Ransomware Group: SAFEPAY

VICTIM NAME: paynecountyok[.]gov

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The ransomware leak page pertains to a notable compromise involving a public sector entity in the United States. The affected organization is the official government website of Payne County, Oklahoma. The attack was publicly disclosed on May 29, 2025, with the attackers claiming responsibility through an associated dark web claim URL. The breach is linked to a group identified as “safepay,” which appears to operate within the ransomware sphere. The incident involved data leaks or potential data exfiltration, although specific details about the compromised information are not disclosed. A screenshot of the victim’s webpage is provided, highlighting the nature of the affected site. No specific details about the contents of the leak or the extent of data exposure are available, but the presence of a claim URL indicates the victim’s acknowledgment of the incident.

The attack targeted a government domain involved in public administration activities, emphasizing the threat posed to government infrastructure by ransomware groups. The breach’s timing suggests it was a recent incident at the time of discovery, and it is part of a broader pattern of cyberattacks against public sector institutions. The leak page includes references to potential data theft or system compromise, but no sensitive PII or detailed data elements are publicly described. The rearview provided by the screenshot reveals aspects of the affected webpage’s interface, which appears to be a standard government portal. The attacker may have exploited vulnerabilities to gain access, but no specific attack vectors are detailed in the available information. This incident underscores the ongoing cybersecurity challenges faced by public institutions, especially those managing critical infrastructure and citizen data.