Safepay’s Sudden Surge: Ransomware Group Claims Global Victims in Coordinated Attack Wave
Subtitle: On December 29, Safepay ransomware unleashed a blitz of attacks across industries and continents, targeting bakeries, unions, manufacturers, and more.
It was just another post-holiday Monday - until the cyber underworld erupted. On December 29, 2025, the notorious Safepay ransomware group made a bold move, publishing a fresh list of victims from around the globe. From a Massachusetts lumber yard to a UK labor union, and a Spanish manufacturer to a Canadian metalworks, Safepay’s digital hit list reads like a who’s who of unsuspecting organizations. The announcement, discovered by ransomware.live, signals not only the group’s technical reach but an escalating threat landscape for businesses large and small.
The Anatomy of a Ransomware Blitz
Ransomware attacks have evolved from isolated incidents into orchestrated campaigns. Safepay’s latest spree demonstrates this shift: in a single day, the gang claimed responsibility for compromising a diverse set of organizations, including:
- davidrosenbakerysupply.com – A bakery supplier, underscoring risks to food supply chains.
- moorelumber.com – A prominent US hardware retailer, highlighting threats to local commerce.
- usdaw.org.uk – The UK’s Union of Shop, Distributive and Allied Workers, raising concerns about attacks on labor infrastructure.
- precisionaluminum.ca and estrumar.es – Manufacturing targets in Canada and Spain.
- investigacionesmedicas.com – A medical research entity, a sector already battered by cybercrime.
- Others, including setex-textil.de and sproutnet.com, round out a truly international roster.
While details on the ransom demands or the scope of data breaches remain scarce, the pattern is clear: Safepay is leveraging its capabilities to exploit vulnerabilities wherever it finds them. The group’s modus operandi typically involves encrypting critical files, then threatening to leak sensitive data if demands aren’t met. This double-extortion tactic is now standard among sophisticated ransomware outfits.
What makes this wave remarkable is its diversity. Unlike attacks focused on a single industry or region, Safepay’s December campaign appears indiscriminate, suggesting either a broad phishing campaign or exploitation of shared software vulnerabilities. The inclusion of both high-profile and niche targets illustrates the group’s willingness to strike wherever defenses are weakest.
Ransomware.live, the disclosure platform, emphasizes that it does not host or distribute stolen data; it merely indexes what ransomware groups publish publicly. Still, the visibility provided by such platforms underscores the evolving “PR” strategies of cybercriminals, who use victim shaming as leverage.
A Wake-Up Call for Cyber Resilience
For the organizations listed, the coming days will be critical. Incident response teams must scramble to assess the damage, contain breaches, and communicate with stakeholders. For the wider public and business community, Safepay’s blitz is another urgent reminder: no sector is immune, and attackers are only getting bolder.
The digital frontline has shifted, and everyone from small suppliers to major unions is a potential target. The question now is, who will be next - and are we ready?
WIKICROOK
- Ransomware: Ransomware is malicious software that encrypts or locks data, demanding payment from victims to restore access to their files or systems.
- Double Extortion: Double extortion is a cyberattack where criminals both encrypt and steal data, threatening to leak it unless the victim pays a ransom.
- Phishing Campaign: A phishing campaign is a mass attack using fake messages to trick users into revealing sensitive data or installing malware on their devices.
- Vulnerability: A vulnerability is a weakness in software or systems that attackers can exploit to gain unauthorized access, steal data, or cause harm.
- Incident Response: Incident response is the structured process organizations use to detect, contain, and recover from cyberattacks or security breaches, minimizing damage and downtime.