SafePay Ransomware Activity Targets Diverse Sectors (6 Victims)
Statistical Overview
Victim Totals
- This month: 50
- This quarter: 1596
- Year to date: 4221
- Last 24h: 23
Quarterly Breakdown
Q1: 2631 | Q2: 1596 | Q3: 0 | Q4: 0
Ransomware groups disclosed 23 new victims in the last 24 hours. The quarterly total of 1596 reflects sustained threat actor activity, and the last 24 hours brought a moderate number of new victim disclosures.
Introduction
In the last 24 hours, ransomware groups disclosed 23 new victims. SafePay was the most active with six victims, followed by BlackX with four. Groups like Nova (RALord) and CoinbaseCartel were also active. Primary targets included entities in Transportation & Logistics, Professional Services, and Healthcare. Attacks concentrated in the United States and Europe, especially Germany, Italy, and France.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | SafePay | 6 | Compactmould.com, Lcnet.eu, Parsa-beauty.de (+3) | Germany, Italy | Transportation & Logistics, Professional Services |
| 2 | BlackX | 4 | African national congress, Case.law, Elektroverband-bayern (+1) | Germany, United States | Healthcare, Professional Services |
| 3 | CoinbaseCartel | 2 | Cambridge mobile telematics, Panasonic.aero | United States | Transportation & Logistics, Technology / Software |
| 4 | Krybit | 2 | Activ88-interim.com, Www.transbras.com.gt | Guatemala, France | Professional Services, Transportation & Logistics |
| 5 | Nova (RALord) | 2 | Everlite concept, Ibena textilwerke | Germany, France | Construction & Engineering, Manufacturing |
| 6 | Qilin | 2 | Clinica maitenes, Nova medical products | United States, Chile | Healthcare |
| 7 | APT73 | 1 | Elections.mia.gov.am from wolves of turan | Armenia | Government / Public Sector |
| 8 | Anubis | 1 | Power & tel | United States | Telecommunications |
| 9 | Interlock | 1 | Cold front distribution | United States | Agriculture & Food |
| 10 | Shadowbyt3s | 1 | Cropwise (syngenta group) | Switzerland | Agriculture & Food |
| 11 | Space Bears | 1 | Stellar | France | Telecommunications |
SafePay led activity with six new victims. It primarily impacted Transportation & Logistics and Professional Services across Germany and Italy. BlackX followed with four victims, targeting entities in Healthcare and Professional Services, including the African National Congress, with activity in Germany and the United States. CoinbaseCartel and Krybit both focused on Transportation & Logistics and Professional Services, with victims in the United States, Guatemala, and France. Overall, 11 groups contributed to the victim count, with varied targeting strategies across multiple geographies.
Victim Distribution
By Country
- United States: 6
- Germany: 4
- Italy: 3
- France: 3
- Switzerland: 1
- South Korea: 1
- South Africa: 1
- Armenia: 1
- Guatemala: 1
- Chile: 1
By Industry
- Consumer Goods: 1
- Telecommunications Equipment Distribution: 1
- Software Development: 1
- Legal Research: 1
- Hospital & Health Care: 1
- Grocery and Foodservice Distribution: 1
- Aviation & Aerospace: 1
- Agricultural Technology and Innovation: 1
- Plastic Surgery: 1
- Political Organization: 1
The United States remains the most targeted country, followed by European nations such as Germany, Italy, and France. Industry targeting is fragmented, with Professional Services and Transportation & Logistics frequently appearing among impacted sectors. This suggests broad, opportunistic targeting by multiple ransomware groups.
Ransomware News
Topline - Recent threat intelligence shows evolving ransomware tradecraft, exemplified by a new variant, and demonstrates the importance of strong incident response methods.
Campaigns & Operations - Analysis of the EndPoint ransomware, a Midnight-era variant built on the Babuk framework, shows it targets Windows, ESXi, and NAS environments. This ransomware uses a double-extortion model, encrypting data with ChaCha20 and an in-house RSA operation for session key protection. EndPoint specifically targets folders, network shares, and file extensions, while terminating key processes and deleting volume shadow copies. This shows a focused approach to data encryption and system disruption.
Vulnerabilities & TTPs - EndPoint ransomware's methods include terminating critical backup and security services such as VSS, SQL, Veeam, and Sophos, along with deleting volume shadow copies via vssadmin. To counter these tactics, effective incident response relies on fast, data-driven detection using tools like EDR, SIEM, SOAR, and XDR, combined with network segmentation and isolation to contain threats and prevent lateral movement.
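The two behaviours called out above (shadow copy deletion through vssadmin and the stopping of VSS, SQL, Veeam and Sophos services) are exactly what a detection rule in an EDR or SIEM would look for. The following Python detector is an added example, not code from the report or from any vendor product: it runs two rules over a small set of constructed process-creation events (the hosts, users and command lines are invented for illustration) and escalates a host to "critical" when both behaviours appear together, since that pairing is the encryption-preparation pattern described for EndPoint.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (hypothetical hosts/users/commands,
# shaped like the fields a Sysmon Event ID 1 or Windows 4688 record provides).
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "jdoe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-01", "user": "jdoe", "cmdline": "net stop VeeamBackupSvc /y"},
    {"host": "srv-db", "user": "svc_sql", "cmdline": "sc stop MSSQLSERVER"},
    {"host": "ws-02", "user": "admin", "cmdline": "vssadmin.exe list shadows"},
    {"host": "ws-02", "user": "admin", "cmdline": "net stop Spooler"},
]

# Service-name fragments for the services the report names as EndPoint targets
# (VSS, SQL, Veeam, Sophos). Matching is a case-insensitive substring test.
PROTECTED_SERVICE_KEYWORDS = ("vss", "sql", "veeam", "sophos")

# Rule 1: vssadmin invoked with "delete shadows". Listing shadows is routine
# admin work, so the rule deliberately requires the delete verb.
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)

# Rule 2: "net stop <svc>" or "sc stop <svc>"; group 1 captures the service name.
SERVICE_STOP_RE = re.compile(r"\b(?:net|net1|sc)(?:\.exe)?\s+stop\s+\"?([^\s\"/]+)", re.I)


def classify_event(event):
    """Return (rule_name, detail) if the event matches a rule, else None."""
    cmd = event["cmdline"]
    if SHADOW_DELETE_RE.search(cmd):
        return ("shadow_copy_deletion", cmd)
    m = SERVICE_STOP_RE.search(cmd)
    if m:
        svc = m.group(1)
        if any(k in svc.lower() for k in PROTECTED_SERVICE_KEYWORDS):
            return ("protected_service_stop", svc)
    return None


def detect(events):
    """Run both rules over process-creation events and correlate per host.

    Returns {host: {"hits": [(rule, detail, user), ...], "severity": str}}.
    A host showing both shadow-copy deletion and a protected-service stop is
    escalated to "critical"; a single matching behaviour is reported as "high".
    """
    per_host = defaultdict(list)
    for ev in events:
        hit = classify_event(ev)
        if hit:
            per_host[ev["host"]].append((hit[0], hit[1], ev["user"]))

    report = {}
    for host, hits in per_host.items():
        rules = {rule for rule, _, _ in hits}
        both = {"shadow_copy_deletion", "protected_service_stop"} <= rules
        report[host] = {"hits": hits, "severity": "critical" if both else "high"}
    return report


if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS).items():
        print(f"{host}: {finding['severity']}")
        for rule, detail, user in finding["hits"]:
            print(f"  {rule} by {user}: {detail}")
```

In the constructed sample, ws-01 is flagged critical (shadow deletion plus a Veeam service stop), srv-db is flagged high (SQL service stop only), and ws-02 produces no finding because listing shadow copies and stopping the print spooler are not the behaviours in question. In production the same two rules would run over the SIEM's process-creation feed, and the per-host correlation is what turns two individually noisy alerts into an actionable one.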
Analyst Note - These developments show that organizations must continually track emerging ransomware variants and maintain agile, complete incident response frameworks to mitigate their impact.
Technical Takeaways
- SafePay is the most active group, accounting for 6 of the 23 new victims. It primarily targets Transportation & Logistics and Professional Services.
- BlackX targets diverse sectors, including Healthcare, Professional Services, and a political organization.
- Multiple ransomware groups, including CoinbaseCartel, Krybit, and Nova (RALord), show varied targeting across sectors such as Transportation & Logistics, Professional Services, and Manufacturing.
- Geographically, the United States, Germany, Italy, and France are the most frequently impacted regions.
- The newly analyzed EndPoint ransomware variant uses the Babuk framework to target Windows, ESXi, and NAS environments. It uses ChaCha20/RSA encryption and aggressive tactics such as vssadmin for shadow copy deletion and service termination.