Australian energy management and consulting firm Energy Action has been listed on the dark web leak site of the SafePay ransomware gang, with threat actors claiming to have stolen company data and threatening public release within days. The listing appeared on 1 May 2026, and as of reporting, Energy Action has not publicly disclosed the incident.

What Happened

SafePay added Energy Action to its dark web leak site on 1 May 2026, claiming to have exfiltrated data from the Australian firm. The group has not disclosed specific details of the intrusion, including initial access vector, dwell time, or the volume of data taken. SafePay set a countdown timer threatening to leak the allegedly stolen data in just over two days from the time of reporting, applying the standard double-extortion pressure tactic to force payment. Energy Action has yet to publicly confirm or deny the breach, and Cyber Daily reported it has reached out to the company without receiving a response.

What Was Taken

SafePay has not published samples or a manifest of the allegedly stolen data, leaving the exact scope unknown. As an energy management and consulting firm serving Australian businesses, Energy Action would typically hold sensitive client information including commercial energy consumption data, contract details with retailers, procurement strategy documents, billing records, and corporate sustainability reporting tied to net-zero commitments. Any leak could expose competitive procurement intelligence, client identities across multiple sectors, and internal financial and HR records typical of a consulting practice.

Why It Matters

Energy Action sits in a sensitive position in the Australian energy ecosystem, advising businesses on consumption patterns, retailer contracts, and emissions strategy. A breach of an energy advisory firm provides attackers with downstream visibility into the energy posture of numerous Australian corporates, creating both extortion leverage against the consulting firm itself and potential follow-on targeting risk for its client base. The incident reinforces an ongoing pattern of ransomware operators prioritising critical-infrastructure-adjacent targets, where regulatory scrutiny, contractual confidentiality obligations, and client trust amplify pressure to pay. It is also the second confirmed Australian SafePay victim in recent weeks following Genealogy SA.

The Attack Technique

SafePay has not disclosed the initial access vector or tooling used in the Energy Action incident. The group, first observed in October 2024, has historically been associated with intrusions leveraging compromised VPN and RDP credentials, exploitation of unpatched perimeter devices, and rapid post-compromise lateral movement before deploying its encryptor. SafePay publicly states it is not a ransomware-as-a-service operation, suggesting a closed affiliate model with tighter operational discipline. Since emerging, the group has claimed more than 450 victims across Australia, the UK, US, Italy, New Zealand, Canada, Belgium, Brazil, Germany, Barbados, and Argentina.

What Organizations Should Do

  1. Audit external-facing VPN, RDP, and remote management interfaces, enforcing MFA and disabling any legacy authentication paths that SafePay-aligned intrusions have historically abused.
  2. Patch perimeter appliances (firewalls, VPN concentrators, file transfer products) on an accelerated cycle and confirm no known-exploited vulnerabilities remain exposed.
  3. Hunt for SafePay tradecraft indicators including suspicious ShareFinder activity, abnormal use of PowerShell and PsExec, and unusual archive creation via WinRAR or 7-Zip preceding exfiltration.
  4. Segment consulting and client-facing environments from internal corporate networks to limit blast radius if an advisory firm or partner is compromised.
  5. Validate offline, immutable backups and rehearse restoration of critical billing, contract, and client data systems under a ransomware scenario.
  6. Brief executive and legal teams on Australian mandatory data breach notification obligations under the Privacy Act so disclosure timelines are pre-agreed if extortion materialises.
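
The hunt in step 3 can be expressed as a correlation over process-creation telemetry. The following is an added example, not code from the source report: it tags ShareFinder, PsExec, and WinRAR/7-Zip archive-creation events and marks a host when archiving follows discovery or PsExec activity. The event field names, hosts, paths, and the 24-hour window are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta
from ntpath import basename  # parse Windows paths on any OS

# Constructed process-creation events (Sysmon Event ID 1 style); all values are made up.
EVENTS = [
    {"host": "FS01", "time": "2026-05-01T02:10:00",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Users\Public\ShareFinder.ps1"},
    {"host": "FS01", "time": "2026-05-01T02:40:00",
     "image": r"C:\Users\Public\PsExec.exe", "cmd": r"PsExec.exe \\FS02 cmd.exe"},
    {"host": "FS01", "time": "2026-05-01T03:05:00",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmd": r"7z.exe a -tzip C:\ProgramData\out.zip D:\Clients"},
    {"host": "WS07", "time": "2026-05-01T09:00:00",
     "image": r"C:\Program Files\7-Zip\7z.exe", "cmd": r"7z.exe x C:\Temp\report.zip"},
    {"host": "WS09", "time": "2026-05-01T10:00:00",
     "image": r"C:\Program Files\WinRAR\Rar.exe", "cmd": r"Rar.exe a backup.rar docs"},
]

ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}
PSEXEC = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
RULES = {
    "share_discovery": lambda img, cmd: "sharefinder" in cmd,
    "psexec": lambda img, cmd: img in PSEXEC,
    # "a" is the add-to-archive command for both rar and 7z; extraction is ignored
    "archive_create": lambda img, cmd: img in ARCHIVERS and bool(re.search(r"\sa\s", cmd)),
}

def classify(event):
    """Return the rule names matched by one process-creation event."""
    img, cmd = basename(event["image"]).lower(), event["cmd"].lower()
    return [name for name, rule in RULES.items() if rule(img, cmd)]

def hunt(events, window=timedelta(hours=24)):
    """Return {host: {"hits": [(time, tag)], "staging_chain": bool}}."""
    report = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        for tag in classify(ev):
            entry = report.setdefault(ev["host"], {"hits": [], "staging_chain": False})
            # Archive creation shortly after discovery or PsExec on the same host
            if tag == "archive_create" and any(
                    t != "archive_create" and when - w <= window for w, t in entry["hits"]):
                entry["staging_chain"] = True
            entry["hits"].append((when, tag))
    return report

if __name__ == "__main__":
    for host, entry in hunt(EVENTS).items():
        print(host, entry["staging_chain"], [t for _, t in entry["hits"]])
```

Single-rule hits such as a lone archive job are common in normal administration; the correlated `staging_chain` flag is the higher-priority signal to triage.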

Sources: Exclusive: Australian energy management firm allegedly breached by SafePay - Cyber Daily