Ransomware Group: SAFEPAY

VICTIM NAME: akd-ekbo[.]de

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The leak page lists akd-ekbo[.]de as the victim, attributed to the Safepay ransomware group. The domain corresponds to the Amt für kirchliche Dienste (AKD), described on the page as the central continuing education institution for professional and volunteer staff of the Evangelical Church within the Berlin-Brandenburg-Schlesische Oberlausitz EKBO. The page presents AKD’s mission as provider of training and educational programs that support the church’s work in congregations, schools, and broader society, emphasizing spiritual development, professional skills, and civic engagement among its community. There is no explicit statement on encryption of systems or data exfiltration in the excerpt, and no ransom amount or demand is shown. The page includes a defanged claim URL, indicating the attackers have posted a ransom-related link, but the actual URL is not displayed here. No screenshots or downloadable content are indicated on the page (the data show zero images and no downloads).

From the body excerpt, akd-ekbo[.]de appears to host a blog post describing AKD’s role within EKBO as the central provider of continuing education for church staff. It notes that AKD offers training and educational programs to support the church’s mission in congregations, schools, and broader society, aiming to foster spiritual development, professional skills, and civic engagement among its community members. The post date is listed as 2025-08-26 12:44:33.322276, with the excerpt showing a nearby timestamp of 2025-08-26 11:44; there is no explicit compromise date provided, so the post date is taken as the event date for reporting. The leak provides no industry classification beyond the victim’s name, and there is no visible PII in the excerpt. The page shows no images or attachments, reinforcing that the content is descriptive rather than a catalog of leaked documents.