SafePay Ransomware Claims 9 Victims in 24h
Statistical Overview
Victim Totals
- This month: 155
- This quarter: 155
- Year to date: 5161
- Last 24h: 29
Quarterly Breakdown
Q1: 2631 | Q2: 2386 | Q3: 155 | Q4: 0
Ransomware activity continues trends observed earlier this quarter, with a volume of 29 new victims emerging in the last 24 hours. This recent surge is driven primarily by SafePay, followed by Akira and AiLock operations.
Introduction
Ransomware activity recorded 29 new victim disclosures in the last 24 hours. SafePay is the most active group, followed by Akira, AiLock, Chaos, and DragonForce. Geographically, the United States and Germany were the most frequently targeted, with sectors such as Technology/Software, Construction & Engineering, Professional Services, and Education observing activity.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors | |
|---|---|---|---|---|---|---|
| 1 | SafePay | 9 | Bmiprojects.de, Caritas-koblenz.de, Hahn-airport.de (+6) | United Kingdom, United States | Technology / Software, Construction & Engineering | |
| 2 | Akira | 4 | Chisholm persson & ball, Edge solutions | stone ridge payments, Excalibur rentals (+1) | United States | Professional Services, Technology / Software |
| 3 | AiLock | 2 | Richmont graduate university, Studio sardano | Italy, United States | Professional Services, Education | |
| 4 | Chaos | 2 | Aircreebec.ca, Gisy.com | United States, Canada | Energy & Utilities, Transportation & Logistics | |
| 5 | DragonForce | 2 | Amplesurveyor.com, Hive360.com | United Kingdom, Hong Kong | Professional Services, Construction & Engineering | |
| 6 | INC Ransom | 2 | samberger24.de, tecnocurva.com.br | Brazil, Germany | Healthcare, Automotive | |
| 7 | Booba | 1 | Ura group | Finland | Transportation & Logistics | |
| 8 | Bravox | 1 | Pb fiduciaire sa | Switzerland | Financial Services | |
| 9 | CMD | 1 | Mount Royal University | Canada | Education | |
| 10 | Interlock | 1 | Ymca of western north carolina | United States | Nonprofit | |
| 11 | Krybit | 1 | Seprec.gob.bo | Bolivia | Government / Public Sector | |
| 12 | Medusa Locker | 1 | Forces demo | Canada | Government / Public Sector |
Recent ransomware disclosures indicate that SafePay ransomware is the most active group, accounting for 9 victims, including critical infrastructure like Hahn-airport.de and social services organization Caritas-koblenz.de. Akira ransomware follows with 4 victims, primarily in Professional Services and Technology. The United States and Germany remain primary targets, though activity extends across Canada, the United Kingdom, and parts of South America and Europe. High-value targets include Mount Royal University (CMD), the YMCA of Western North Carolina (Interlock), and government entities in Bolivia (Krybit) as well as Canada (Medusa Locker).
Victim Distribution
By Country
- United States: 10
- Germany: 8
- Canada: 3
- United Kingdom: 2
- Hong Kong: 1
- Switzerland: 1
- Italy: 1
- Bolivia: 1
- Finland: 1
- Brazil: 1
By Industry
- Education: 2
- Property and Construction Consultancy: 1
- Nonprofit Organization Management: 1
- Law Practice: 1
- Information Technology Services: 1
- Information Technology and Services: 1
- Higher Education: 1
- Health & Beauty: 1
- Energy and Industrial Services: 1
- Digital Marketing and Web Development: 1
Victim distribution shows a continued concentration in North America and Western Europe, particularly the United States and Germany. The diverse range of affected industries suggests a broad, opportunistic targeting strategy rather than a focus on a single sector.
Ransomware News
Topline - The ransomware environment is changing with AI-driven attack methods, persistent activities from established collectives, and proactive counter-operations by state agencies.
Campaigns & Operations - The ShinyHunters group claimed responsibility for the Canvas LMS data breach, affecting approximately 15,000 institutions and exposing up to 275 million records, resulting in a reported ransom payment by Instructure. Concurrently, Canada's Communications Security Establishment (CSE) conducted offensive cyber operations against three foreign threat actors, including a ransomware gang, successfully disrupting infrastructure and wiping stolen data. Meanwhile, analysis redefines Scattered Spider as a decentralized cybercrime group employing shared TTPs across independent subclusters.
Vulnerabilities & TTPs - The JadePuffer incident shows a ransomware workflow exploiting CVE-2025-3248 in an internet-facing Langflow instance, utilizing natural-language reasoning for self-correction during its attack sequence. Scattered Spider subclusters employ tradecraft, including Okta-phishing, identity provider impersonation, social engineering tactics, SIM swapping, and the use of commercial Remote Access Trojans (RATs).
Analyst Note - These developments show a growing complexity in ransomware operations, ranging from autonomous AI-guided attacks and human-operated collectives to state-level disruptions.
Technical Takeaways
- SafePay continues to drive a volume of ransomware activity, impacting diverse sectors and geographies.
- Emerging ransomware attacks, such as JadePuffer, demonstrate AI-driven workflows and use vulnerabilities like CVE-2025-3248 in AI-adjacent platforms.
- Threat actor groups like Scattered Spider operate as decentralized collectives, sharing TTPs such as Okta-phishing, social engineering, and SIM swapping.
- Critical infrastructure, government entities, and educational institutions remain consistent targets for various ransomware groups.
- Government agencies are increasingly engaging in offensive cyber operations to disrupt ransomware infrastructure and mitigate threats.