Menu
Browse

Cyber Threat Actor: Safepay

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Crime Syndicate
3 incidents
Profile

The threat actor operating under the aliases SafePlay and Safepay is a ransomware group distinguished by attacks that prioritize large-scale data exfiltration and public leakage to exert pressure on victims. Their operations have focused on major corporations within the United States, specifically targeting business services providers and logistics firms. The strategic objective is unequivocally financial, achieved through a double extortion model where data is stolen prior to encryption and subsequently threatened for release unless a ransom is paid. This is evidenced in their attack on Ingram Micro, where 3.5 terabytes of sensitive personal data were stolen and leaked after operations were restored without payment, and in their breach of Conduent, where 8.5 terabytes of data including Social Security numbers and health records were exfiltrated from systems accessed over several months. The geographic impact of their campaigns is heavily concentrated in the U.S., with state-level consequences such as the disruption of Wisconsin and Oklahoma's EBT services and the exposure of millions of residents in Texas and Oregon, indicating a focus on entities that handle vast quantities of public and personal data.

The group's tactics, techniques, and procedures reveal a pattern of prolonged, stealthy network presence followed by massive data theft. They gain unauthorized access and maintain it for extended periods, often months, before deploying ransomware, allowing for the aggregation of enormous data volumes. Their tooling style centers on ransomware deployment coupled with the systematic exfiltration of terabytes of sensitive information, which they then publish on dedicated dark web leak sites if ransom demands are unmet. No specific malware families or initial access vectors are detailed in the reported incidents, but the operational hallmark is the combination of data destruction threats with the certain, public exposure of stolen records. The Conduent incident stands as their most significant reported campaign, potentially the largest U.S. data breach in history, affecting up to 26 million individuals across multiple states and stemming from their infiltration of a critical business services contractor for health insurers. The Ingram Micro attack further illustrates their capacity to paralyze logistical operations for a week while simultaneously stealing and leaking the personal data of tens of thousands. Publicly available information does not attribute these activities to any state sponsor or criminal consortium, leaving their organizational structure and affiliations undetermined.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
0 sources