Boots Transport Ransomware Claim by SafePay (May 2026)
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Leak Site Screenshot (captured at time of discovery; image blurred to protect victim PII)
Claim Summary
The ransomware group SafePay has allegedly claimed responsibility for a cyberattack against Boots Transport, a Canadian transportation and logistics company operating at bootstransport.ca. According to the group’s leak site post dated May 4, 2026, the threat actor claims to have compromised the organization’s systems and exfiltrated data. The post describes Boots Transport as a company specializing in freight delivery and supply chain services, primarily operating in Canada. The volume of allegedly stolen data remains undisclosed, and no samples or proof-of-compromise have been publicly released by the group at this time.
This claim has not been independently verified by Yazoul Security. Ransomware groups frequently exaggerate or fabricate claims to pressure victims into negotiations. Boots Transport has not issued a public statement regarding this incident.
Threat Actor Profile
SafePay is a relatively opaque ransomware group with limited public tracking. The group’s total known victim count is unknown, and no dedicated public research reports exist on their operations. Based on observed tooling, SafePay appears to employ a combination of living-off-the-land (LotL) techniques and commodity tools to move laterally and exfiltrate data.
Known tools and tactics associated with SafePay include:
- Invoke-ShareFinder: A PowerShell script used to enumerate network shares, indicating a focus on data discovery and collection.
- 7-Zip and WinRAR: Archive utilities likely used to compress stolen data for exfiltration.
- CMSTPLUA: A Microsoft-signed binary that can be abused to bypass User Account Control (UAC).
- dllhost.exe and Regsvr32.exe: Legitimate Windows processes that can be hijacked to execute malicious code or load DLLs, often used to evade detection.
The group’s credibility is difficult to assess due to the lack of a verifiable track record. Without prior confirmed attacks or public disclosures, this claim should be treated with heightened skepticism until independent evidence emerges.
Alleged Data Exposure
SafePay claims to have exfiltrated data from Boots Transport but has not specified the type or volume of information allegedly stolen. Given the company's sector, potential data exposure could include:
- Customer shipping manifests and delivery records
- Employee personally identifiable information (PII)
- Supply chain partner contracts and agreements
- Operational data such as route planning and fleet management details
No data samples, screenshots, or file listings have been provided by the threat actor to substantiate these claims. Withholding proof is a common tactic of low-credibility groups that bluff victims into paying ransoms.
Potential Impact
If the claim is verified, Boots Transport could face significant operational disruption, including:
- Service interruptions: Ransomware encryption may affect freight scheduling, dispatch systems, and customer portals.
- Regulatory scrutiny: As a Canadian company handling sensitive logistics data, Boots Transport may be subject to privacy breach notification requirements under PIPEDA.
- Reputational harm: Clients and partners may reconsider contracts if data security is compromised.
- Financial costs: Incident response, forensic investigation, and potential ransom demands could strain resources.
However, given the lack of evidence, these impacts remain speculative at this stage.
What to Watch For
- Official confirmation: Monitor Boots Transport’s website (bootstransport.ca) and corporate communications for any breach notifications.
- Data leaks: If SafePay releases samples or a full data dump, the authenticity of the claim can be assessed.
- Industry alerts: Canadian transportation and logistics firms should review their own defenses against SafePay’s known tactics, particularly PowerShell abuse and archive-based exfiltration.
- Detection guidance: No YARA rules or specific detection signatures are publicly available for SafePay. Organizations should monitor for anomalous use of Invoke-ShareFinder, 7-Zip, or WinRAR in conjunction with network share enumeration.
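A defender-side correlation of the two behaviours the guidance above names (Invoke-ShareFinder use followed by 7-Zip/WinRAR execution on the same host), as an added example that is not from the report or from SafePay tooling. The simplified JSON event shape and the log lines are constructed assumptions; real telemetry (Event ID 4104 script blocks, 4688 process creation) needs a proper parser.

```python
"""Flag hosts where PowerShell share enumeration is followed by archive-tool use."""
import json
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

ARCHIVE_TOOLS = {"7z.exe", "7za.exe", "winrar.exe", "rar.exe"}  # archive utilities named in the report

# Constructed sample events (assumption: one JSON record per line with host, time, id and details).
SAMPLE_EVENTS = r"""
{"host":"WS01","time":"2026-05-04T10:02:11","id":4104,"script":"Import-Module PowerView; Invoke-ShareFinder -CheckShareAccess"}
{"host":"WS01","time":"2026-05-04T10:41:30","id":4688,"image":"C:\\Program Files\\7-Zip\\7z.exe","cmdline":"7z.exe a -p -mhe=on out.7z D:\\Finance"}
{"host":"WS02","time":"2026-05-04T11:00:00","id":4688,"image":"C:\\Program Files\\WinRAR\\WinRAR.exe","cmdline":"WinRAR.exe x backup.rar"}
{"host":"WS03","time":"2026-05-04T09:00:00","id":4104,"script":"Invoke-ShareFinder"}
{"host":"WS03","time":"2026-05-04T15:30:00","id":4688,"image":"C:\\Tools\\7z.exe","cmdline":"7z.exe a data.7z"}
"""


def parse_events(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_share_enum(ev):
    """Event ID 4104 (script block logging) whose script mentions Invoke-ShareFinder."""
    return ev["id"] == 4104 and "invoke-sharefinder" in ev.get("script", "").lower()


def is_archive_tool(ev):
    """Event ID 4688 (process creation) for one of the archive utilities."""
    return ev["id"] == 4688 and ntpath.basename(ev.get("image", "")).lower() in ARCHIVE_TOOLS


def correlate(events, window=timedelta(hours=2)):
    """Return {host: (enum_time, archive_time)} where an archive tool ran within
    `window` after share enumeration on the same host. Either behaviour alone is
    noisy; the ordered pair within a short window is the signal worth triaging."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        by_host[ev["host"]].append(ev)
    hits = {}
    for host, evs in by_host.items():
        last_enum = None
        for ev in evs:
            t = datetime.fromisoformat(ev["time"])
            if is_share_enum(ev):
                last_enum = t
            elif is_archive_tool(ev) and last_enum is not None and t - last_enum <= window:
                hits[host] = (last_enum.isoformat(), t.isoformat())
                break
    return hits


if __name__ == "__main__":
    for host, (enum_t, arc_t) in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: share enumeration at {enum_t}, archive tool at {arc_t}")
```

Only WS01 is flagged with the default two-hour window: WS02 never enumerated shares, and WS03's archive run came six and a half hours later, which the window deliberately excludes to keep the alert rate low.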
For ongoing tracking of this and other ransomware claims, refer to Yazoul Security’s threat intelligence portal at /intel/.
Disclaimer
This report is based solely on unverified claims published by the ransomware group SafePay on their leak site. Yazoul Security has not independently confirmed the compromise of Boots Transport, the theft of any data, or the authenticity of the threat actor’s statements. Ransomware groups routinely fabricate or exaggerate attacks to coerce victims. This information is provided for situational awareness and should not be acted upon without further verification. No PII, credentials, download links, or access methods are included in this report.