Full Report
SafePay’s journey to the top of the ransomware leaderboard was a quick one. The SafePay ransomware group first emerged in the fall of 2024, and last month took the top spot among ransomware groups in the number of victims claimed on their data leak site, according to a Cyble blog post published today.

Cyble reported that ransomware groups claimed 384 victims in May, a number that may rise somewhat as all data is processed. That’s the third straight monthly decline in claimed victims, as new leaders continue to emerge after RansomHub – the top ransomware group for more than a year – went offline in late March in a possible attack by rival DragonForce.

Cyble also looked at DevMan, another emerging ransomware threat, and at other ransomware developments that occurred in May.

Top Ransomware Groups and Threats

SafePay claimed 58 victims in May to take over the top spot from April leader Qilin, which came in second with 54 victims. Play, Akira and NightSpire rounded out the top five ransomware groups. The U.S. was once again the most targeted country, with 181 victims (charts below from Cyble).

[Chart: Top ransomware groups, May 2025]

[Chart: Ransomware attacks by country, May 2025]

Professional Services and Construction were the sectors most attacked by all ransomware groups, totaling 101 attacks, followed by Manufacturing, Government, Healthcare, Finance, IT, Transportation, Consumer Goods and Education, Cyble said.

SafePay has claimed 198 victims to date. The group’s previous monthly high was 43 victims in March, but May was the first month in which SafePay led all ransomware groups. Cyble said SafePay typically obtains initial access to victim environments through VPN and RDP connections, often using stolen credentials or password spraying attacks.
The group uses double-extortion techniques – encrypting data and threatening to publicly release it – and claims not to offer Ransomware-as-a-Service (RaaS), unlike other ransomware groups that rely on affiliates to spread their malware. Major targets for SafePay include the U.S. and Germany, as well as the Professional Services, Construction, Healthcare, Education and Manufacturing sectors.

DevMan, meanwhile, mainly operates as an affiliate of several RaaS groups, but was recently observed deploying its own ransomware, which the group claims is capable of faster lateral movement and is implemented via Group Policy Object (GPO). DevMan claimed 13 victims in May, placing it just outside the top five ransomware groups “and making it one to watch,” Cyble said. As an affiliate, DevMan has worked with Qilin, Apos, DragonForce RaaS and RansomHub.

In another significant ransomware development in May, the leak of the VanHelsing Ransomware-as-a-Service (RaaS) source code raises “concerns of potential copycat operations, as observed following the leaks of LockBit and Babuk,” Cyble said. “The widespread availability of VanHelsing’s source code may accelerate the emergence of new ransomware variants in the coming weeks.”

Cyble also detailed three new ransomware groups, as well as 17 ransomware attacks claimed by ransomware groups, many of which could have a significant impact on the software supply chain, critical infrastructure and even military targets.
Protecting Against Ransomware

Cyble said the rise of new ransomware groups to take the place of former leaders “underscores the ever-present threat of ransomware and highlights the enduring importance of cybersecurity best practices for protecting against a wide range of cyber threats.” Those cybersecurity best practices include:

- a risk-based vulnerability management program;
- protecting exposed assets;
- segmenting networks and critical assets;
- creating ransomware-resistant backups;
- applying Zero Trust principles;
- practicing proper configuration and secrets protection;
- hardening endpoints and infrastructure;
- monitoring networks, endpoints and cloud environments.
Analysis Summary
# Tool/Technique: SafePay Ransomware
## Overview
SafePay is identified as one of the major emerging ransomware threats in the current threat landscape.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Not explicitly specified, but ransomware typically targets Windows environments.
- Capabilities: Encrypts victims' data and threatens to publish it (double extortion); obtains initial access through VPN and RDP connections using stolen credentials or password spraying; claims not to operate a RaaS/affiliate model.
- First Seen: Emerged in the fall of 2024; led all ransomware groups by claimed victims in May 2025.
## MITRE ATT&CK Mapping
*Note: Specific TTPs not detailed in the context, mapping is inferred based on the nature of ransomware.*
- TA0009 - Collection
- T1005 - Data from Local System
- TA0040 - Impact
- T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- Deployment as a ransomware threat against victim environments.
- Double extortion: data encryption combined with the threat of publicly releasing stolen data.
### Advanced Features
- Not detailed in the provided context.
## Indicators of Compromise
- File Hashes: [None provided]
- File Names: [None provided]
- Registry Keys: [None provided]
- Network Indicators: [None provided]
- Behavioral Indicators: [None provided]
## Associated Threat Actors
- Threat actors operating the SafePay ransomware campaign.
## Detection Methods
- [No specific detection methods provided in the context.]
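The report attributes SafePay's initial access to VPN and RDP logins using stolen credentials or password spraying. The following is an added detection example (not Cyble's or the report's code) over constructed authentication events; the ten-minute window and five-account threshold are assumed tuning values.

```python
"""Flag password spraying against VPN/RDP logins.

Added example, not from the Cyble report: the report says SafePay gains initial
access over VPN and RDP using stolen credentials or password spraying. A spray
tries few passwords against MANY accounts, staying under per-account lockout
thresholds, so this counts distinct usernames that failed per source address
within a sliding window rather than failures per account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, service, source_ip, username, outcome)
SAMPLE_EVENTS = [
    ("2025-05-12T02:00:01Z", "vpn", "203.0.113.7", "a.smith", "FAIL"),
    ("2025-05-12T02:00:04Z", "vpn", "203.0.113.7", "b.jones", "FAIL"),
    ("2025-05-12T02:00:07Z", "vpn", "203.0.113.7", "c.lee", "FAIL"),
    ("2025-05-12T02:00:10Z", "vpn", "203.0.113.7", "d.wong", "FAIL"),
    ("2025-05-12T02:00:13Z", "vpn", "203.0.113.7", "e.khan", "FAIL"),
    ("2025-05-12T02:00:16Z", "vpn", "203.0.113.7", "f.ortiz", "SUCCESS"),
    # Repeated failures on ONE account: brute force, not spraying; not flagged here.
    ("2025-05-12T02:05:00Z", "rdp", "198.51.100.9", "svc_backup", "FAIL"),
    ("2025-05-12T02:05:30Z", "rdp", "198.51.100.9", "svc_backup", "FAIL"),
    ("2025-05-12T02:06:00Z", "rdp", "198.51.100.9", "svc_backup", "SUCCESS"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: {"accounts": n, "success_after_spray": [users]}} for
    sources whose failures hit >= min_accounts distinct usernames inside
    `window`. A later success from a flagged source is the highest-priority
    signal: the spray likely found a valid password."""
    events = sorted(events, key=lambda e: parse_ts(e[0]))
    recent = defaultdict(list)  # src -> [(time, user)] failures still in window
    alerts = {}
    for ts, _svc, src, user, outcome in events:
        t = parse_ts(ts)
        if outcome == "FAIL":
            recent[src] = [(ft, fu) for ft, fu in recent[src] if t - ft <= window]
            recent[src].append((t, user))
            distinct = {fu for _, fu in recent[src]}
            if len(distinct) >= min_accounts:
                entry = alerts.setdefault(src, {"accounts": 0, "success_after_spray": []})
                entry["accounts"] = max(entry["accounts"], len(distinct))
        elif outcome == "SUCCESS" and src in alerts:
            alerts[src]["success_after_spray"].append(user)
    return alerts
```

Running `detect_spray(SAMPLE_EVENTS)` flags only the VPN source, with the later successful login recorded for priority triage; the single-account RDP failures fall to a separate brute-force rule.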
## Mitigation Strategies
- Implementing a risk-based vulnerability management program.
- Segmenting networks and critical assets.
- Creating ransomware-resistant backups.
- Applying Zero Trust principles.
- Hardening endpoints and infrastructure.
- Monitoring networks, endpoints, and cloud environments.
## Related Tools/Techniques
- DevMan Ransomware (mentioned alongside SafePay as a major emerging threat)
- VanHelsing Ransomware (Source code leak raises concerns of copycats)
- LockBit (Previous ransomware with leaked source code comparison)
- Babuk (Previous ransomware with leaked source code comparison)
***
# Tool/Technique: DevMan Ransomware
## Overview
DevMan is highlighted as a major emerging ransomware threat, showing significant activity (13 victims in May) and noted for deploying its own ransomware via Group Policy Object (GPO), which the group claims enables faster lateral movement.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Implied Windows environment due to GPO usage.
- Capabilities: Encryption, data exfiltration (typical of modern RaaS operations), and faster lateral movement via GPO deployment (as claimed by the group).
- First Seen: Gained prominence leading up to June 2025.
## MITRE ATT&CK Mapping
- TA0008 - Lateral Movement
- T1021 - Remote Services (Inferred, as GPO is used to push changes)
- TA0009 - Collection
- T1005 - Data from Local System
- TA0040 - Impact
- T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- Data encryption leveraged for extortion.
- Operates both as an affiliate of other RaaS groups and with its own ransomware; claimed 13 victims in May.
### Advanced Features
- **Lateral Movement via GPO:** The ransomware is implemented via Group Policy Object (GPO), which the group claims enables faster lateral movement across the compromised network.
## Indicators of Compromise
- File Hashes: [None provided]
- File Names: [None provided]
- Registry Keys: [None provided]
- Network Indicators: [None provided]
- Behavioral Indicators: Usage of GPO for network propagation/configuration changes.
## Associated Threat Actors
- DevMan ransomware operators/affiliates.
- Affiliations noted with: Qilin, Apos, DragonForce RaaS, and RansomHub.
## Detection Methods
- [No specific detection methods provided in the context.]
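Because the report describes DevMan's ransomware as deployed via GPO, the corresponding defensive control is auditing GPO edits on domain controllers. The following Python is an added example (not the report's or Cyble's) that scores constructed Windows Security 5136/5137 directory-service audit records against a hypothetical allowlist of approved GPO editors.

```python
"""Flag Group Policy Object (GPO) edits by unexpected principals.

Added example, not from the Cyble report: the report says DevMan's own ransomware
is pushed via GPO, so the defensive control is auditing GPO edits on domain
controllers. Windows Security events 5136 (directory object modified) and 5137
(object created) carry the fields used below. The event records are constructed,
and GPO_ADMINS is a hypothetical change-control allowlist.
"""
GPO_ADMINS = {"gpo-svc", "jdoe-adm"}
# Attributes whose change alters what the GPO does, not just its metadata.
HIGH_RISK_ATTRS = {"gPCMachineExtensionNames", "gPCUserExtensionNames", "gPCFileSysPath"}
POLICIES = "CN=Policies,CN=System,DC=corp,DC=example"  # constructed domain

SAMPLE_EVENTS = [  # constructed DC audit records
    {"EventID": 5136, "SubjectUserName": "jdoe-adm", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9}," + POLICIES,
     "AttributeLDAPDisplayName": "versionNumber"},
    {"EventID": 5137, "SubjectUserName": "helpdesk7", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={A1B2C3D4-0000-4000-8000-000000000001}," + POLICIES,
     "AttributeLDAPDisplayName": ""},
    {"EventID": 5136, "SubjectUserName": "helpdesk7", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={A1B2C3D4-0000-4000-8000-000000000001}," + POLICIES,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"EventID": 5136, "SubjectUserName": "helpdesk7", "ObjectClass": "user",
     "ObjectDN": "CN=Bob,CN=Users,DC=corp,DC=example", "AttributeLDAPDisplayName": "telephoneNumber"},
]

def score_gpo_events(events, admins=GPO_ADMINS):
    """Return (severity, actor, object_dn, reason) tuples for GPO changes.

    Non-GPO objects are skipped. Edits by approved admins are kept as 'info'
    (or 'medium' for high-risk attributes) so the audit trail survives;
    anything by a principal outside the allowlist is 'high'."""
    findings = []
    for e in events:
        if e.get("ObjectClass") != "groupPolicyContainer":
            continue
        actor, dn = e["SubjectUserName"], e["ObjectDN"]
        attr = e.get("AttributeLDAPDisplayName", "")
        approved = actor in admins
        if e["EventID"] == 5137:
            findings.append(("medium" if approved else "high", actor, dn, "new GPO created"))
        elif attr in HIGH_RISK_ATTRS:
            findings.append(("medium" if approved else "high", actor, dn, f"{attr} changed"))
        elif approved:
            findings.append(("info", actor, dn, f"{attr} edited by approved principal"))
        else:
            findings.append(("high", actor, dn, f"{attr} edited by non-approved principal"))
    return findings
```

On the sample records the approved `versionNumber` bump is logged as info, while the new GPO created by a non-approved account and its follow-up extension change are both rated high.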
## Mitigation Strategies
- Implementing robust network segmentation to limit the impact of GPO-based lateral movement.
- Risk-based vulnerability management.
- Hardening endpoints and infrastructure.
- Applying Zero Trust principles so that configuration changes are verified even when they arrive through trusted channels such as Group Policy processing.
## Related Tools/Techniques
- SafePay Ransomware (mentioned alongside DevMan)
- Qilin, Apos, DragonForce RaaS, RansomHub (Affiliated groups)
***
# Technique/Event: Leak of VanHelsing RaaS Source Code
## Overview
The source code for the VanHelsing Ransomware-as-a-Service (RaaS) platform has been leaked, raising concerns among security researchers about an imminent surge in new ransomware variants.
## Technical Details
- Type: Event/Activity (Source Code Leak)
- Platform: Not applicable (Relates to source code distribution)
- Capabilities: Provides the means for threat actors to create "copycat operations" similar to previous incidents involving LockBit and Babuk leaks.
- First Seen: Leak reported in May 2025, per the Cyble report.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access (New variants resulting from leaks could use similar initial access vectors)
- TA0004 - Privilege Escalation
## Functionality
### Core Capabilities
- Accelerating the emergence of new ransomware variants due to the public availability of functional code.
### Advanced Features
- Potential for rapid modification and re-branding by various smaller threat groups.
## Indicators of Compromise
- [No specific indicators provided; IoCs will depend on the variants derived from the leaked code.]
## Associated Threat Actors
- Threat actors expected to reuse the leaked VanHelsing source code for new campaigns.
- Groups previously associated with LockBit and Babuk leak fallout.
## Detection Methods
- Monitoring for new, unidentified ransomware strains that share operational or structural similarities with VanHelsing.
## Mitigation Strategies
- Proactive threat hunting for newly emerging ransomware families.
- Staying updated on ransomware source code leaks.
- Enhancing behavioral monitoring to catch potential copycat functionalities.
## Related Tools/Techniques
- LockBit (Referenced due to its source code leak precedent)
- Babuk (Referenced due to its source code leak precedent)