SafePay ransomware names a German airport and charity in leak site surge

The SafePay ransomware operation has posted a cluster of German organizations to its dark web leak site over the past week, including a regional airport, a Catholic charity and several construction and services firms. The listings are the group's own extortion claims and have not been independently confirmed, but the concentration of German victims in a single burst marks one of SafePay's busiest runs against the country this year.

On July 6 alone, SafePay named eight German entities on its leak site. Among the most recognizable are Frankfurt Hahn Airport, a regional airport in western Germany, and Caritas Koblenz, a local arm of the Catholic welfare organization Caritas that runs social and care services. The crew also listed a UK victim, St Edward's Catholic First School, and two US firms, capping an operation that leaned heavily toward German small and mid sized businesses.

What we know

SafePay, tracked by IntelFusions under the Atomic Fusion name Burr Flux, has been one of the higher volume ransomware brands of the past year, favoring small and mid market organizations that often lack mature backups or incident response. Its leak site follows the now standard double extortion playbook: steal data first, encrypt second, then publish a countdown and sample files to pressure victims into paying. Appearing on the site means the group claims to hold stolen data, not that any named victim has confirmed a breach.

The week's German targets span sectors that keep smaller institutions in the crosshairs: construction, business services, social housing and care providers, and healthcare via the Caritas listing. The airport listing stands out because transport hubs, even smaller regional ones, sit close to critical infrastructure and can carry outsized disruption and reputational stakes.

Why it matters

A tight geographic cluster like this is a useful early warning signal. When a single crew posts nine victims from one country inside a week, it often reflects a shared initial access vector, a specific access broker, or a burst of exploitation against a common product or managed service provider in that market. German organizations, and the IT providers that serve them, should treat the surge as a prompt to check their exposure. For the wider pattern of European public sector and healthcare targeting, see our coverage of the CMD crew's hits on a Norwegian municipality and healthcare firms, and the broader leak site wave against US healthcare providers over the July 4 weekend.

What you should do

There is no single patch here, because leak site listings do not disclose the intrusion path. The durable defenses are the usual ones, applied seriously: enforce phishing resistant multi factor authentication on email, VPN and remote access; keep offline, tested backups; patch internet facing appliances and remote access gateways promptly; and monitor for the data staging and exfiltration that precede encryption. Organizations in Germany can track the national threat picture on our Germany cyber profile, and follow this crew on the SafePay threat actor page.

IntelFusions will update this story if any of the named organizations confirm an incident or if SafePay releases the data it claims to hold.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions