On June 2, 2026, the SafePay ransomware group publicly claimed responsibility for a cyberattack against IQL-Nog (iql-nog.com), a leading Spanish producer of oleochemical products. The group has issued a ransom demand and threatened to publish exfiltrated data on its leak site unless the company opens negotiations through SafePay's designated channels.
What Happened
SafePay added IQL-Nog to its dark web leak portal on June 2, 2026, accompanied by a coercive statement: "The full leak will be published soon, unless a company representative contacts us via the channels provided." The listing follows SafePay's established double-extortion playbook, in which victims are pressured both by encryption of operational systems and by the threat of public data disclosure. IQL-Nog operates in Spain's industrial chemistry sector, manufacturing oleochemical derivatives used across cosmetics, lubricants, and food-grade applications, placing the company within the broader European industrial supply chain that ransomware affiliates have increasingly prioritized throughout 2026.
What Was Taken
SafePay has not yet published sample files or a detailed inventory of the stolen data, a tactic the group typically uses to maximize negotiating leverage during the pre-leak countdown window. Based on the operator's prior victim postings, exfiltrated archives commonly include production formulations and proprietary chemical specifications, financial records and accounting exports, employee personal data and HR documentation, customer and supplier contracts, and internal email correspondence. The full scope of the IQL-Nog breach is expected to surface either through partial sample drops in the coming days or, failing payment, a complete dump on SafePay's onion-hosted blog.
Why It Matters
The targeting of an oleochemical producer underscores SafePay's continued focus on mid-market industrial manufacturers across Europe, where operational technology dependencies make production downtime particularly costly and ransom payment more likely. Spain has emerged as a recurring jurisdiction in SafePay's victim distribution, alongside Germany and the United Kingdom. For defenders in the chemical and process manufacturing verticals, the incident reinforces the convergence of IT and OT risk: a ransomware intrusion that begins in corporate email or VPN infrastructure can quickly degrade plant operations, disrupt downstream customers, and expose sensitive intellectual property tied to proprietary chemical processes.
The Attack Technique
SafePay has not disclosed the specific initial access vector used against IQL-Nog. The group's operators have historically relied on exposed Remote Desktop Protocol endpoints, compromised VPN credentials harvested from infostealer logs, and the exploitation of unpatched perimeter devices. Once inside, SafePay affiliates typically disable endpoint defenses, abuse legitimate administrative tools such as PsExec and PowerShell for lateral movement, and stage data exfiltration through cloud storage services or WinRAR archives before deploying the encryptor. The group's binary is known to append the .safepay extension and drop a ransom note named readme_safepay.txt across affected hosts.
What Organizations Should Do
Defenders in the chemical, manufacturing, and broader European industrial sectors should treat this incident as a prompt for the following actions:
- Audit external exposure: Inventory all internet-facing RDP, VPN, and remote management services, disable what is not strictly required, and place the rest behind MFA and conditional access controls.
- Hunt for infostealer exposure: Cross-reference corporate domains against stealer log marketplaces and known SafePay precursor indicators to identify credentials already in circulation.
- Validate offline backups: Confirm that critical system and production data backups are immutable, segregated from domain authentication, and recoverable within documented RTO windows.
- Segment IT and OT networks: Enforce strict boundaries between corporate IT and plant control systems to prevent ransomware from cascading into operational technology.
- Update incident response playbooks: Pre-engage external counsel, forensic responders, and ransomware negotiators so decisions are not made under live extortion pressure.
- Deploy behavioral detections: Tune EDR for known SafePay TTPs, including shadow copy deletion, service stoppage of antivirus processes, and bulk file rename events characteristic of the encryption routine.
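The bulk-rename and ransom-note detection from the last item, as an added example that is not part of the original article or any vendor's tooling. The pipe-delimited event format, the 60-second window and the threshold of 5 are assumptions chosen for the constructed sample; only the .safepay extension and the readme_safepay.txt note name come from the article.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

EXT = ".safepay"                 # encrypted-file extension named in the article
NOTE = "readme_safepay.txt"      # ransom note name named in the article
WINDOW = timedelta(seconds=60)   # assumed tuning value
THRESHOLD = 5                    # assumed tuning value, kept low for the sample

# Constructed sample telemetry: timestamp|host|action|path|new_path
SAMPLE = r"""
2026-06-02T03:14:01|FS01|rename|D:\fin\q1.xlsx|D:\fin\q1.xlsx.safepay
2026-06-02T03:14:02|FS01|rename|D:\fin\q2.xlsx|D:\fin\q2.xlsx.safepay
2026-06-02T03:14:02|WS07|rename|C:\tmp\a.doc|C:\tmp\a.doc.bak
2026-06-02T03:14:03|FS01|rename|D:\hr\staff.csv|D:\hr\staff.csv.safepay
2026-06-02T03:14:04|FS01|rename|D:\hr\pay.csv|D:\hr\pay.csv.safepay
2026-06-02T03:14:05|FS01|rename|D:\ops\plan.pdf|D:\ops\plan.pdf.safepay
2026-06-02T03:14:09|FS01|create|D:\ops\readme_safepay.txt|
2026-06-02T03:20:00|WS07|rename|C:\lab\x.txt|C:\lab\x.txt.safepay
2026-06-02T03:40:00|WS07|rename|C:\lab\y.txt|C:\lab\y.txt.safepay
""".strip().splitlines()

def detect(lines):
    """Return (host, kind, timestamp) alerts for note drops and rename bursts."""
    recent = defaultdict(deque)  # host -> timestamps of recent .safepay renames
    flagged = set()              # hosts already alerted for a rename burst
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts_raw, host, action, path, new_path = line.split("|")
        ts = datetime.fromisoformat(ts_raw)
        if action == "create" and path.lower().rsplit("\\", 1)[-1] == NOTE:
            alerts.append((host, "ransom_note", ts))
        elif action == "rename" and new_path.lower().endswith(EXT):
            q = recent[host]
            q.append(ts)
            while ts - q[0] > WINDOW:   # drop renames outside the sliding window
                q.popleft()
            if len(q) >= THRESHOLD and host not in flagged:
                flagged.add(host)
                alerts.append((host, "bulk_rename", ts))
    return alerts

if __name__ == "__main__":
    for host, kind, ts in detect(SAMPLE):
        print(f"{ts.isoformat()} {host} {kind}")
```

WS07's two isolated .safepay renames, 20 minutes apart, stay below the threshold, which shows why the window matters: a single matching rename is weak evidence, a burst on one host is not.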
Sources: SafePay Ransomware Strikes IQL-Nog in Spain - DeXpose