TL;DR for defenders. SafePay gets in through two doors above all: an exposed edge device (VPN, firewall, RDP gateway) with a known unpatched flaw, or a valid login reused over remote access - often using credentials harvested by infostealer malware from a staff or contractor machine. Once inside it lives off the land - PsExec and WinRM to move, native tooling to disable defences and delete the shadow copies and backups - then exfiltrates with rclone, WinRAR, 7-Zip and FileZilla before it encrypts. Four Essential Eight controls do most of the work against this: MFA on every external login, prompt patching of internet-facing services, application control plus EDR to catch the tooling, and tested, offline backups so encryption is a bad day rather than a closed agency. None of it is expensive. All of it is in the guide.
Why this one matters in Australia right now
SafePay is not a hypothetical and it is not someone else's problem in another hemisphere. Vendor tracking through 2025 placed it among the fastest-rising ransomware operations in the world, and the country lists in those reports consistently name Australia alongside the United States, Germany, the UK and Canada. Leak-site monitoring this month shows the crew continuing to add Australian organisations, including in consumer-facing sectors like real estate. That is the trigger for this writeup - but the trigger is all the leak site gives us. What follows is built from vendor incident response, not from anyone's stolen data.
The pattern that matters for small and mid-sized businesses is the victimology. SafePay is not picky about industry; what its victims share is a posture, not a sector. They are organisations with a real internet footprint - a remote-access portal, a VPN appliance, an edge firewall - but without a 24/7 security team watching it. That is the gap a financially motivated crew is built to exploit, and it is precisely the gap the Essential Eight was written to close.
A note on sourcing and scope. Everything below is drawn from public reporting - vendor analyses from Check Point, Bitdefender, ThreatLocker, Acronis and Picus, among others, plus the ASD's Essential Eight guidance. We do not name, reference or reconstruct any individual Australian victim's breach, and we draw nothing from ransomware leak sites or infostealer marketplaces beyond the bare fact that a crew is active here. The trackers tell us SafePay is operating against Australian organisations; the defensive detail comes from responders who handled these intrusions. This is a defensive profile: it explains the playbook only to the depth a defender needs to break it.
Who SafePay is
SafePay surfaced in late 2024 and scaled fast, with vendor counts putting it past 200 claimed victims inside its first year. What makes it worth a defender's attention is not novelty - much of its tradecraft echoes the leaked LockBit and ALPHV toolsets - but its operating model. Unlike the dominant ransomware-as-a-service crews, SafePay runs as a centralized, closed group: it does not appear to recruit affiliates, and it keeps its own infrastructure, intrusions and negotiations in-house.
That centralization is, counter-intuitively, good news for defenders. An affiliate model like INC Ransom's produces a menu of techniques that vary intrusion to intrusion; a closed crew tends to reuse the same tooling and the same sequence, which makes its behaviour more predictable to detect. The bad news is consistency in the other direction - the group moves quickly, frequently from intrusion to encryption within a short window, so the margin for a slow response is thin.
Like every serious crew today, SafePay runs double extortion: it steals data first, then encrypts, then threatens to publish on a leak site if the ransom goes unpaid. The exfiltration is not an afterthought - for many victims it is the more damaging half, because backups solve encryption but do nothing about records already in someone else's hands. Hold that thought for the controls section: stopping the intrusion early matters more than being able to restore.
Why real-estate SMBs are a soft, target-rich vertical
Australian real estate is one of the largest small-business sectors in the country, and structurally it looks like exactly what these crews want. Four features stack up:
- A deep well of sensitive personal data. A single agency holds tenancy applications with passports, driver licences, payslips and bank statements; vendor and purchaser identity documents; and landlord financial details. That is a double-extortion goldmine - the leak threat has real teeth when the stolen files are other people's identity documents.
- Money that actually moves. Agencies run trust accounts and settle large sums. That makes them attractive not only to ransomware but to the invoice- and settlement-redirection fraud that often rides in on the same initial access. A foothold in a sales inbox is worth real money before any encryptor is dropped.
- Franchise sprawl with uneven security. Many brands are hundreds of independently owned and operated offices under one banner, each running its own IT and its own Microsoft 365 tenant. The brand is shared; the security maturity is not. One weak office is a foothold, and a trusted brand name is a convincing lure for phishing the others.
- Thin or outsourced IT. The typical agency has no in-house security team and often a part-time managed service provider. There is rarely anyone watching logs at 2am, which is precisely when the back half of a ransomware intrusion runs.
None of that means SafePay specifically hunts real estate - it means the sector's everyday posture matches the profile these crews convert most easily. A vertical full of data-rich, cash-handling, thinly-defended SMBs sitting under recognisable national brands is a soft target whether or not any one crew set out to find it.
The playbook, stage by stage
The sequence below is the common shape across publicly documented SafePay intrusions. For each stage, the control that breaks it is named inline and linked into the relevant part of the guide.
1. Initial access - an unpatched edge device, or a reused login
SafePay favours two entry routes. The first is exploiting a known vulnerability in an internet-facing device - VPN gateways, firewalls and Remote Desktop Gateway servers are the recurring theme in incident reports. The second, and increasingly the default across the whole ransomware ecosystem, is simply logging in: reusing valid credentials against an exposed service like RDP or a VPN portal.
Where those valid credentials come from deserves its own sentence, because it is the route most relevant to a real-estate SMB. Infostealer malware - picked up from a cracked app, a malicious download or a personal device that also logs into work - quietly harvests every saved browser credential and session and ships them to a marketplace. A property manager's saved login to the agency portal, or a contractor's reused password, becomes a clean front-door key sold in bulk. No exploit, no malware on the corporate network at the point of entry, just a correct username and password.
Two Essential Eight controls dominate this stage. Multi-factor authentication on every external login turns a stolen or harvested password from a front-door key into a dead end - it is the single highest-leverage control against the "just log in" route, which is the one growing fastest and the one infostealer logs feed directly. Patching internet-facing applications promptly closes the edge-device route. If you fix only two things after reading this, fix these two.
2. Defence evasion - blind the host, kill the backups
Once inside, SafePay moves to disable what is watching and to destroy the victim's ability to recover.
Reporting describes it disrupting endpoint security services, stopping and deleting backup software, and
clearing the Volume Shadow Copies that Windows would otherwise use to roll back - the
classic vssadmin-style destruction that turns "restore from yesterday" into "there is no
yesterday." The theme is the modern ransomware standard: use what is already on the host, switch off the
alarm, and remove the safety net before the noise starts.
This is where application control earns its keep: if unapproved executables cannot run, the security-killer never launches. It is also where EDR and the right alerts matter - a security service being stopped, tamper-protection events, or shadow copies being deleted should be a high-signal alarm, not a line nobody reads. And it is the strongest possible argument for backups that live offline or otherwise out of reach of the account that gets compromised: a backup the intruder can reach is a backup the intruder deletes.
3. Discovery and lateral movement - living off the land
SafePay leans on tools already trusted on the network to spread: PsExec and WinRM for remote execution, RDP for hands-on movement, and legitimate remote-management (RMM) software it controls so its traffic blends in with normal IT support. In a franchised real-estate group, RMM and shared admin accounts are common across offices - exactly the kind of trust relationship that lets a foothold in one branch become a problem for several.
The defensive answer is layered. Tiering administrative access so a compromised workstation account cannot pivot to domain-wide or tenant-wide control limits how far this stage travels. Application control again blocks unsanctioned remote-access software from installing. And baseline visibility turns "a new RMM agent appeared on the trust-account PC at 2am" into something you actually see.
4. Exfiltration - commodity tools, cloud destinations
Before encrypting, SafePay stages and steals data with off-the-shelf utilities: rclone to sync to cloud storage, WinRAR and 7-Zip to compress, FileZilla for FTP transfer, and in some incidents the RDP clipboard to pull files across an open session. None of these are malware in the signature sense, which is the point - they are normal admin tools used for an abnormal purpose.
This stage is hard to stop with prevention alone, which is why it is a detection-and-response problem. Large outbound transfers to consumer cloud-storage domains, rclone or FileZilla running on a server that has no business running them, and an archive tool spawning across many hosts are all detectable patterns if you are collecting endpoint and network telemetry. Application control helps here too: if rclone is not on the approved list, it does not run.
5. Impact - encryption and the leak threat
The finale drops the encryptor and a ransom note, with the leak-site threat as leverage. By this point the data is already gone, so encryption is the part you can most directly survive - if you prepared. Regular backups that you have actually tested restoring, kept offline or otherwise beyond the reach of the account that gets compromised, are what turn a ransom demand into a restore job. Backups you have never test-restored are a guess, not a control - and as the evasion stage showed, an online backup the intruder can reach is one they will delete first.
The chain, mapped to the Essential Eight
Read top to bottom, the intrusion is a series of links, and the Essential Eight breaks most of them more than once. That redundancy is the strategy: you are not betting everything on one control catching one step.
| Stage | What SafePay does | Essential Eight control that breaks it |
|---|---|---|
| Initial access | Exploit an unpatched edge device, or reuse valid / infostealer-harvested credentials over RDP/VPN | MFA; patch applications; patch operating systems; user application hardening |
| Defence evasion | Disable security services, delete backups and Volume Shadow Copies | Application control; restrict admin privileges (+ EDR & tamper protection); offline backups |
| Discovery & lateral movement | PsExec, WinRM, RDP, attacker-controlled RMM | Restrict admin privileges; application control; MFA on internal admin |
| Exfiltration | rclone, WinRAR, 7-Zip, FileZilla, RDP clipboard to cloud | Application control (+ egress monitoring & detection) |
| Impact | Encrypt and threaten to leak stolen records | Regular, tested, offline backups |
Notice that application control and restrict administrative privileges each show up at multiple stages. Those two are the harder Essential Eight controls to roll out, but the table is the argument for why they are worth the effort: they are not single-purpose, they tax the whole middle of the intrusion. The full method - what to do first, and how to mature each control - is laid out across the four stages of the guide.
If you only do three things
For an Australian real-estate SMB that wants the most risk reduction per dollar against this crew, in order:
- MFA on every internet-facing login - email, the property-management portal, VPN, RDP gateway, remote-access tools. This kills the fastest-growing initial-access route outright, including the infostealer-credential one, and is the cheapest control on the list. Start at Stage 1, step 2 and harden it in Stage 2.
- Patch your internet-facing devices on a real clock. The edge appliance with a known CVE is how a crew walks in without a password at all. Inventory what you expose, then keep it current - Stage 1, steps 1 and 3.
- Test a backup restore this quarter, and get a copy offline. Not "do we have backups" - actually restore one and time it, and make sure at least one copy is beyond the reach of a compromised admin account. This is the control that decides whether encryption ends your week or your business - Stage 1, step 4.
Honest limitations
The Essential Eight is a strong baseline, not a force field. It does little to recover data already exfiltrated, so against a double-extortion crew the controls that prevent the intrusion matter more than the one that recovers from encryption - restoring cleanly still means your clients' identity documents may be published. An attacker who phishes an MFA-fatigued user into approving a push, or who walks in on harvested credentials and stays low and slow, can still get a foothold; that is why detection and a written incident-response plan sit alongside the preventive controls rather than after them. And because reporting on a fast-moving crew is always partial, treat the stages here as the common shape, not a guarantee of what any one intrusion will look like. The point of mapping to the Essential Eight is not that any single control is sufficient - it is that the layers overlap, so a step that slips past one is caught by the next.
If you want help working out which of these controls you actually have versus which you only think you have, that gap assessment is exactly what the vCISO engagement is for - but the guide is free and stands on its own, so start there.
References
- Check Point - SafePay Ransomware: An Emerging Threat in 2025
- Bitdefender - SafePay Ransomware: How a Non-RaaS Group Executes Rapid-Fire Attacks
- ThreatLocker - SafePay Ransomware Explained: IOCs, TTPs, and Defense Strategies
- Acronis TRU - SafePay Ransomware: The Fast-Rising Threat Targeting MSPs
- Picus Security - Inside SafePay: Analyzing the New Centralized Ransomware Group
- ASD's ACSC - Essential Eight
- MITRE ATT&CK - T1486: Data Encrypted for Impact
Scope note. This is a defensive writeup built entirely from public reporting. It profiles a threat actor only to the depth a defender needs to detect and break the intrusion, names no individual victim, and uses no data sourced from extortion or leak sites or infostealer marketplaces. It contains no malware, exploit code, or operational tradecraft. UMBRASEC publishes defense, not offense.