SafePay is a ransomware strain that encrypts files on infected systems and appends the “.safepay” extension to them. It then demands a ransom for decryption and threatens to release stolen sensitive data if payment is not made. Victims receive a ransom note titled “readme_safepay.txt”, which details the attackers’ demands and instructions for communication via the Tor network.
SafePay Ransomware Overview
| Threat Name | SafePay Ransomware |
|---|---|
| Threat Type | Ransomware, Crypto Virus, Files Locker |
| Encrypted File Extension | .safepay |
| Ransom Note Name | readme_safepay.txt |
| Free Decryptor Available? | No |
| Infection Symptoms | Files become inaccessible, file extensions are modified, ransom note appears, system slowdown |
| Distribution Methods | Malicious email attachments, torrent websites, malicious ads, software exploits |
| Potential Damage | File encryption, data theft, additional malware installation, financial loss |
| Attack Consequences | Loss of sensitive data, extortion threats, business disruption |
How SafePay Ransomware Works
Initial Infection
SafePay is commonly spread through:
- Phishing emails with malicious attachments or links
- Trojanized software downloads from unverified sources
- Exploited software vulnerabilities in outdated systems
- Malicious advertisements on compromised or deceptive websites
- Fake software updates and cracking tools
File Encryption
Once executed, SafePay scans the system for documents, images, databases, and other important files and encrypts them. Encrypted files are renamed with the ".safepay" extension.
For example:
- "report.docx" → "report.docx.safepay"
- "photo.jpg" → "photo.jpg.safepay"
3. Ransom Note Displayed
After encryption, SafePay generates a ransom note (readme_safepay.txt) in affected directories, informing victims about the attack and demanding payment.
Double Extortion Tactics
The attackers claim to have stolen sensitive corporate data and threaten to leak it unless the ransom is paid. Victims are given 14 days to respond before their data is publicly exposed.
SafePay Ransom Note Message
Greetings! Your corporate network was attacked by SafePay team.
Your IT specialists made a number of mistakes in setting up the security of your corporate network, so we were able to spend quite a long period of time in it and compromise you.
It was the misconfiguration of your network that allowed our experts to attack you, so treat this situation as simply as a paid training session for your system administrators.
We’ve spent the time analyzing your data, including all the sensitive and confidential information. As a result, all files of importance have been encrypted and the ones of most interest to us have been stolen and are now stored on a secure server for further exploitation and publication on the Web with an open access.
Now we are in possession of your files such as: financial statements, intellectual property, accounting records, lawsuits and complaints, personnel and customer files, as well as files containing information on bank details, transactions and other internal documentation.
Furthermore we successfully blocked most of the servers that are of vital importance to you, however upon reaching an agreement, we will unlock them as soon as possible and your employees will be able to resume their daily duties.
We are suggesting a mutually beneficial solution to that issue. You submit a payment to us and we keep the fact that your network has been compromised a secret, delete all your data and provide you with the key to decrypt all your data.
In the event of an agreement, our reputation is a guarantee that all conditions will be fulfilled. No one will ever negotiate with us later on if we don't fulfill our part and we recognise that clearly! We are not a politically motivated group and want nothing more than money. Provided you pay, we will honour all the terms we agreed to during the negotiation process.
In order to contact us, please use chat below, you have 14 days to contact us, after this time a blog post will be made with a timer for 3 days before the data is published and you will no longer be able to contact us.
To contact us follow the instructions:\n1) Install and run “Tor Browser” from hxxps://www.torproject.org/download/\n2) Go to -
Reserve Link: -\n3) Log in with ID: -
Contact and wait for a reply, we guarantee that we will reply as soon as possible, and we will explain everything to you once again in more detail.How to Remove SafePay Ransomware
Step 1: Disconnect from the Internet
Immediately disconnect affected systems to prevent further encryption and limit ransomware communication with its command and control (C2) server.
Step 2: Enter Safe Mode
- Restart your PC.
- Press F8 or Shift + F8 before Windows boots.
- Select Safe Mode with Networking.
Step 3: Scan with Anti-Malware Software
Use a reputable anti-malware tool like SpyHunter to detect and remove SafePay ransomware.
Step 4: Remove Malicious Registry Entries
- Press Win + R, type regedit, and press Enter.
- Navigate to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Delete suspicious entries related to SafePay.
Step 5: Restore Encrypted Files
Option 1: Restore from Backup
If backups exist, restore files from an external or cloud backup.
Option 2: Try Windows Shadow Copies (If Enabled)
- Right-click on an encrypted file.
- Select Properties > Previous Versions.
- Choose a version and click Restore.
Option 3: Use Third-Party Decryptors
Check reputable cybersecurity sites (e.g., NoMoreRansom) for decryptors, though SafePay does not have a known free decryptor yet.
How to Prevent Future Ransomware Infections
- Backup Data Regularly – Use offline backups or cloud storage with version history.
- Enable Strong Security Software – Install SpyHunter or other trusted anti-malware solutions.
- Keep Software Updated – Patch operating systems, browsers, and applications.
- Avoid Suspicious Emails – Do not open attachments or click links from unknown senders.
- Use Strong Passwords & 2FA – Enable multi-factor authentication (MFA) on sensitive accounts.
- Disable Macros & Script Execution – Prevent automatic execution of malicious scripts in Microsoft Office and PowerShell.
- Restrict Administrative Privileges – Use limited user accounts to reduce risk.
- Educate Employees & Users – Conduct regular cybersecurity training to recognize phishing attempts.
Conclusion
SafePay ransomware is a dangerous cyber threat that not only encrypts files but also steals sensitive corporate data for extortion. Victims should not pay the ransom as there is no guarantee of data recovery. Instead, they should focus on removing the ransomware, restoring files from backups, and improving cybersecurity defenses to prevent future attacks.
