Ransomware Group: SAFEPAY

VICTIM NAME: jphrs-waghaeusel[.]de

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The leak page published under the safepay group lists jphrs-waghaeusel[.]de as the victim. The victim_name corresponds to Johann-Peter-Hebel Realschule, a German secondary school located in Waghäusel, Baden-Württemberg. The page presents the victim as a public educational institution and provides a profile of the school rather than a conventional IT security breach narrative. It describes the school’s curriculum as including mathematics, languages, science, and social studies, along with skills-based training to prepare students for vocational careers or higher education. The entry also notes support resources such as career counseling, social work, and extracurricular activities, and mentions the school’s recognition with the IHK Berufswahl-Siegel award for career readiness and student guidance. A revenue figure appears in the excerpt—“Revenue $5 Million”—though the surrounding context is not provided. The leak page also indicates that a claim URL is present, without displaying the actual link here.

The page contains no attached images or screenshots according to the data (images_count = 0). There is no explicit indication in the provided excerpt that devices were encrypted or that data was exfiltrated, and the fields for impact and ransom remain unspecified. The post date, listed as 2025-08-26 09:50:01.013762, should be treated as the page’s publication date. The content in the excerpt centers on a descriptive profile of the victim’s institution rather than a straightforward data-leak or encryption narrative, and it notes the presence of a claim URL while omitting any direct URL in this summary.

CTI takeaway: The leak page associates the jphrs-waghaeusel[.]de domain with a German educational institution and attributes the post to the safepay group. The indication of a claim URL suggests a potential exfiltration claim, but there is no explicit confirmation of encryption status, data volumes, or a ransom figure within the available excerpt. With zero images present, the page appears to emphasize a descriptive institutional profile over concrete breach metrics in this specific extract. Defenders should monitor for future updates from this victim and corroborate any external reports to determine whether actual data loss or encryption occurred, while maintaining standard security practices for the affected domain and its infrastructure.