[SAFEPAY] – Ransomware Victim: constructiondprovost[.]com
NOTE: No files or stolen information are exfiltrated, downloaded, taken, hosted, seen, reposted, or disclosed by RedPacket Security. Any legal issues relating to the content should be directed at the attackers, not RedPacket Security. This blog is an editorial notice informing that a company has fallen victim to a ransomware attack. RedPacket Security is not affiliated with any ransomware threat actors or groups and will not host infringing content. The information on this page is automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.
AI Generated Summary of the Ransomware Leak Page
On October 24, 2025, a ransomware leak page attributed to the group safepay identified the victim as constructiondprovost.com. The post presents the incident as a data-leak event rather than a pure encryption-only compromise, and there is no ransom amount shown in the provided excerpt. A claim URL is indicated on the page, suggesting attackers intend readers to verify or engage with their claims. The page does not display any screenshots, images, or downloadable content (no images or downloads are present in the provided data). The timestamp on the leak page aligns with the post date, which is recorded as 2025-10-24 21:24:33.628747.
Victim profile: The body excerpt describes constructiondprovost.com as a regional general contracting firm based in Mont-Tremblant, Canada, specializing in high-quality residential and light-commercial construction, renovations, and chalet projects. It emphasizes turnkey project delivery through an in-house crew of carpenters, joiners, and finishers to control quality and timelines. The portfolio reportedly features timber, stone, and custom interior work, with a client base that values bespoke craftsmanship and local knowledge of seasonal building conditions in the Laurentians. Project sizes range from smaller renovations to full chalet builds. Described as privately held with a modest staff and local focus, the firm is cited as generating roughly $5 million in annual revenue, with no publicly audited accounts located.
Context and CTI notes: The leak page relies on the victim’s public-facing profile to establish identity and business scope rather than presenting encryption-specific details. The absence of any images or attachments, combined with no explicit ransom figure in the provided excerpt, limits visibility into the exact nature of the compromise beyond its data-leak posture. The presence of a claim URL indicates an interface for verifying or engaging with the attackers’ claims. The incident is centered in Canada and within the Construction industry, with the victim name retained as constructiondprovost.com for clarity and correlation with the leak page.
Support Our Work
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on Patreon or Buy Me A Coffee using the buttons below.
