IT security firm Check Point Software has published its report on the security landscape for May. A newly emerged ransomware group called SafePay has quickly become the most prominent ransomware threat. The healthcare and communications sectors are the most targeted industries, while FakeUpdates remains the most widespread malware family in Sweden.
SafePay was first identified in late 2024 and has expanded rapidly since. The group, which may have ties to Russia, employs a double-extortion model that both encrypts and exfiltrates data to increase pressure on victims. Unlike many ransomware actors that operate as Ransomware-as-a-Service (RaaS), SafePay appears to run with an internal team and a clear organizational structure. This approach has led to consistent and effective attacks against organizations of various sizes.
In May, authorities carried out an international operation targeting the malware distribution platform Lumma, involving Europol, the FBI and Microsoft. Thousands of domains were seized and parts of the platform’s infrastructure were temporarily disrupted. Although core servers were quickly restored in Russia, the takedown caused damage by eroding user trust and creating uncertainty among the platform’s users.
According to the report, the most affected sectors in Sweden were healthcare and communications, averaging 2,729 and 2,543 weekly attacks per organization respectively. This indicates sustained pressure on critical infrastructure. FakeUpdates remains the top malware threat in Sweden with a country impact of 5.16 percent, followed by AndroRAT at 3.07 percent and Remcos at 1.39 percent.
“The threat landscape continues to evolve rapidly,” says Mats Ekdahl, security expert at Check Point Software. “New actors like SafePay are emerging, large-scale actions are being taken against organized cybercrime, and established threats such as FakeUpdates persist. In these times, it is essential to keep systems up to date because changes happen so quickly.”
For more information, read Check Point Software’s blog: https://blog.checkpoint.com/research/may-2025-malware-spotlight-safepay-surges-to-the-forefront-of-cyber-threats/