Ransomware Group: SAFEPAY

VICTIM NAME: childrenscouncil[.]org

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The leak page targets the US-based nonprofit operating under the domain childrenscouncil[.]org (defanged as childrenscouncil[.]org). Metadata from the Ransomware[.]live feed attributes the post to the threat actor group safepay. The victim is identified as an Education sector organization based in the United States, specifically the Children’s Council of San Francisco. The page’s content presents a profile of the organization rather than detailing an explicit encryption event or data exfiltration in the visible excerpt. The post date is listed as August 19, 2025, with a blog-style entry on the domain that includes a reference to its public-facing description. The excerpt notes the organization has over 50 years of experience advocating for and facilitating high-quality early child care and education across the city.

According to the leak content, the organization operates with an annual budget around $250 million, supported by subsidies, stipends, and educator supports, and it employs more than 160 staff who assist families in navigating care options, securing financial aid, and accessing resources. The material also indicates that the organization provides support to home-based educators through training and tools intended to enhance quality of care. In the excerpt, the page lists revenue of about $55.4 million, adding context to the organization’s size and scope. There is a claim URL present on the page, but the excerpt itself focuses on the victim’s public profile rather than specific data—nor does it provide a ransom amount or encryption status in the visible text. No screenshots, images, downloads, or linked files are present according to the provided data.

Overall, the post under safepay’s label presents a formal portrait of the Children’s Council of San Francisco—the victim name to be highlighted—within the Education sector in the United States. The absence of explicit encryption or data-leak details in the visible excerpt, combined with the lack of downloadable content or images, suggests that this particular page emphasizes organizational background rather than a described exfiltration event. The post date is August 19, 2025, and the presence of a defanged domain reference aligns with a ransomware leak publication pattern, even though the specific compromised data or ransom figure is not disclosed in the available text.