SafePay and DevMan * New fancy players, in 2025 With the requesting of money threats Germany is experiencing an upward trend in the amount of ransomware attacks. This wave has put a severe strain on businesses and critical infrastructure alike, sparking an urgent call for strengthened cybersecurity capabilities across the country.
SafePay, a relatively new ransomware gang that emerged in late 2024, has quickly established itself as one of the darlings of the realm of ransomware. SafePay accounted for 58 victims worldwide in May 2025, and particularly favored the US and Germany.
The gang, which uses a double-extortion model of taking and exfiltrating sensitive data before encrypting files and threatening public release if ransoms are not handed over, operates under the Cl0p affiliate and aggressive extortion framework. Access is usually achieved by exploiting compromised VPN or RDP connections, often using stolen credentials or password spraying tactics. SafePay has routinely harassed German healthcare and education entities.
Part of the cyber attacks upsurge rise is ELX, affiliate group of multiple Ransomware-as-a-Service (RaaS) gangs, who has just broaden their reach. May saw DevMan in action with 13 victims and an updated version of malware more frequently using it’s newly found Group Policy Objects (GPO) for the purpose of faster lateral movement across the networks.
The organization has been loud and proud about what it’s taken, even going so far as to claim it appropriated 170 GB of exfiltrated data in one recent instance, that it will sell to the highest bidder. While DevMan’s many multi-RaaS affiliations, such as those between Qilin, Apos, DragonForce and now Apos/RansomHub, highlight the fluid and interconnected nature of the cybercrime economy.
It’s a huge problem. In early 2025, reports described a spate of ransomware activities in excess of what had been seen in recent history, “as of early 2025,” there was a 126% increase of “public extortion instances over the previous year.”
It compares results of the cities of various countries and suggests that for reasons of vulnerability as a major European economy Germany is the second most targeted country after the US. Manufacturers, IT & healthcare are among some of the worst affected, with a heavy impact on operations and financial loss.
In order to counter this growing menace, the German government and several cyber security authorities, including the Federal Office for Information Security (BSI), are advocating a “defensive doctrine”.
These initiatives range from adoption of AI-based threat detection and n deployment of Zero-Trust Architecture to improved employee cybersecurity education. Additionally, the new EU Cyber Resilience Act looks to create closer real-time threat intelligence relationships among critical infrastructure operators.
The complex and fast-changing nature of ransomware today, now frequently driven by AI, however, remains a formidable challenge that demands constant vigilance and adjustment.
