Ransomware Group: SAFEPAY

VICTIM NAME: extremefire[.]com[.]au

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The ransomware leak page pertains to an Australian fire protection company operating under the domain extremefire.com.au. The incident was discovered on April 16, 2025, and the attack’s compromise date is listed as April 16, 2025, indicating a recent cybersecurity breach. This organization specializes in designing, installing, and maintaining fire safety systems, including sprinkler systems, extinguishers, and alarm solutions. The leak does not specify any compromised internal data, but the presence of a screenshot suggests that some internal information or documentation may have been exposed. No sensitive personal or employee data appears to have been impacted based on available information. The attack is associated with a group identified as ‘safepay’, which is known for targeting organizations with ransomware tactics.

The leak involves the publication of certain data or information, with the attacker providing a claim URL on a dark web onion site. An image available in the leak shows a screenshot potentially of internal documents or system layouts, which could reveal operational details. The victim appears to operate within the fire safety industry in Australia, and the attack may impact their internal operations or client data. No specific details of the leaked data, such as customer information or financial data, are provided. The presence of download links or additional leaks is not confirmed beyond the mention of the claim URL. Overall, the breach highlights the importance of cybersecurity measures for critical infrastructure providers.