Ransomware Group: SAFEPAY

VICTIM NAME: distribution2[.]com

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The victim in this case is associated with the domain distribution2.com, which has been targeted in a known ransomware attack as of May 17, 2025. The attack was detected and publicly disclosed shortly thereafter, with the incident timestamp indicating the compromise occurred on the same day in the evening hours. The page includes a screenshot of the affected environment, providing a visual reference of the compromised system. There is a claim URL linked to an onion site where further data distribution or related information may be available. However, specific details about the nature of the data compromised or the attack’s impact are not explicitly disclosed in the available information. The attack group involved is identified as “safepay,” suggesting a connection to a known cyber threat actor.

The leak page does not specify the activity sector or business type of the victim. No information about the number of employees or external third-party involvement is provided, nor is there data indicating the extent of data exfiltration beyond the visual evidence available in the screenshot. The presence of a link to the onion claim site suggests that the attacker may be sharing further details or data for verification or extortion purposes. The image included shows visual evidence from the affected environment, but details about contents or potential sensitive information leaked remain unspecified. Overall, this incident appears to involve a typical ransomware extortion scenario with limited publicly available specifics.