Ransomware Group: SAFEPAY

VICTIM NAME: prais[.]ro

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The ransomware leak page pertains to a Romanian digital platform, identified as “prais.ro”. This platform provides a broad range of digital services, including web development, e-commerce solutions, and mobile app creation. The site is designed to serve businesses of various sizes aiming to strengthen their online presence and attract more customers through customized digital strategies. The attack was discovered on May 17, 2025, and the compromise date aligns with the discovery date, indicating a recent breach. The leak suggests that the victim’s infrastructure was impacted by a ransomware group identified as “safepay”. The page includes a screenshot showing the affected site’s interface, giving an overview of the compromised platform. Details about specific data exfiltrated or available for download remain unspecified, but the leak indicates possible data exposure related to the victim’s digital assets.

In addition to the technical details, the leak page features a claim URL hosted on the dark web, through which alleged attackers have made their data accessible. The involved group, “safepay,” appears to have targeted this platform’s digital infrastructure. The description suggests that the breach may include sensitive business information, though no explicit PII or client data are disclosed in publicly available summaries. The presence of a screen capture illustrates the attacker’s efforts to showcase their access or stolen data. The attack’s impact on the victim’s operations and the nature of the compromised information are not specified, but the incident underscores the ongoing threat landscape targeting digital service providers, even those specializing in technological solutions.