeGenerated > TimeRange
| where ProcessName contains "WebServer" or Facility contains "ConnectWise"
| where SyslogMessage has "..%2f" or SyslogMessage has "..%5c" or SyslogMessage has "%00"
| project TimeGenerated, SourceIP, Message;
let LateralMovement =
DeviceProcessEvents
| where TimeGenerated > TimeRange
| where (FileName in~ ("psexec.exe", "wmic.exe", "wmi.exe")
or ProcessCommandLine has_any ("process call create", "-accepteula"))
and InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
union ScreenConnectBypass, LateralMovement
| summarize count() by bin(TimeGenerated, 1h), SourceIP // coalesced fields
| order by count_ desc
PowerShell Response Script
PowerShell
# SAFEPAY T-Minus Hardening & Detection Script
# Usage: Run as Administrator on critical servers and workstations
Write-Host "[*] Checking for RDP exposure and unusual Scheduled Tasks..." -ForegroundColor Cyan
# 1. Check RDP Status (High Risk)
$RDP = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -ErrorAction SilentlyContinue
if ($RDP.fDenyTSConnections -eq 0) {
Write-Host "[!] ALERT: RDP is ENABLED on this host." -ForegroundColor Red
} else {
Write-Host "[+] RDP is disabled." -ForegroundColor Green
}
# 2. Hunt for Scheduled Tasks created in last 3 days (Persistence)
$SuspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-3) }
if ($SuspiciousTasks) {
Write-Host "[!] ALERT: Recently Created Scheduled Tasks Detected (Last 3 Days):" -ForegroundColor Red
$SuspiciousTasks | Select-Object TaskName, Date, Author | Format-Table
} else {
Write-Host "[+] No suspicious recent scheduled tasks found." -ForegroundColor Green
}
# 3. Check for Shadow Copy Manipulation (Pre-Encryption)
$VssEvents = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=12345} -MaxEvents 5 -ErrorAction SilentlyContinue
if ($VssEvents) {
Write-Host "[!] WARNING: Recent VSS Admin Events detected. Verify no shadow copies were deleted." -ForegroundColor Yellow
} else {
Write-Host "[+] No critical VSS deletion events found." -ForegroundColor Green
}
Write-Host "[*] Scan complete." -ForegroundColor Cyan
---
# Incident Response Priorities
**T-Minus Detection Checklist:**
1. **Web Server Logs:** Immediately scan IIS/Apache logs for the CVE-2024-1708 path traversal signature (`..%2f`, `..%5c`) targeting `/WebServer` endpoints.
2. **Authentication Logs:** Audit logs for ScreenConnect and SmarterMail for successful logins from impossible travel geolocations (e.g., non-EU IP bursts).
3. **File System:** Monitor for mass file renames or sudden access patterns on network shares (especially `.pst`, `.sql`, `.mdb` files).
**Critical Assets for Exfiltration:**
Based on the current victim profile (Tech, Hospitality, Manufacturing), prioritize securing:
- Customer Relationship Management (CRM) databases.
- Intellectual Property (CAD designs, source code).
- Financial records (Payment Card Industry data for Hospitality victims).
**Containment Actions (Order by Urgency):**
1. **Isolate Management Interfaces:** Immediately disconnect ScreenConnect, Cisco FMC, and SmarterMail interfaces from the internet if patching status is unknown.
2. **Disable RDP:** Force disable RDP across the enterprise via GPO if not strictly required for operations.
3. **Revoke Cached Credentials:** Force a reset of service account passwords used for the affected management consoles.
---
# Hardening Recommendations
**Immediate (24 Hours):**
- **Patch Management:** Apply patches for **CVE-2024-1708** (ScreenConnect) and **CVE-2025-52691** (SmarterMail) immediately. If patching is not possible, implement the specific vendor mitigations (disabling the vulnerable service or restricting access via VPN/allow-list).
- **MFA Enforcement:** Ensure Multi-Factor Authentication (MFA) is enforced on *all* remote access and management portals, specifically email and RMM tools.
**Short-Term (2 Weeks):**
- **Network Segmentation:** Move management consoles (ScreenConnect, FMC) to a dedicated management VLAN that is inaccessible from the general corporate LAN and requires a jump host to access.
- **Edge Security:** Deploy Web Application Firewalls (WAF) rules specifically tuned to block directory traversal attempts against internet-facing servers.
---
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebransomware-gangsafepayransomwarecve-2024-1708nx-consolesmartermaillateral-movement
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.