Ransomware Group: SAFEPAY

VICTIM NAME: batemangroundworks[.]co[.]uk

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The leak page associated with the victim domain batemangroundworks[.]co[.]uk is attributed to the SafePay ransomware group. The post is dated August 19, 2025, and the page presents the incident in the context of a construction-sector contractor operating from Norwich, East Anglia since 1997. A claim URL is indicated on the page, consistent with extortion-style leak disclosures typical of ransomware operators. The available text does not specify whether files were encrypted or provide a disclosed ransom amount. There are no downloadable files or images listed on the leak page.

The accompanying body excerpt describes batemangroundworks[.]co[.]uk as a Norwich-based civil engineering and groundworks contractor with a long operational history. It highlights core services such as earthworks, highways, Sustainable Urban Drainage Systems (SUDS), wet-well pumping stations, and utility installations, and notes a focus on safety, sustainability, apprenticeships, community well-being, and environmental initiatives. A revenue figure around $20.8 million is cited, illustrating the company’s scale within the UK construction sector. The page’s language is English and the visible content centers on presenting the victim’s corporate profile rather than technical breach details or data samples; no explicit ransom figure appears in the accessible material. The metadata identifies the threat actor as SafePay and confirms the presence of a claim URL, aligning with typical ransomware leak-page behavior.

Overall, the leak post positions batemangroundworks[.]co[.]uk as the victim of a ransomware incident with SafePay as the actor. There are no images or downloadable content on the page, which reinforces that the visible material is focused on background information about the company rather than a data dump. The post date provided in the metadata is August 19, 2025; no separate compromise date is listed in the available fields, so the date is treated as the leak page’s publication date. The content remains centered on the victim’s identity and corporate profile rather than providing technical breach specifics.