Ransomware Group: SAFEPAY

VICTIM NAME: phillips66lubricants[.]com

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The leak page centers on phillips66lubricants[.]com, identified as a U.S.-based energy sector entity that manufactures and supplies industrial and automotive lubricants. The posted content includes a concise business profile, noting a broad international footprint described as operating in more than 80 countries, and emphasizes the company’s research and development capacity along with proprietary blending and packaging capabilities. A blog excerpt embedded in the page mentions a revenue figure of about $20.4 million and frames the victim as part of a larger corporate ecosystem. The entry is associated with the threat group identified in the dataset and signals that an extortion-style narrative accompanies the profile, including a claim URL linked to the post.

The metadata indicates the post date is 2025-08-26 09:48:15.191516, which serves as the post date for the leak entry since no explicit compromise date is provided in the data. The page shows no screenshots or images (images_count is 0) and lists no downloadable content, attachments, or additional files. In line with typical ransomware leak pages, a claim URL is present, suggesting further information may be available through external notes or materials, though the dataset does not include the actual link. The content appears to be primarily textual, with the victim’s public-facing business background forming the core context of the page.

Because the provided data does not specify whether the attack resulted in encryption, data exfiltration, or both, there is no explicit statement of impact or ransom amount within the summary. The impact field is empty, and no ransom figure is listed. The combination of a claim URL and a background profile for phillips66lubricants[.]com aligns with common ransomware leak-page patterns, but without additional corroborating details, the exact nature of the incident remains unclear from this dataset. The victim operates in the energy sector as a lubricant manufacturer and supplier with a substantial global footprint, underscoring potential operational risk if follow-up disclosures occur.