Ransomware Group: SAFEPAY

VICTIM NAME: avgouleaschool[.]gr

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The ransomware attack targeted an educational institution based in Greece, specifically the domain avgouleaschool.gr. The attack was discovered on July 7, 2025, and the attack date is recorded as July 7, 2025, at 22:50 (UTC). The affected organization has approximately 26 employees and experienced a data breach involving multiple information-stealing malware variants, including Lumma, Raccoon, RedLine, and others. The leak appears to include a variety of sensitive data, although specific PII or confidential information has been redacted or is not explicitly detailed. The incident was publicly disclosed through a specific dark web claim URL and is associated with the “safepay” group.

A screenshot linked to the leak shows visual evidence of the compromised data or systems, illustrating internal documents or control panels associated with the attack. The leak involves the publication of stolen data, potentially including personal and institutional records stored by the school. Given the nature of the attack, the breach could impact students, staff, and external partners, highlighting the importance of cybersecurity measures in the education sector. The attack is part of a broader pattern of cybercriminal activity targeting institutions using multiple infostealers to compromise and exfiltrate data before ransom demands or public leaks. No explicit PII or specific breached files are displayed, adhering to responsible reporting standards.