The Ransomware Renaissance: June's Cyber Threat Intelligence Roundup
A deep dive into the evolving threat landscape that's reshaping cybersecurity defenses this month
The first week of June 2025 has delivered a sobering reminder that the cybersecurity arms race shows no signs of slowing down. From sophisticated ransomware operations to emerging threat actors, cybercriminals are deploying increasingly advanced tactics while security researchers race to stay ahead. This week's threat intelligence reports reveal not just individual attacks, but broader patterns that signal where the digital battlefield is heading next.
The SafePay Surge: A New Ransomware Powerhouse Emerges
The cybersecurity community is closely monitoring SafePay, a relatively new ransomware group that has rapidly expanded its victim count in recent weeks. Unlike many competitors in the ransomware ecosystem, SafePay claims not to offer Ransomware-as-a-Service (RaaS) capabilities to affiliates[2].
What makes SafePay particularly concerning is its technical approach and rapid rise to prominence. After emerging in fall 2024, SafePay claimed 70 victims in May 2025 alone, more than doubling their previous monthly record and surpassing established groups like Qilin to take the top spot among ransomware groups[1][5]. Since their emergence, SafePay has claimed more than 200 victims in total[1].
The group's technical profile shows sophistication, with their ransomware featuring code elements found in LockBit 3.0, though there are no other known links between the groups beyond this code reuse[1]. A notable characteristic is SafePay's Cyrillic kill switch functionality—if it identifies a Cyrillic language keyboard, it will not execute the ransomware, suggesting potential Russian affiliation[1].
SafePay has shown a preference for targets in the U.S. and Germany, with attacks on German organizations particularly above average[2]. Across industries, Healthcare and Education have been targeted at above-average rates, while Government, Finance, and IT have seen fewer attacks[2].
DevMan: An Emerging Threat to Watch
Security researchers have identified DevMan as another emerging ransomware threat worth monitoring. This threat actor claimed 13 victims in May, placing it just behind the leading ransomware groups[2].
DevMan has been operating as an affiliate of several RaaS groups but has recently been observed expanding beyond affiliate activity[2]. In a recent attack on media organizations in Thailand, the group encrypted systems and NAS devices using their own customized encryptor, applying the ".devman1" file extension[2]. DevMan claims to have upgraded their malware for faster lateral movement, implemented via Group Policy Object (GPO)[2].
The Shifting Ransomware Landscape
The ransomware ecosystem continues to evolve rapidly. After RansomHub—previously the top ransomware group for over a year—went offline in late March (possibly due to an attack by rival DragonForce), new leaders have continued to emerge[5].
Overall, ransomware groups claimed 384 victims in May, marking the third straight monthly decline in claimed victims[5]. However, this doesn't necessarily indicate a reduction in threat, as Check Point's Q1 2025 Global Cyber Attack Report shows a 126% increase in ransomware attacks compared to the previous year[3].
SafePay's technical operations involve PowerShell scripts for reconnaissance and post-exploitation tasks, along with Living Off the Land tactics to inhibit system recovery and disable Windows Defender[1]. Data exfiltration has repeatedly been associated with WinRAR and command-line tools or, in some cases, FTP[1].
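The behaviours described above (Defender tampering, recovery inhibition, archive staging, FTP transfer) are individually common on busy networks, so a useful detection correlates them per host rather than alerting on each one. The following is an added example, not code from the cited reports; the command-line patterns are generic, widely documented forms of each behaviour and are assumptions, as are the host names and the one-hour window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Generic, widely documented command lines for each behaviour class; these
# patterns are assumptions for illustration, not published SafePay indicators.
RULES = {
    "recovery_inhibit": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog"
        r"|bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
    "defender_tamper": re.compile(
        r"Set-MpPreference\s.*-Disable\w+\s+(\$true|1)", re.I),
    "archive_staging": re.compile(r'\b(winrar|rar)(\.exe)?"?\s+a\s', re.I),
    "ftp_transfer": re.compile(r"\bftp(\.exe)?\s+-s:", re.I),
}
WINDOW = timedelta(hours=1)

def classify(cmdline):
    """Return the set of behaviour classes one command line matches."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def correlate(events, min_classes=2):
    """events: iterable of (iso_timestamp, host, cmdline) process-creation rows.
    Returns {host: sorted classes} for hosts that show at least min_classes
    distinct behaviour classes inside one WINDOW."""
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        for cls in classify(cmd):
            per_host[host].append((datetime.fromisoformat(ts), cls))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {c for t, c in hits[i:] if t - start <= WINDOW}
            if len(seen) >= min_classes and len(seen) > len(alerts.get(host, [])):
                alerts[host] = sorted(seen)
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE = [
    ("2025-06-02T01:10:00", "FS01",
     'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ("2025-06-02T01:25:00", "FS01",
     r'"C:\Program Files\WinRAR\Rar.exe" a -r D:\stage\out.rar D:\shares'),
    ("2025-06-02T01:40:00", "FS01", "vssadmin.exe delete shadows /all /quiet"),
    ("2025-06-02T09:00:00", "WS07",
     r'"C:\Program Files\WinRAR\WinRAR.exe" a report.rar report.docx'),
    ("2025-06-02T14:00:00", "WS07", "vssadmin.exe list shadows"),
]
```

On the constructed sample, FS01 is flagged for three behaviour classes within the hour, while WS07 (a routine archive and a read-only shadow-copy listing) is not.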
For initial access, SafePay has been observed exploiting VPN and RDP connections, often using stolen credentials or password spraying attacks[2]. The group employs double-extortion techniques, exfiltrating data before encrypting it and threatening to leak stolen information unless the ransom is paid[2].
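Password spraying against VPN or RDP gateways looks different from brute force: one source fails against many accounts with only a few tries each. The following added example (not from the cited reports) detects that pattern in authentication events and lists accounts that then logged in successfully from the same source; the event tuple layout, thresholds, user names and documentation-range IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def detect_spray(events, window=timedelta(minutes=30),
                 min_users=5, max_per_user=3):
    """events: iterable of (iso_timestamp, source_ip, username, success).
    Flags a source that fails against >= min_users distinct accounts inside
    `window` with <= max_per_user tries per account (many accounts, few tries,
    unlike brute force on one account). Also reports accounts that logged in
    successfully from that source after the spray window began."""
    fails = defaultdict(list)
    wins = defaultdict(list)
    for ts, ip, user, ok in events:
        (wins if ok else fails)[ip].append((datetime.fromisoformat(ts), user.lower()))
    findings = []
    for ip, rows in fails.items():
        rows.sort()
        lo = 0
        for hi in range(len(rows)):
            # Slide the left edge so rows[lo..hi] always fits inside `window`.
            while rows[hi][0] - rows[lo][0] > window:
                lo += 1
            counts = defaultdict(int)
            for _, user in rows[lo:hi + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                start = rows[lo][0]
                hit = sorted({u for t, u in wins[ip] if t >= start})
                findings.append({"source": ip,
                                 "targets": len({u for _, u in rows}),
                                 "compromised": hit})
                break
    return findings

# Constructed VPN authentication events (documentation-range IPs, made-up users).
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE = [(f"2025-06-02T03:{i:02d}:00", "203.0.113.50", u, False)
          for i, u in enumerate(USERS)]
SAMPLE += [("2025-06-02T03:20:00", "203.0.113.50", "carol", True)]
# One source hammering a single account: brute force or a forgotten password.
SAMPLE += [(f"2025-06-02T08:{i:02d}:00", "198.51.100.7", "alice", False)
           for i in range(6)]
```

The `compromised` list is the part to act on first: a success following a spray from the same source is the signal to reset that credential and review the session.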
Conclusion: Vigilance in an Evolving Landscape
The first half of June 2025 serves as a reminder that cybersecurity is never static. Organizations must remain vigilant not just against known threats but also emerging actors and techniques. The ransomware ecosystem in particular continues to demonstrate remarkable resilience and adaptability.
As we move deeper into June, security teams should prioritize monitoring for indicators of compromise associated with SafePay and other active ransomware groups, implement robust backup strategies, and ensure that remote access tools are properly secured and monitored.
The cyber threat landscape may be constantly changing, but one thing remains constant: the need for proactive security measures and continuous threat intelligence monitoring to stay ahead of evolving threats.
REFERENCES
[1] Bitdefender. (2025, June 10). Bitdefender Threat Debrief | June 2025. https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-threat-debrief-june-2025
[2] Cyble. (2025, June). Top Ransomware Groups of May 2025 SafePay and DevMan Rise. https://cyble.com/blog/top-ransomware-groups-may-2025-safepay-devman-rise/
[3] Check Point. (2025). SafePay Ransomware: An Emerging Threat in 2025. https://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/safepay-ransomware/
[4] Check Point. (2025, June 9). May 2025 Malware Spotlight: SafePay Surges to the Forefront of Cyber Threats. https://blog.checkpoint.com/research/may-2025-malware-spotlight-safepay-surges-to-the-forefront-of-cyber-threats/
[5] The Cyber Express. (2025, June 3). SafePay, DevMan Emerge as Major Ransomware Threats. https://thecyberexpress.com/safepay-devman-emerging-ransomware-threats/