How SafePay is Targeting Australian Organisations with Borrowed Code and Calculated Precision

Prepared by: Nick Thanos  |  Last update: 12 May 2026

Threat actor profile: SafePay

Threat actor status: ACTIVE 

A ransomware group that first appeared in October 2024 has built a track record of targeted, independent attacks across the Asia-Pacific region and Australian organisations remain firmly in its sights. SafePay operates without a partner affiliate network, relies on proven ransomware code built from the leaked LockBit source, and has demanded ransoms in the multi-million-dollar range against a growing list of victims. Triskele Labs has conducted direct incident response to three SafePay-related intrusions, providing rare firsthand insight into how this group works and what defenders need to do about it. 

Who is SafePay? 

SafePay is a ransomware group first observed in October 2024. Since its emergence, it has targeted IT service providers, civil engineering firms, statistical services organisations, and dairy supply chain businesses, demonstrating that no industry vertical sits outside its scope. 

What sets SafePay apart from many of its contemporaries is its deliberate decision to operate independently. The group's dark web leak site, where it publishes stolen data to pressure victims who refuse to pay, carries the explicit statement that SafePay has never provided, and does not provide, ransomware-as-a-service (RaaS). 

Unlike groups such as RansomHub or Qilin, which rely on networks of affiliate operators who carry out intrusions in exchange for a share of ransom payments, SafePay maintains direct control over its operations. 

This model reduces the operational security risks that come with managing affiliates, allows the group to move quickly, and limits the number of potential points of failure. 

The ransomware binaries used by the group are based on the leaked LockBit source code, a codebase that has circulated within criminal ecosystems since early 2024 and has since been repurposed by multiple threat actors. Rather than building from scratch, SafePay has leveraged this proven foundation, which allowed the group to deploy a functional, effective ransomware capability from a very early stage of its operation. 

SafePay uses double extortion tactics: before encrypting a victim's systems, the group first exfiltrates sensitive data. That data is then used as additional leverage - pay the ransom, or your information gets published. This two-pronged approach is now standard practice among serious ransomware groups and significantly raises the stakes for any victim organisation. 

Based on available information, SafePay has targeted victims across multiple regions, with a notable concentration in Europe and the Asia-Pacific. Activity has also been observed in North America. Since 2025, the group has been linked to several high-profile compromises, some involving ransom demands running into the millions of dollars. 

Triskele Labs has conducted direct response to two SafePay-related incidents, offering rare insight into the group's operational behaviour. These engagements form the basis of the analysis below.

How Does SafePay Operate? 

Across the incidents investigated by Triskele Labs, a consistent and methodical pattern of intrusion emerged. 

Initial Access: Exposed Edge Services and Compromised Credentials

The primary way SafePay operators enter victim environments is through vulnerabilities in edge devices: the systems at the boundary of a network that face the public internet. This includes VPN gateways, firewalls, and Remote Desktop Gateway (RDG) servers. A Remote Desktop Gateway is a server that allows external users to connect to internal systems using Microsoft's Remote Desktop Protocol (RDP); when left exposed without adequate protections, these servers are a well-known target for ransomware groups. 

In one of the incidents responded to by Triskele Labs, the threat actor gained initial access via a VPN connection before moving into the internal environment. This is consistent with the broader pattern observed across the FY 2024-25 financial year, in which exposed VPN services without Multi-Factor Authentication (MFA) were the single largest initial access vector across all ransomware engagements. 

Beyond exploiting edge device vulnerabilities, SafePay has also been observed using compromised credentials obtained through phishing campaigns, Initial Access Brokers (third parties who sell stolen access into corporate networks), and publicly available credential dumps. This gives the group flexibility in how it gains a foothold and makes it harder to predict where an intrusion will originate. 

Privilege Escalation and Lateral Movement 

Once inside the environment, SafePay operators use valid domain account credentials (legitimate usernames and passwords belonging to internal accounts) to escalate privileges and move laterally through the network. Remote Desktop Protocol (RDP) is commonly used for this lateral movement, allowing the threat actor to hop between systems and identify high-value targets. RDP is a standard Microsoft tool that allows users to remotely control another computer; in the wrong hands, it becomes an effective mechanism for traversing internal networks without immediately triggering alarms. 

Data Collection and Exfiltration 

Before encryption is deployed, SafePay collects and stages sensitive data from within the victim environment. The method of exfiltration varies across engagements, ranging from dedicated transfer tooling to exfiltration conducted directly over the VPN connection used for initial access.  

Data is typically staged locally first, collected and consolidated in a central location within the environment, before being transferred out. The RDP clipboard has also been observed as a staging mechanism, allowing the threat actor to copy and paste files between systems during an active RDP session prior to exfiltration. 

Where dedicated tooling is used, SafePay has been observed deploying a combination of file compression and file transfer applications to package and move data out of the network. FileZilla is free FTP (File Transfer Protocol) client software that transfers files between computers and servers; in one of the incidents responded to by Triskele Labs, it was the primary tool used to move data off the server following initial VPN access. Rclone is an open-source, command-line program often described as "rsync for cloud storage"; in a ransomware context, it is repurposed to quietly transfer stolen data to attacker-controlled cloud infrastructure, often blending in with what might appear to be routine backup or storage activity. WinRAR and 7-Zip are both file archiving tools that compress files into smaller packages, making it faster and less conspicuous to move large volumes of data out of a network; SafePay has been observed using both to package data prior to exfiltration. 

Notably, SafePay operators have also demonstrated the ability to exfiltrate data without the use of any dedicated transfer tooling. In one observed engagement, data was moved directly over the VPN connection, using the same channel as initial access, with no tools such as Rclone or FileZilla observed. Organisations relying solely on tooling-based detections cannot assume they will receive an alert before data has already left the environment. 

Defence Evasion 

SafePay operators take deliberate steps to reduce the chances of detection. This includes deleting files and artefacts left behind during the intrusion to remove forensic evidence, as well as modifying or disabling security tools, such as antivirus or endpoint detection software, to prevent alerts from firing during the attack. 

The group also uses anonymising VPN services, Proton VPN and Mullvad, to mask the true origin of its activity. Proton VPN and Mullvad are legitimate privacy-focused VPN services; SafePay uses them to route its traffic through servers in trusted jurisdictions, making attribution more difficult and reducing the effectiveness of geo-based detection controls. This is consistent with the broader trend observed in FY25, where 66% of threat actor IP addresses identified by Triskele Labs were located within Five Eyes countries, not Russia or China, as many organisations expect. 

AnyDesk, a legitimate remote desktop application that allows users to access and control computers from another location, has also been observed in use by SafePay. Threat actors commonly repurpose such tools because they are not inherently malicious and are frequently used by IT teams, making them less likely to generate alerts. 

Encryption and Impact 

The final stage of a SafePay intrusion is the deployment of ransomware. The group uses a dynamic-link library file, Locker.dll, which performs the encryption or locking function across the victim's systems. Once this stage is reached, data is encrypted and systems are rendered inaccessible, triggering the visible disruption that typically signals to the victim that an incident has occurred. 

By this point, the threat actor has already completed its primary objectives: data has been exfiltrated and leverage has been established. Encryption is the final trigger, designed to force a decision from the victim.


Practical Defences Against SafePay Intrusions 

The consistent entry points and techniques SafePay operators use mean there are clear, actionable controls that reduce risk materially. 

  1. Enforce MFA across all external-facing services without exception.
    SafePay's primary entry point is exposed edge services. VPN gateways, RDG servers, and any other service accessible from the public internet should require Multi-Factor Authentication. MFA requires a user to verify their identity through two or more methods, for example, a password plus a one-time code sent to a phone. Without it, a stolen username and password is all a threat actor needs to gain access. This single control, consistently applied, would prevent the majority of observed SafePay intrusions.

    Note that Remote Desktop Gateway servers do not natively support MFA; additional configuration and planning is required beyond standard IT management arrangements. Organisations should seek specialist advice if they are uncertain whether their RDG is adequately protected.
  2. Audit credential exposure and eliminate password reuse. 
    SafePay uses compromised credentials from phishing campaigns, credential dumps, and Initial Access Brokers. Organisations should assess whether staff credentials have been exposed in known data breaches, enforce strong and unique passwords across all accounts, and ensure that domain administrator credentials are not reused across multiple systems. Shared drives should not be used to store credentials; spreadsheets of usernames and passwords accessible to anyone on the network remain a persistent finding in DFIR investigations. 
  3. Monitor for FileZilla, Rclone, WinRAR, 7-Zip and other exfiltration tooling. 
    These tools are either free or widely available, and their presence in an environment can blend in with legitimate use. Security teams should build detections that flag unexpected use of file transfer tools, particularly in combination with large data staging activity or unusual outbound data volumes. Because these tools are not inherently malicious, detection requires behavioural context: where files are being sent, at what volume, and by which accounts.
  4. Monitor for anonymising VPN usage within the environment. 
    SafePay operators use Proton VPN and Mullvad to mask their activity. Connections made through these services originate from IP addresses associated with trusted jurisdictions, meaning standard geo-blocking provides little protection. Monitor for connections to known VPN service infrastructure and be alert to traffic patterns that suggest data is being routed through anonymising services. 
  5. Restrict lateral movement pathways, especially RDP.
    SafePay uses RDP to move through environments once access has been established. Limit which systems can connect to each other via RDP, enforce authentication controls for RDP sessions, and monitor for RDP activity outside of normal patterns, particularly sessions initiated from unexpected source systems or outside business hours. 
  6. Deploy and maintain endpoint detection and response (EDR) tooling across every asset. 
    Basic antivirus does not detect the kind of activity SafePay engages in once inside a network: credential access, lateral movement, data staging, and defence evasion. EDR solutions provide deeper behavioural visibility. Critically, EDR must be deployed consistently across all systems. Threat actors routinely identify hosts without security tooling and use those as staging grounds for their activity. 
  7. Review traffic logs and internet bandwidth utilisation for unusual patterns. 
    Not all exfiltration uses specific tooling. As observed in one SafePay engagement, data can be moved directly over an established VPN connection without the use of dedicated transfer tools such as Rclone or FileZilla. In these cases, tooling-based detections will not fire. Organisations should monitor for anomalous outbound data volumes, unexpected spikes in bandwidth utilisation and traffic patterns that fall outside normal business activity, particularly on VPN connections and outside of business hours. 
  8. Ensure security alerting is monitored around the clock.
    Ransomware groups including SafePay tend to conduct their most disruptive activity outside of business hours. If security alerts are only reviewed during a standard working day, a threat actor has a large window in which to operate undetected. Whether through an internal security operations capability or an external managed detection and response provider, continuous monitoring is essential to detect and respond to threats before encryption is deployed. 
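As an added example (not Triskele Labs tooling), the following Python sketch implements the behavioural correlation that items 3 and 7 describe, run over constructed process-start and VPN-session records. The tool list comes from the article; the 5 GiB per-session threshold, the business-hours window, the account names and the sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Tooling named in the article, by process image name; rar.exe and 7za.exe
# are the command-line builds of WinRAR and 7-Zip.
EXFIL_TOOLS = {"rclone.exe", "filezilla.exe", "winrar.exe", "rar.exe", "7z.exe", "7za.exe"}

# Constructed process-start events: (timestamp, host, user, image name).
PROCESS_EVENTS = [
    ("2025-03-14T02:11:05", "FS01", "CORP\\svc_backup", "rclone.exe"),
    ("2025-03-14T02:25:40", "FS01", "CORP\\svc_backup", "7z.exe"),
    ("2025-03-14T10:30:00", "WS22", "CORP\\jsmith", "7z.exe"),
]

# Constructed VPN session records: (user, session start, outbound bytes).
VPN_SESSIONS = [
    ("CORP\\svc_backup", "2025-03-14T01:50:00", 48 * 1024**3),  # 48 GiB, 01:50
    ("CORP\\jsmith", "2025-03-14T09:15:00", 350 * 1024**2),     # 350 MiB, 09:15
    ("CORP\\contractor", "2025-03-14T22:05:00", 9 * 1024**3),   # 9 GiB, 22:05
]

BUSINESS_HOURS = range(8, 18)        # assumption: 08:00-17:59 local time
OUTBOUND_THRESHOLD = 5 * 1024**3     # assumption: 5 GiB per session is anomalous

def is_after_hours(timestamp: str) -> bool:
    return datetime.fromisoformat(timestamp).hour not in BUSINESS_HOURS

def tool_executions(events=PROCESS_EVENTS):
    """Item 3: map each account to the exfiltration tools it has launched."""
    seen = defaultdict(set)
    for _ts, _host, user, image in events:
        if image.lower() in EXFIL_TOOLS:
            seen[user].add(image.lower())
    return seen

def flag_sessions(sessions=VPN_SESSIONS, events=PROCESS_EVENTS):
    """Items 3 and 7: score VPN sessions on volume, time of day and tool use."""
    tools = tool_executions(events)
    findings = []
    for user, start, outbound in sessions:
        reasons = []
        if outbound >= OUTBOUND_THRESHOLD:
            reasons.append("high-outbound")
        if is_after_hours(start):
            reasons.append("after-hours")
        if user in tools:
            reasons.append("exfil-tool:" + ",".join(sorted(tools[user])))
        # Volume alone is enough (item 7: no tooling need be present); tool use
        # only counts alongside another indicator, so routine business-hours
        # archiving by a single user is not flagged on its own.
        if "high-outbound" in reasons or len(reasons) >= 2:
            findings.append((user, sorted(reasons)))
    return findings
```

The contractor session is flagged purely on volume and time of day, which is the tooling-free case item 7 warns about, while the business-hours 7-Zip use by jsmith is left alone.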

Summary 

SafePay is an active and emerging ransomware threat with a direct presence in the Australian market. Unlike many of its peers, the group operates independently, without an affiliate network, which gives it tighter operational control and makes its behaviour more consistent and predictable. Its ransomware payload is built on the proven LockBit codebase, its intrusions begin through exposed edge services and compromised credentials, and its exfiltration relies on widely available tools including FileZilla, Rclone, WinRAR, and 7-Zip. 

Triskele Labs has responded directly to two SafePay incidents, providing firsthand visibility into the group's methods. The pattern is deliberate and methodical: gain access through an exposed VPN or RDG, move laterally using valid account credentials and RDP, collect and stage sensitive data, exfiltrate it using common file transfer tools, and then encrypt systems to force a decision. Anonymising VPNs and defence evasion techniques reduce the likelihood of detection during the attack. 

The group is actively targeting organisations across the Asia-Pacific region and has demonstrated a willingness to pursue high-value targets with ransom demands in the multi-million-dollar range. The defensive actions most likely to disrupt a SafePay intrusion are also the most foundational: enforce MFA on all external-facing services, monitor for exfiltration tooling and anomalous data movement, and ensure your security alerting is watched around the clock. 


MITRE ATT&CK Mapping

TACTIC           | TECHNIQUE                                                                    | DESCRIPTION
-----------------|------------------------------------------------------------------------------|------------
Initial Access   | T1078.002 – Valid Accounts: Domain Accounts                                  | Obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defence Evasion.
Initial Access   | T1133 – External Remote Services                                             | Leverage external-facing remote services to initially access and/or persist within a network.
Defence Evasion  | T1070.004 – Indicator Removal: File Deletion                                 | Delete files left behind by the actions of their intrusion activity.
Defence Evasion  | T1562.001 – Impair Defences: Disable or Modify Tools                         | Modify and/or disable security tools to avoid possible detection of their malware/tools and activities.
Lateral Movement | T1021.001 – Remote Services: Remote Desktop Protocol                         | Use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP).
Collection       | T1005 – Data from Local System                                               | Using a Command and Scripting Interpreter, such as cmd, to interact with the file system and gather information.
Collection       | T1074.001 – Data Staged: Local Data Staging                                  | Stage collected data in a central location or directory on the local system prior to Exfiltration.
Exfiltration     | T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage     | Exfiltrate data to a cloud storage service rather than over their primary command and control channel.
Impact           | T1486 – Data Encrypted for Impact                                            | Encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.

Commonly Utilised Tooling

TOOL       | PURPOSE
-----------|--------
FileZilla  | FTP client used to transfer files between systems and servers; repurposed for data exfiltration
Rclone     | Command-line cloud storage sync tool; repurposed for large-scale data theft to cloud infrastructure
WinRAR     | File compression tool used to package data prior to exfiltration
7-Zip      | Free, open-source file archiver used to compress and package files for exfiltration
Locker.dll | Dynamic-link library file used to perform encryption of victim systems
AnyDesk    | Legitimate remote desktop application repurposed for persistent access
Proton VPN | Privacy-focused VPN service used to anonymise attacker traffic and origin
Mullvad    | Privacy-focused VPN service used to anonymise attacker traffic and origin
