Ransomware Group: SAFEPAY

VICTIM NAME: rhschool[.]org

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The ransomware leak page for the victim entity, identified as rhschool.org, indicates that the organization operates within the education sector. The attack was reported on July 22, 2025, at approximately 19:25 UTC. The incident involves the release of potentially compromised data associated with the organization, suggesting a data breach targeted at this educational institution. The portal provides a link to a claim URL, hosted as a dark web onion site, where further information or negotiations may take place. A screenshot included on the page depicts visual evidence related to the breach, such as internal documents or data leaks, though specific contents are not detailed.

The breach appears to focus on information or data related to the organization’s operations, though no personal or sensitive PII are explicitly disclosed within the shared excerpt. The attack is attributed to a group identified as ‘safepay’. No additional details about affected users, employees, or third-party partners are provided, and no explicit mention of further data compromise is available. The leak page emphasizes that the organization belongs to the education activity sector and does not specify the country. The provided screenshot offers a visual context but no explicit content is described. Overall, the leak highlights a successful breach impacting the institution’s digital environment.