Ransomware Group: SAFEPAY

VICTIM NAME: servicedecorating[.]com

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The ransomware attack targeted an online platform operating within the consumer services industry. The incident was detected on May 21, 2025, indicating that the breach occurred on the same day, with the malicious activity confirmed shortly thereafter. According to available data, the attack involved the deployment of an infostealer component, which may have been used to extract sensitive data from the victim’s systems. The victim’s website, associated with the domain servicedecorating.com, is displayed in the leak, along with a screenshot illustrating some aspect of the compromised environment. The leak page provides a claim URL hosted on the dark web where further details and proof of data exfiltration are accessible, although specifics about the compromised data are not publicly disclosed.

The page highlights that no employee or user data was explicitly reported as compromised, suggesting the attack may have targeted specific internal or customer data or aimed primarily at system disruption. Security researchers and analysts are advised to monitor related threats and confirm whether any sensitive information has been leaked or exposed. The leak includes a link to a dark web claim URL and features visual evidence such as a screenshot that may depict internal documents or system interfaces. No explicit PII or sensitive personal data is publicly displayed in the leak, and the incident appears to be part of a broader campaign targeting service-oriented platforms. Additional research and monitoring are recommended to assess ongoing risk or impact.