Safepay Ransomware Strikes via Fortigate Zero-Days

The cybersecurity landscape has been rocked this week by the news that Ingram Micro has fallen victim to a ransomware attack. At the center of the storm is Safepay, an aggressive and fast-rising ransomware group that’s making waves — and victims — across the globe.

What sets Safepay apart is their sheer speed and surgical precision. Victim organizations often see not just their data encrypted, but also their most sensitive information exposed publicly, a double-extortion tactic used to increase pressure and push for faster ransom payments.

The Initial Vector: Fortigate VPN Zero-Days

Safepay’s recent success appears to hinge on a set of critical vulnerabilities in Fortigate VPN appliances. These zero-days have proven difficult to patch and even harder to detect post-exploitation. Once a Fortigate device is compromised, attackers gain deep and privileged access to internal networks, bypassing perimeter defenses entirely.

As a result, once they’re in — you’re in trouble. The attackers can quickly escalate their privileges and strike at the core of your infrastructure.

The Payload: VGOD.exe and locker.dll

After gaining access, Safepay deploys a malicious executable called Vgod.exe. Embedded within this binary is locker.dll, the core ransomware component responsible for encrypting all reachable devices on the network.

Thanks to their deep-level access, Safepay leverages Group Policy Objects (GPOs) to silently and efficiently deploy the ransomware across the environment. This makes detection and containment extremely difficult — and underscores the importance of regularly auditing your GPOs.

Recommendation: Monitor Your Default Domain Policy

A critical defense tactic is to regularly inspect your Default Domain Policy (DDP) and other critical GPOs for unauthorized changes. Track modification timestamps and establish internal change control protocols so that every change is logged and reviewed.

If your domain controller’s policies suddenly change — especially outside of a planned maintenance window — treat it as a red flag and investigate immediately.

Indicators of Compromise (IOCs)

Below is a list of known IOCs tied to Safepay’s latest campaigns. Add these to your threat intelligence feeds and block lists immediately:

IP Addresses:

File Hash (SHA-256):

Note: The hash for locker.dll is not yet available.

Final Thoughts

The rise of Safepay highlights the critical need for zero-trust principles, regular patching (especially edge devices), and defensive auditing of privileged access tools like GPOs. Their method of weaponizing Fortigate VPN vulnerabilities is a stark reminder: your VPN is not just an entry point — it can be your Achilles heel.

Stay vigilant, monitor your domain policies, and harden your perimeter — before someone else does it for you.