The SafePay ransomware group has announced a successful cyberattack against Xortec GmbH, a German professional video surveillance provider, adding the company to its dedicated data leak site. The group, which employs double extortion tactics to both steal and encrypt data, has set a looming ransom payment deadline for the Frankfurt-based firm: October 27, 2025.
Xortec GmbH serves as a value-added distributor and systems integrator specializing in IP networking, security solutions, and professional video surveillance. Acquired by Beyond Capital Partners in 2021, the company is a fast-growing B2B firm headquartered in Frankfurt with offices throughout Germany. With an annual revenue exceeding €7.5 million and several dozen employees, Xortec focuses on delivering large installation projects and supplying essential equipment, including cameras, network video recorders (NVRs), access control systems, and associated cabling.
The company’s clientele is entirely B2B, consisting of system houses, specialist installers, resellers, and system integrators that operate globally, with a strong focus on the DACH region (Germany, Austria, Switzerland). Xortec’s offerings are integral to security infrastructure across a wide array of sectors. These span logistics, retail, public and private infrastructure, and numerous critical facilities, given the company’s core focus on communications and video surveillance solutions.
Due to Xortec’s integral role within the security supply chain, the breach presents a significant, multi-tier risk far exceeding the compromise of a single company. Attackers could potentially leverage this access to backdoor hardware or software used by downstream installers, thereby exposing client data, internal surveillance layouts, or sensitive shipment records. Furthermore, the successful compromise or alteration of firmware could damage trust in thousands of deployed security systems, while a disruption to logistics could impact resellers and critical sectors like transport or utilities.
SafePay is a relatively new but rapidly growing independent ransomware operation, known to have been active since late 2024, that uses double extortion: it steals data before encrypting it. The group maintains a high operational tempo, often conducting data theft and encryption within 24 hours of gaining access to a network. SafePay targets global organizations across key sectors, including government, healthcare, and manufacturing, and notably avoids compromising Russian systems, which suggests a probable Eastern European origin.