Ransomware Group: SAFEPAY

VICTIM NAME: listgrove[.]com

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

On August 19, 2025, a post on a ransomware leak site references the victim domain listgrove[.]com, identified in the data as a UK-based business services firm focused on recruitment and HR consultancy. The post is attributed to the group safepay and characterizes the incident as a data-leak rather than a full encryption event. The attackers claim data exfiltration has occurred and indicate stolen information may be published or made available for download; a claim URL is present on the page but has been defanged to reduce exposure. The post date is the date of publication, and there is no explicit compromise date or ransom amount listed in the provided records. The page shows no images or downloadable files, consistent with a text-only leak entry.

The leak page includes a short excerpt from the victim’s site describing the business as an established UK-based recruitment and HR consultancy, founded in 1975, with activity spanning sectors such as plastics, packaging, specialty chemicals, energy, biopolymers, life sciences, and recycling. The excerpt notes a historical revenue figure around $7.5 million and highlights capabilities like a multilingual team and a global talent network. PII such as emails, phone numbers, and physical addresses is redacted in the leak content, while the victim name remains the primary identifier. In summary, the post presents a conventional data-leak narrative associated with safepay, without an independently verified encryption event or disclosed ransom amount in the provided data.