Ransomware Group: SAFEPAY

VICTIM NAME: rivertoncabinets[.]com

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The leak page lists rivertoncabinets[.]com as a victim, attributed to the Safepay ransomware group. The post names Riverton Cabinet Company as a U.S.-based custom cabinetry firm, with location details redacted for privacy. The page emphasizes the business’s craftsmanship and design-to-build approach, noting that cabinets are built and assembled by experienced artisans who work with clients from concept to completion. It highlights extensive product galleries—from kitchens and bathrooms to entertainment centers and custom bars—and stresses integrity and quality in every project. The post is dated August 26, 2025 (post date). There is no explicit compromise date provided in the available data, and the excerpt does not clearly state whether encryption, data exfiltration, or a ransom demand occurred. A claim URL is present on the leak page (defanged to avoid clickable links). The excerpt also mentions a revenue figure of $5.9 million, offering a sense of the company’s scale. The victim name is kept as rivertoncabinets[.]com, while location details have been redacted to remove PII.

There are no screenshots, images, or downloadable files shown on the leak page; the data indicates zero images and no downloads or linked documents. The content functions primarily as a corporate profile rather than an exhibit of leaked data. Given the absence of a stated compromise date and the lack of explicit encryption or data-loss claims in the accessible text, the post reads more like a victim-profile notice than a conventional data-leak artifact. The post is attributed to the Safepay group, and the defanged claim URL suggests a standard disclosure format, pending any additional artifacts or updates that may emerge.