SafePay, a relatively new, rapidly growing ransomware group observed in November 2024, has overtaken other threats this month to emerge as the most prevalent actor on the top ransomware group list, according to the Global Threat Index for May 2025 from Check Point Software Technologies, an AI-powered, cloud-delivered cybersecurity platform provider.
The group operates a double extortion model—encrypting victims’ files while exfiltrating sensitive data to increase pressure for payment. Despite not operating as a Ransomware-as-a-Service (RaaS), SafePay has listed an unusually high number of victims. Its centralized, internally driven structure leads to consistent tactics, techniques, and procedures (TTPs) and focused targeting.
Africa’s telecommunications, government, and financial services sectors are among the most targeted, while the education sector continues to be the most targeted industry in May 2025. These industries remain prime targets due to their critical infrastructure and large user bases, making them vulnerable to a wide range of cyberattacks.
Seven African countries are among the Top 20 countries most targeted by malware practitioners. Ethiopia continues to occupy the number 1 spot as the most targeted country of the 110 surveyed. Others on the continent include Nigeria, which ranks 5th most targeted with a Normalized Risk Index of 77.2%, followed by Zimbabwe (7th) with a Normalized Risk Index of 73.2%. Angola and Mozambique are 10th and 11th, respectively, with Normalized Risk Indexes of 64.1% and 64%. Uganda and Ghana were ranked 13th and 20th, respectively, with Normalized Risk Indexes of 62 and 57.7. Kenya occupied 21st position with a Normalized Risk Index of 57.7%. South Africa ranked 47th, moving downwards from 53rd in April.
As FakeUpdates maintains its position as the most widespread malware, new actors like SafePay and the ongoing operations against Lumma infostealer demonstrate the evolving complexity of cyberattacks.
Lotem Finkelstein, Director of Threat Intelligence at Check Point Software, stated, “May’s Global Threat Index data underscores the growing sophistication of cybercriminal tactics. With the rise of groups like SafePay and the persistent threat of FakeUpdates, organizations must adopt proactive, multi-layered security measures. As cyber threats become more advanced, it’s crucial to stay ahead of evolving attacks with real-time threat intelligence and robust defenses.”
Organizations need to adopt proactive, layered security measures to defend against these increasingly sophisticated threats.

