Threat Actor Profile
High
Cybercriminal
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (11)
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': '',
'firstseen': '2023-11-10T19:13:13+00:00',
'group': 'safepay',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2026-04-17T16:29:10.676976+00:00',
'locations': [{'available': False,
'fqdn': 'j3dp6okmaklajrsk6zljl5sfa2vpui7j2w6cwmhmmqhab6frdfbphhid.onion',
'slug': 'http://j3dp6okmaklajrsk6zljl5sfa2vpui7j2w6cwmhmmqhab6frdfbphhid.onion',
'title': 'SAFEPAY',
'type': 'DLS'},
{'available': True,
'fqdn': 'safepaypfxntwixwjrlcscft433ggemlhgkkdupi2ynhtcmvdgubmoyd.onion',
'slug': 'http://safepaypfxntwixwjrlcscft433ggemlhgkkdupi2ynhtcmvdgubmoyd.onion',
'title': 'Safepay Blog',
'type': 'DLS'},
{'available': False,
'fqdn': 'nj5qix45sxnl4h4og6hcgwengg2oqloj3c2rhc6dpwiofx3jbivcs6qd.onion',
'slug': 'http://nj5qix45sxnl4h4og6hcgwengg2oqloj3c2rhc6dpwiofx3jbivcs6qd.onion',
'title': '',
'type': 'DLS'},
{'available': False,
'fqdn': 'nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion',
'slug': 'http://nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion',
'title': 'SAFEPAY',
'type': 'DLS'},
{'available': False,
'fqdn': 'cqkrkmmivhakl3fwgxscurduu3znmroablt7jskxszkctixyseij5gad.onion',
'slug': 'http://cqkrkmmivhakl3fwgxscurduu3znmroablt7jskxszkctixyseij5gad.onion',
'title': 'SAFEPAY',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 2,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': 'j3dp6okmaklajrsk6zljl5sfa2vpui7j2w6cwmhmmqhab6frdfbphhid.onion',
'slug': 'http://j3dp6okmaklajrsk6zljl5sfa2vpui7j2w6cwmhmmqhab6frdfbphhid.onion',
'title': 'SAFEPAY',
'type': 'DLS'},
{'available': True,
'fqdn': 'safepaypfxntwixwjrlcscft433ggemlhgkkdupi2ynhtcmvdgubmoyd.onion',
'slug': 'http://safepaypfxntwixwjrlcscft433ggemlhgkkdupi2ynhtcmvdgubmoyd.onion',
'title': 'Safepay Blog',
'type': 'DLS'},
{'available': False,
'fqdn': 'nj5qix45sxnl4h4og6hcgwengg2oqloj3c2rhc6dpwiofx3jbivcs6qd.onion',
'slug': 'http://nj5qix45sxnl4h4og6hcgwengg2oqloj3c2rhc6dpwiofx3jbivcs6qd.onion',
'title': '',
'type': 'DLS'},
{'available': False,
'fqdn': 'nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion',
'slug': 'http://nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion',
'title': 'SAFEPAY',
'type': 'DLS'},
{'available': False,
'fqdn': 'cqkrkmmivhakl3fwgxscurduu3znmroablt7jskxszkctixyseij5gad.onion',
'slug': 'http://cqkrkmmivhakl3fwgxscurduu3znmroablt7jskxszkctixyseij5gad.onion',
'title': 'SAFEPAY',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 2,
'ransomware_live_group': 'safepay',
'tools': {'CredentialTheft': [],
'DefenseEvasion': [],
'DiscoveryEnum': ['Invoke-ShareFinder'],
'Exfiltration': ['7-Zip', 'WinRAR'],
'LOLBAS': ['CMSTPLUA',
'dllhost.exe',
'Regsvr32.exe'],
'Networking': [],
'Offsec': [],
'RMM-Tools': []},
'url': 'https://www.ransomware.live/group/safepay',
'victims': 454,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': [],
'DefenseEvasion': [],
'DiscoveryEnum': ['Invoke-ShareFinder'],
'Exfiltration': ['7-Zip', 'WinRAR'],
'LOLBAS': ['CMSTPLUA', 'dllhost.exe', 'Regsvr32.exe'],
'Networking': [],
'Offsec': [],
'RMM-Tools': []},
'ttps': [{'tactic_id': 'TA0001',
'tactic_name': 'Initial Access',
'techniques': [{'technique_details': 'The threat actor accessed the '
'endpoint via Remote Desktop '
'Protocol (RDP) using valid '
'credentials.',
'technique_id': 'T1078',
'technique_name': 'Valid Accounts'}]},
{'tactic_id': 'TA0002',
'tactic_name': 'Execution',
'techniques': [{'technique_details': 'Utilized PowerShell scripts, '
'such as ShareFinder.ps1, to '
'execute commands on the '
'compromised system.',
'technique_id': 'T1059',
'technique_name': 'Command and Scripting '
'Interpreter'},
{'technique_details': 'Employed WMI commands to '
'execute processes on remote '
'systems.',
'technique_id': 'T1047',
'technique_name': 'Windows Management '
'Instrumentation'}]},
{'tactic_id': 'TA0003',
'tactic_name': 'Persistence',
'techniques': [{'technique_details': 'Maintained access through the '
'use of compromised valid '
'accounts.',
'technique_id': 'T1078',
'technique_name': 'Valid Accounts'}]},
{'tactic_id': 'TA0004',
'tactic_name': 'Privilege Escalation',
'techniques': [{'technique_details': 'Escalated privileges by '
'leveraging valid domain '
'accounts.',
'technique_id': 'T1078',
'technique_name': 'Valid Accounts'}]},
{'tactic_id': 'TA0005',
'tactic_name': 'Defense Evasion',
'techniques': [{'technique_details': 'Disabled Windows Defender '
'using a sequence of LOLBin '
'commands to evade detection.',
'technique_id': 'T1562.001',
'technique_name': 'Disable or Modify Tools'}]},
{'tactic_id': 'TA0006',
'tactic_name': 'Credential Access',
'techniques': [{'technique_details': 'Employed tools like lsassy.py '
'to dump credentials from the '
'operating system.',
'technique_id': 'T1003',
'technique_name': 'OS Credential Dumping'}]},
{'tactic_id': 'TA0007',
'tactic_name': 'Discovery',
'techniques': [{'technique_details': 'Conducted domain trust '
'discovery using commands like '
"'net group domain admins "
"/domain' and 'nltest.exe'.",
'technique_id': 'T1482',
'technique_name': 'Domain Trust Discovery'}]},
{'tactic_id': 'TA0008',
'tactic_name': 'Lateral Movement',
'techniques': [{'technique_details': 'Moved laterally within the '
'network using Remote Desktop '
'Protocol (RDP) and Windows '
'Management Instrumentation '
'(WMI).',
'technique_id': 'T1021',
'technique_name': 'Remote Services'}]},
{'tactic_id': 'TA0009',
'tactic_name': 'Collection',
'techniques': [{'technique_details': 'Archived files using WinRAR '
'with specific command-line '
'options to prepare data for '
'exfiltration.',
'technique_id': 'T1560',
'technique_name': 'Archive Collected Data'}]},
{'tactic_id': 'TA0010',
'tactic_name': 'Exfiltration',
'techniques': [{'technique_details': 'Utilized MEGASync to '
'exfiltrate data over a web '
'service.',
'technique_id': 'T1567.002',
'technique_name': 'Exfiltration Over Web Service'}]},
{'tactic_id': 'TA0040',
'tactic_name': 'Impact',
'techniques': [{'technique_details': 'Encrypted files and appended '
"the '.safepay' extension, "
'leaving a ransom note named '
"'readme_safepay.txt'.",
'technique_id': 'T1486',
'technique_name': 'Data Encrypted for Impact'},
{'technique_details': 'Deleted volume shadow copies '
'to inhibit system recovery.',
'technique_id': 'T1490',
'technique_name': 'Inhibit System Recovery'}]}],
'url': 'https://www.ransomware.live/group/safepay',
'victims': 454,
'vulnerabilities': []}