Ransomware Group: SAFEPAY

VICTIM NAME: universityacademy[.]org

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The ransomware leak page pertains to the educational institution identified by the domain name universityacademy.org. The attack was detected on May 31, 2025, with the breach occurring shortly before the discovery date. The group responsible for the attack is known as “safepay,” which has a history of targeting various sectors. The breach involved the deployment of multiple info-stealer malware variants, including Lumma, RedLine, and Vidar, aimed at extracting sensitive data. The incident was publicly disclosed through a dedicated portal, which includes a screenshot of the leak site displaying internal information. This breach underscores vulnerabilities in the institution’s cybersecurity defenses and highlights ongoing threats faced by education sector targets. There is no evidence of personal or employee data being compromised, but the leak indicates potential exposure of organizational data. Download links or data files related to the breach have been indicated but are not included here to protect sensitive information.

The page includes visual evidence such as screenshots showing leaked data, likely containing internal documents or organizational insights. The attack was carried out by a group specializing in information theft, as reflected in the use of multiple info-stealer malware types. The breach affected no reported employees or third-party entities directly associated with the institution, but the incident damages the institution’s privacy and operational security. The attack may have disrupted educational activities or compromised institutional communications. No further sensitive or personally identifiable information is outlined in the leak summary, and the incident remains a reminder of the importance of robust cybersecurity measures for educational establishments.