Ransomware Group: SAFEPAY

VICTIM NAME: sb-p[.]de

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The ransomware leak page pertains to the victim website sb-p.de, which is linked to the group known as safepay. The attack date is recorded as May 21, 2025, with the incident occurring shortly before the page’s discovery. The leak includes a screenshot capturing images of the victim’s online presence, but no detailed information about specific data exfiltrated or compromised has been publicly disclosed. The page references a claim URL on the dark web, suggesting that the attackers have claimed responsibility and may be offering access to stolen data or threatening further action. The victim appears to be in the country of Germany, though activity details are not specified, and the industry type remains unavailable.

Among the available data, there is minimal evidence of sensitive information or specific data leaks, indicating either that no personally identifiable information (PII) has been publicly leaked or that details have been withheld. The screenshot provided hints at potential internal or contextual visuals, but without explicit content description, it remains unclear if any revealing documents or images are included. The attack, attributed to the safepay group, suggests a targeted incident that could involve data theft or extortion tactics common in ransomware campaigns. The leak and associated claim URL are accessible via the Tor network, emphasizing the covert nature of the operation. Additional details about the extent of the breach or data compromised are not currently available.