
Global Malware Risks Identified in May 2025 Cybersecurity Report by Check Point

Global cybersecurity provider Check Point Software Technologies reveals its Global Threat Index for May 2025, detailing various digital threats detected in the month.


In the ever-evolving landscape of cybersecurity, a new threat has emerged as a significant concern for organizations worldwide - the SafePay ransomware group. According to Lotem Finkelstein, Director of Threat Intelligence at Check Point Software, the group has become the most prevalent actor on the top ransomware group list in May 2025.

The group's operational model is distinct: it operates insularly and handles all phases of an attack internally, from initial compromise to data exfiltration and ransom negotiation. This requires defenders to prepare for sophisticated, end-to-end threat techniques.

One of SafePay's tactics involves heavy social engineering, combining spam campaigns with calls impersonating internal IT, for example over Microsoft Teams, to request remote access and deploy PowerShell scripts that enable prolonged network presence. Employee awareness and training about these tactics are critical.

The group also employs common legitimate tools like FileZilla to exfiltrate data, complicating detection efforts. Monitoring unusual use of file transfer tools and outbound data flows is essential.
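
The monitoring described above, as an added example that is not part of the original article or Check Point's report: it flags FileZilla connections to external destinations that are not on an allow-list and totals the bytes sent per host and destination. The event tuples, host names, allow-list entry and 1 GB threshold are constructed assumptions standing in for whatever process and network telemetry an environment collects.

```python
import ipaddress
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any OS

# Constructed sample records: (host, process image, destination IP, bytes sent).
SAMPLE_EVENTS = [
    ("FIN-WS-014", r"C:\Program Files\FileZilla FTP Client\filezilla.exe", "203.0.113.45", 1_800_000_000),
    ("FIN-WS-014", r"C:\Program Files\FileZilla FTP Client\filezilla.exe", "203.0.113.45", 2_400_000_000),
    ("WEB-ADMIN-02", r"C:\Program Files\FileZilla FTP Client\filezilla.exe", "10.20.0.8", 900_000_000),
    ("WEB-ADMIN-02", r"C:\Program Files\FileZilla FTP Client\filezilla.exe", "198.51.100.7", 40_000_000),
    ("HR-WS-003", r"C:\Users\j.doe\Downloads\FileZilla.exe", "198.51.100.99", 5_000_000),
    ("HR-WS-003", r"C:\Windows\System32\svchost.exe", "198.51.100.99", 9_000_000_000),
]

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TRANSFER_TOOLS = {"filezilla.exe"}              # tool named in the article; extend per environment
APPROVED = {("WEB-ADMIN-02", "198.51.100.7")}   # hypothetical allow-list of (host, destination)
VOLUME_THRESHOLD = 1_000_000_000                # assumed threshold: 1 GB per host/destination

def is_external(ip):
    """True when the address is outside the internal ranges listed above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_suspect_transfers(events):
    """Return {(host, dest): {"bytes": n, "reasons": set}} for unapproved outbound transfers."""
    findings = defaultdict(lambda: {"bytes": 0, "reasons": set()})
    for host, image, dest, sent in events:
        if basename(image).lower() not in TRANSFER_TOOLS:
            continue  # not a file transfer client
        if not is_external(dest) or (host, dest) in APPROVED:
            continue  # internal or explicitly approved transfer
        entry = findings[(host, dest)]
        entry["bytes"] += sent
        entry["reasons"].add("unapproved external destination")
        if "\\users\\" in image.lower():
            entry["reasons"].add("tool runs from a user-writable path")
    for entry in findings.values():
        if entry["bytes"] >= VOLUME_THRESHOLD:
            entry["reasons"].add("volume over threshold")
    return dict(findings)

if __name__ == "__main__":
    for (host, dest), f in sorted(find_suspect_transfers(SAMPLE_EVENTS).items()):
        print(f"{host} -> {dest}: {f['bytes']:,} bytes; {', '.join(sorted(f['reasons']))}")
```

Internal ranges are listed explicitly because Python's `is_private` also treats the documentation address blocks used in the sample data as private.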

SafePay uses a double extortion model, encrypting victims' files and exfiltrating sensitive data. Incident response plans should include secure data backups, legal counsel readiness for negotiation, and rapid forensic capabilities.

Organizations should employ robust endpoint detection and response (EDR), network segmentation, and strict access controls to limit attacker lateral movement. Given SafePay's ability to maintain long-term network presence (sometimes weeks), these measures are crucial.

Sector-specific targeting is another concern. SafePay aggressively targets private sectors like financial, legal, insurance, healthcare, critical services, and increasingly public sector entities. These organizations should prioritize sector-specific threat intelligence and compliance-driven cybersecurity frameworks.

The education sector continues to be the most targeted industry in May 2025.

In light of these threats, Finkelstein emphasizes the importance of real-time threat intelligence and robust defenses to stay ahead of evolving attacks. Organizations must adopt proactive, multi-layered security measures, focusing on employee training against social engineering, advanced detection of legitimate tool misuse, rigorous network monitoring, strong access controls, and preparedness for double extortion scenarios.

This comprehensive, proactive defense aligns with insights from Check Point Software Technologies’ Global Threat Index and related expert analyses throughout 2025. As the threat landscape continues to evolve, staying informed and vigilant is key to protecting against advanced ransomware threats like SafePay.

  1. Organizations should invest in software solutions that provide real-time threat intelligence to stay ahead of evolving attacks, such as those from the SafePay ransomware group.
  2. Given the increasing use of cloud-based infrastructure and AI technologies, cybersecurity events associated with these platforms should be a top priority for financial institutions and other vulnerable sectors.
  3. The operational model of the SafePay ransomware group involves using legitimate tools like FileZilla for data exfiltration, making it crucial to monitor unusual use of these tools and outbound data flows.
  4. Mitigation strategies need to be multidimensional, encompassing employee training, advanced endpoint detection and response (EDR), network segmentation, strict access controls, and a robust incident response plan to handle double extortion scenarios.
  5. In the ever-changing landscape of cybersecurity, an effective cybersecurity infrastructure should focus on proactive defense against sophisticated, end-to-end threat techniques like those employed by the SafePay ransomware group.
