SafePay ransomware zeroes in on smaller firms
Cyber intelligence firm Flare has released an analysis of the SafePay ransomware operation that indicates most victims never disclose attacks and that many of the most damaging incidents emerge only after affected companies collapse.
The study examines 500 verified victim records linked to SafePay's leak infrastructure on the dark web. The group, which appeared in late 2024 and expanded its activity through 2025, uses double extortion: it steals data and encrypts systems, then names victims on Tor-based leak sites when negotiations stall.
Flare's researchers describe these leak portals as an informal disclosure layer that reveals incidents which do not appear in regulatory filings, corporate announcements or public reports.
The dataset suggests that SafePay, like other contemporary ransomware groups, operates a systematic extortion model aimed at organisations under regulatory and operational pressure rather than only those with the largest balance sheets.
SMBs in the crosshairs
More than 90% of identified SafePay victims are small or medium-sized businesses, according to the analysis. These organisations often generate enough revenue to make ransom payment feasible but lack the resilience to sustain prolonged outages in core systems.
More than half of the victims have estimated annual revenue below USD 10 million. Flare's analysis indicates a focus on firms that face immediate disruption risk and limited financial buffers.
Roughly two-thirds of the victims operate in service industries. These include professional services providers, healthcare organisations, retailers and industrial small and medium-sized enterprises. The report links this pattern to deliberate targeting of sectors that depend on continuous IT operations and handle sensitive data.
The findings align with warnings from regulators and law enforcement that public statistics substantially understate the true volume of ransomware incidents. Agencies including ENISA and the FBI have stated that official notifications and company announcements represent only a portion of attacks.
Geographic concentration
Victims in the dataset cluster in North America and Western Europe. The United States accounts for 158 cases and Germany for 76. The report links this regional concentration to the combination of high economic output and extensive data and security regulation.
These jurisdictions enforce regimes such as GDPR, NIS2, HIPAA and mandatory breach reporting that raise exposure when data theft becomes public. Flare's analysis states that SafePay and similar groups exploit this environment by threatening disclosure that may trigger investigations, fines, litigation and reputational damage.
The study concludes that ransomware operators now look for regulatory pressure points. These include organisations with extensive digital operations, obligations to protect personal or sensitive information, and limited in-house security resources.
Hidden exposure
Flare's researchers say that SafePay's leak records contain evidence that often never appears in official channels. This includes information on prior undisclosed ransomware incidents in supply chains, historical compromise of acquisition targets and attack patterns that insurers do not see through standard self-reported control assessments.
The company states that leak-site data provides an additional source of intelligence for risk assessments and due diligence exercises. It can show whether a supplier, partner or prospective target has previously been listed as a victim by a ransomware group even if no public breach notice exists.
Flare positions the SafePay dataset as an example of the insights that can emerge from systematic monitoring of dark web infrastructure associated with extortion groups.