In a new wave of cyberattacks emerging from the dark corners of the web, the ransomware group known as Safepay has claimed responsibility for breaching the Swiss electronics company Gravelec SA. This incident was detected and reported by the ThreatMon Ransomware Monitoring team on May 11, 2025, marking another victim in a rapidly growing list of ransomware casualties across Europe.
Cybersecurity researchers observed the announcement on a known ransomware leak site, where the attackers publicly listed the compromised organization — a method often used to pressure companies into paying the ransom. While the full extent of the breach has yet to be disclosed, this event once again underscores the vulnerability of mid-sized tech companies to targeted ransomware attacks.
The Incident
Date and Time of Detection: May 11, 2025, at 21:59 UTC+3.
Threat Actor Identified: Safepay ransomware group.
Victim: Gravelec SA, a Switzerland-based electronics and automation provider.
Source of Intel: ThreatMon Threat Intelligence Team.
Platform Used for Disclosure: Dark Web ransomware leak site.
ThreatMon Monitor Account: @TMRansomMon on X (formerly Twitter).
Nature of Attack: Ransomware deployment with potential data exfiltration and encryption of systems.
Visibility: Public post shared on May 12, 2025, accumulating traction within the cybersecurity monitoring community.
Group Background: Safepay is known for double-extortion tactics, threatening to leak stolen data if ransoms are not paid.
Ransom Demand: Not publicly disclosed at the time of reporting.
Response from Gravelec: No official statement released yet.
Potential Data at Risk: Internal business operations, customer records, supplier contacts, financial data.
Safepay’s Modus Operandi: Commonly reported entry points are exposed or weakly authenticated RDP services, phishing, and unpatched VPN appliances.
ThreatMon’s Contribution: Early detection and sharing of Indicators of Compromise (IoCs) via GitHub and OSINT channels.
Community Alert: Raises alarms for similar SMEs across Europe, particularly in the electronics and automation sectors.
Context: Part of a broader spike in ransomware activity targeting manufacturing and logistics firms in Q2 2025.
Media Coverage: Limited at the time, but likely to grow as investigations unfold.
CISO Implications: Need for urgent threat intelligence integration and patch management protocols.
Cyber Insurance Risks: Such attacks can impact premium costs or payout eligibility.
Forensics Expected: Digital footprint tracing, endpoint analysis, and potential dark web negotiation traces.
Data Protection Law Ramifications: Possible breach-notification duties under Switzerland’s Federal Act on Data Protection (FADP) and, where EU data subjects are affected, the GDPR, if personal data is compromised.
Global Reactions: Security communities are tracking Safepay’s increasing activity across the EU.
Lessons for Enterprises: Emphasize incident response playbooks, endpoint detection, and threat hunting.
Victim Profile: Likely chosen due to moderate size, insufficient cybersecurity posture, and limited public exposure.
Previous Targets by Safepay: Several SMEs across Eastern Europe and Latin America in Q1 2025.
Breach Vector Hypothesis: Possibly through spear-phishing or compromised third-party vendor.
What Undercode Says:
The Safepay ransomware case targeting Gravelec illustrates an ongoing pattern we’ve tracked at Undercode: the pivot of ransomware gangs from large corporations to smaller, more agile businesses that often lack layered security infrastructure. Gravelec, while not a household name, plays a role in industrial automation, which makes it an attractive target because of potentially valuable operational data and its sensitivity to production downtime.
From a technical perspective, Safepay is a relatively new entrant to the ransomware landscape but operates with tactics resembling well-established gangs like LockBit and Medusa. The group has exhibited an aggressive publishing strategy on leak sites, using visibility to pressure negotiations. What stands out here is the short gap between ThreatMon’s detection (May 11, 21:59 UTC+3) and the public post on May 12, under 24 hours. The date of the actual intrusion has not been disclosed, so this measures how quickly the listing propagated once it appeared, not the time from breach to exposure; even so, it suggests an automated publishing pipeline or outsourced handling of disclosure.
We’ve also noticed a notable trend in the selection criteria: businesses operating in jurisdictions with strong data protection laws (the GDPR in the EU, the revised FADP in Switzerland) are being targeted more, not less. The assumption seems to be that the prospect of regulatory fines for leaked personal data will push victims to pay quickly.
ThreatMon’s reporting remains a vital part of the open-source intelligence (OSINT) ecosystem. Their ability to identify, timestamp, and broadcast such threats provides valuable early warnings not just for the direct victims but for entire industry verticals.
From a security posture viewpoint, this case highlights critical gaps still common in European SMEs:
Minimal internal incident response processes
Lack of segmentation in internal networks
Infrequent backup restore testing and no offline or offsite copies
No internal red team simulations
Weak visibility over dark web chatter and ransomware affiliate programs
We recommend SMEs immediately audit their RDP exposure, ensure MFA is enforced across all accounts (including VPN and remote-access logins), monitor threat feeds from sources like ThreatMon, and check their own internet-facing footprint with tools like Shodan. Additionally, engaging in tabletop ransomware simulations with leadership can better prepare teams for real-world extortion events.
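The RDP exposure audit recommended above can be scripted against a firewall or security-group rule export. The Python below is an added example for this article, not code from the original page, ThreatMon or Undercode; the rule layout, the `Rule` dataclass and the sample rule set are constructed for illustration and assume allow-only semantics (as in cloud security groups), so no deny rule can shadow an allow. It goes a little beyond the one-line "is 3389 open to 0.0.0.0/0" check: it catches RDP hidden inside a port range or a wildcard rule, treats any globally routable source as a finding, and avoids `ip_network(...).is_private`, which on some Python versions misclassifies 0.0.0.0/0.

```python
"""Audit allow-list firewall / security-group rules for RDP reachable from public ranges.

Added example for this article; not code from the original page, ThreatMon or Undercode.
The rule layout and sample rules are constructed and assume allow-only semantics.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

RDP_PORT = 3389

# Address space that is never globally routable; anything outside it is treated as public.
PRIVATE_BLOCKS = {
    4: [ipaddress.ip_network(c) for c in
        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
         "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")],
    6: [ipaddress.ip_network(c) for c in ("fc00::/7", "fe80::/10", "::1/128")],
}


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str    # "tcp", "udp" or "any"
    ports: str    # "3389", "3000-4000", "any" or "*"
    source: str   # CIDR the rule accepts traffic from


def port_in_range(ports: str, port: int) -> bool:
    """True if the rule's port expression covers `port` (single port, range or wildcard)."""
    spec = ports.strip().lower()
    if spec in ("any", "*"):
        return True
    lo, _, hi = spec.partition("-")
    low = int(lo)
    high = int(hi) if hi else low
    return low <= port <= high


def source_is_public(cidr: str) -> bool:
    """True unless the whole source range sits inside one non-routable block.

    Uses subnet_of() instead of ip_network(...).is_private: the latter has reported
    0.0.0.0/0 as private on some Python versions because both its first and last
    address are special-purpose addresses.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(block) for block in PRIVATE_BLOCKS[net.version])


def is_unrestricted(cidr: str) -> bool:
    """True for the 'from anywhere' ranges 0.0.0.0/0 and ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_rdp_exposure(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, severity) for every rule that admits RDP from public space."""
    findings = []
    for r in rules:
        if r.proto.lower() not in ("tcp", "any"):
            continue  # RDP is TCP; a UDP-only rule does not expose it
        if not port_in_range(r.ports, RDP_PORT):
            continue
        if not source_is_public(r.source):
            continue  # reachable only from internal space, e.g. a VPN or jump host
        severity = "high" if is_unrestricted(r.source) else "medium"
        findings.append((r.name, severity))
    return findings


# Constructed sample rule set; 198.51.100.0/24 (a documentation range) stands in for a
# partner's public range. Not any real organisation's configuration.
SAMPLE_RULES = [
    Rule("rdp-from-vpn", "tcp", "3389", "10.20.0.0/16"),        # fine: internal only
    Rule("rdp-internet", "tcp", "3389", "0.0.0.0/0"),           # classic exposure
    Rule("wide-range", "tcp", "3000-4000", "198.51.100.0/24"),  # 3389 hidden in a range
    Rule("dns", "udp", "53", "0.0.0.0/0"),                      # not RDP
    Rule("all-ipv6", "any", "*", "::/0"),                       # wildcard also exposes RDP
]

if __name__ == "__main__":
    for name, sev in audit_rdp_exposure(SAMPLE_RULES):
        print(f"[{sev.upper()}] {name}: TCP/{RDP_PORT} reachable from public address space")
```

The fix for each finding is the same in every cloud or firewall product: remove the public source and allow TCP/3389 only from the VPN or bastion range (the shape of the `rdp-from-vpn` rule), with MFA enforced on that remote-access path. A "medium" finding restricted to a partner's public range still deserves review, since a compromised partner network becomes a direct route to the host.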
The future of ransomware
Fact Checker Results
- Victim Validation: The company gravelec.ch exists and operates in the electronics manufacturing sector in Switzerland.
- Threat Actor Confirmation: Safepay’s presence and activities are being tracked by multiple threat intel sources.
- Detection Source: ThreatMon is a verified and active threat intelligence provider; the post is publicly available on X.
Prediction
Based on current attack patterns and Safepay’s previous behavior, we predict that the group will intensify its focus on critical infrastructure firms with regional, rather than global, influence. If Gravelec does not pay the ransom or issue a public statement, data leaks may appear within days on Safepay’s dark web portal. We also foresee Safepay becoming more modular, possibly offering Ransomware-as-a-Service (RaaS) capabilities by Q3 2025, expanding its reach beyond self-executed attacks. For European SMEs, the coming months will likely see a rise in double-extortion attempts targeting firms perceived as soft targets due to regulatory pressure and low cyber maturity.
References:
Reported By: x.com