Showing posts with label SafePay ransomware.

Ridgefield Public Schools Faces 2-day Deadline After Hackers Threaten to Leak 90 GB of Stolen Data


Ridgefield Public Schools (RPS) in Connecticut was hit by a ransomware attack on July 24, 2025, and the SafePay ransomware gang is now threatening to release 90 GB of stolen data within two days if its ransom demands aren't met.

The school district's cybersecurity tools detected attempts to deploy encryption malware, prompting it to immediately take its computer network offline to investigate. While RPS confirmed that a ransom was demanded, it hasn't revealed the amount or whether it was paid. The fact that SafePay has now published the school district on its leak site suggests negotiations have failed.

Impact on school operations 

System restoration is ongoing, with RPS hoping teachers would regain email access this week. The district serves approximately 4,500 students across nine schools (six elementary, two middle schools, and one high school). They are investigating potential data breaches and offering advice on data protection in case sensitive personal information was stolen.

Broader education sector threats 

This attack is part of a concerning trend: 26 confirmed ransomware attacks have hit the US education sector in 2025 so far, with 49 more unconfirmed. Recent victims include School District 5 of Lexington and Richland Counties (1.3 TB stolen), Franklin Pierce Schools ($400,000 ransom demand), and Manassas Park City Schools, where Social Security numbers and financial data may have been compromised.

In 2024 alone, nearly 3 million records were breached across 83 attacks on US educational institutions, highlighting the severe ongoing impact on schools, colleges, and universities. 

About SafePay ransomware group 

SafePay first emerged in November 2024 and has since conducted 278 tracked attacks, 35 of them confirmed by victims. The group uses LockBit-based ransomware and employs a double-extortion technique, demanding payment both to decrypt systems and to delete the stolen data. RPS is the sixth educational institution confirmed to have fallen victim to SafePay, following attacks on the Harrison County Board of Education and a Czech school this year.

Ingram Micro Confirms SafePay Ransomware Attack and Global IT System Outage


Ingram Micro, one of the world’s largest IT distribution and services companies, has confirmed it was targeted in a ransomware attack by the SafePay group, causing major operational disruptions across its global network. The cyberattack, which began early on July 4, 2025, forced the company to take critical internal systems offline and suspend access to platforms such as its AI-powered Xvantage distribution system and the Impulse license provisioning platform. 

The attack came to light after employees discovered ransom notes on their devices. According to cybersecurity outlet BleepingComputer, the notes were linked to the SafePay ransomware operation—an increasingly active threat actor that has claimed over 220 victims since emerging in late 2024. Although the extent of data encryption remains unclear, sources suggest that the attackers likely accessed Ingram Micro’s network via compromised credentials on the company’s GlobalProtect VPN gateway.

Initially, Ingram Micro refrained from publicly acknowledging the attack, stating only that it was experiencing “IT issues.” Employees in some regions were instructed to work from home, and the company advised against using the VPN service believed to be involved in the breach.

On July 6, Ingram Micro officially confirmed the ransomware incident. In a statement, the company said it took immediate steps to secure affected systems, brought in cybersecurity experts to investigate, and notified law enforcement agencies. It also assured customers and partners that it was working urgently to restore operations and minimize further disruption. 

By July 8, the company had made significant progress in recovery. Subscription orders—including renewals and modifications—were once again being processed globally, with additional support for phone and email orders reinstated in key markets such as the UK, Germany, Brazil, India, and China. However, some hardware order functions remain limited. 

Palo Alto Networks issued a clarification stating that none of its products were the source of the breach. The vendor emphasized that the attackers likely exploited misconfigurations or stolen credentials, not any inherent flaw in the VPN software itself.

This breach highlights the increasing sophistication of ransomware groups like SafePay and the risks faced by large IT infrastructure providers. Ingram Micro’s swift containment and recovery response may help mitigate long-term impacts, but the incident serves as a critical reminder of the importance of proactive cybersecurity measures, especially in environments reliant on remote access technologies.

SafePay Ransomware: A New Threat with Advanced Techniques


In October 2024, cybersecurity experts at Huntress identified a previously undocumented ransomware strain named SafePay. This malware was deployed in two separate incidents and stands out for its distinctive features, including the use of .safepay as an encrypted file extension and a ransom note titled readme_safepay.txt. Despite its limited exposure, SafePay’s techniques signal a skilled operator leveraging advanced ransomware methods.

SafePay is linked to older ransomware families like LockBit, with Huntress analysts stating: “During our analysis of the ransomware binary, we began to notice a large number of similarities to the extensively analyzed LockBit samples from the end of 2022.” These parallels suggest that SafePay’s developers may have utilized leaked LockBit source code to create their malware, showcasing a blend of stealth and sophistication.

SafePay follows a systematic two-phase attack process:

  • Data Collection and Exfiltration: In one observed incident, attackers used WinRAR to archive data across multiple systems and exfiltrated it via FileZilla. Analysts remarked, “This activity looks like potential data exfiltration from the network—collected and archived with WinRAR and then possibly exfiltrated out using FTP.” Tools were uninstalled post-use to erase traces.
  • Encryption Deployment: Using Remote Desktop Protocol (RDP) access, attackers deployed ransomware scripts via PowerShell, targeting network shares. Commands such as disabling shadow copies and modifying boot configurations were executed to impede recovery. The ransom note ominously begins with: “Greetings! Your corporate network was attacked by SafePay team,” and outlines negotiation steps for data recovery.
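Detection-side companion to the two phases above, added here as an example (not Huntress's or the blog's code): it runs the post's file indicators (.safepay extension, readme_safepay.txt) and command-line patterns over constructed host records and groups hits per host. Mapping the described shadow-copy and boot-configuration changes to vssadmin and bcdedit invocations is an assumption, since the post does not name the utilities.

```python
# Added example, not Huntress's or the blog's code: matches the SafePay host
# artifacts the post names (.safepay, readme_safepay.txt) and the recovery-
# impairing commands it describes. Records and hostnames are constructed.
import ntpath
import re
ENCRYPTED_EXT, RANSOM_NOTE = ".safepay", "readme_safepay.txt"

# Process command-line rules. Assumption: the post's "disabling shadow copies"
# and "modifying boot configurations" map to vssadmin/bcdedit invocations.
CMDLINE_RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "boot_config_tamper": re.compile(r"bcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled|bootstatuspolicy)\b", re.I),
    "archiver_staging": re.compile(r'\brar(\.exe)?"?\s+a\b', re.I),  # WinRAR "add to archive"
}

def parse_record(line):
    """Split a constructed 'host|kind|value' record; kind is 'proc' or 'file'."""
    host, kind, value = line.split("|", 2)
    return host.strip(), kind.strip(), value.strip()

def scan(lines):
    """Return (rule, host, evidence) tuples for every record hitting an indicator."""
    findings = []
    for line in lines:
        host, kind, value = parse_record(line)
        if kind == "proc":
            findings += [(n, host, value) for n, rx in CMDLINE_RULES.items() if rx.search(value)]
        elif kind == "file":
            name = ntpath.basename(value).lower()  # handles Windows paths on any OS
            if name.endswith(ENCRYPTED_EXT):
                findings.append(("safepay_extension", host, value))
            elif name == RANSOM_NOTE:
                findings.append(("safepay_ransom_note", host, value))
    return findings

def summarize(findings):
    """Map each host to the sorted rules it tripped, for triage of the two phases."""
    per_host = {}
    for rule, host, _ in findings:
        per_host.setdefault(host, set()).add(rule)
    return {h: sorted(r) for h, r in per_host.items()}

SAMPLE_LOG = [  # constructed records, not real telemetry
    "WS01|proc|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "WS01|proc|bcdedit.exe /set {default} recoveryenabled no",
    "FS02|proc|\"C:\\Program Files\\WinRAR\\Rar.exe\" a -r D:\\staging\\finance.rar \\\\FS02\\finance",
    "WS01|file|C:\\Users\\Public\\Documents\\budget.xlsx.safepay",
    "WS01|file|C:\\Users\\Public\\readme_safepay.txt",
    "WS03|proc|C:\\Windows\\System32\\notepad.exe C:\\temp\\notes.txt",
]
```

A host that trips only archiver_staging (FS02 here) matches the collection phase, while one that trips the recovery-impairing commands plus the file artifacts (WS01) matches the encryption phase.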

The SafePay group operates on both the Tor network and the decentralized The Open Network (TON). Their leak site showcases victim organizations and stolen data directories. Huntress analysts discovered vulnerabilities in the site’s backend, exposing an Apache server status endpoint that offered insights into the group’s operations.

Although relatively new, SafePay’s connection to LockBit and its sophisticated techniques present significant risks across industries. As Huntress analysts concluded: “The threat actor was able to use valid credentials to access customer endpoints and was not observed enabling RDP, creating new user accounts, or establishing persistence.”