Attack alert: SafePay targets barnet.com.au - AU
Introduction
On December 5, 2025, the SafePay ransomware group claimed responsibility for a cyberattack against Barnet, an Australian industrial equipment distributor established in 1946. With revenues exceeding AU$100 million and a team of 100 to 250 employees, the Australia-based company faced a SIGNAL-level breach according to the XC-Classify methodology. This intrusion potentially threatens the B2B customer data, inventories, and critical ERP systems of this industrial distribution organization.
The attack comes as the industrial distribution sector in Australia becomes a prime target for malicious actors, who exploit its growing reliance on digital systems for supply chain management. Data certified on the Polygon blockchain via the XC-Audit protocol confirms the authenticity of this claim, ensuring immutable traceability of the incident.
Detailed analysis
Analysis of extracted metadata reveals that SafePay continues its offensive activity against industrial sector organizations, specifically targeting critical distribution infrastructure. This compromise raises urgent questions about the resilience of information systems in the Australian B2B ecosystem, where interconnections between suppliers and customers create extensive attack surfaces.
SafePay is an active malicious actor in the ransomware ecosystem, maintaining a consistent presence in the cyber threat landscape. The cybercriminal collective operates according to a double extortion model, combining system encryption with the threat of publishing exfiltrated data to maximize pressure on victims.
A review of SafePay's previous campaigns shows a marked preference for industrial sector organizations, where operational disruptions quickly generate significant financial losses. Attackers typically exploit vulnerabilities in internet-exposed systems, including poorly secured RDP access and outdated web applications.
The group's modus operandi favors a methodical approach: initial reconnaissance of target infrastructures, compromise of privileged access, lateral movement within the network, and then mass exfiltration of data before the ransomware is deployed. This strategy allows cybercriminals to maximize their negotiating leverage by simultaneously holding the decryption keys and sensitive data.
Full analysis of the SafePay group reveals that the malicious actor maintains a dedicated leak infrastructure to publish the data of victims who refuse to pay the ransom. The deadlines granted generally range from 7 to 14 days, creating intense time pressure on the compromised organizations.
SafePay's previous victims are primarily from the manufacturing, logistics, and distribution sectors, suggesting a deliberate sector specialization. This focus allows the group to develop in-depth expertise in ERP systems, WMS, and other business applications critical to these industries.
Founded in 1946, Barnet has established itself as a major distributor of industrial and electrical equipment in the Australian market. With nearly 80 years of history, the company has developed an extensive network of B2B customers across Australia, managing complex inventories and multiple supply chains.
The organization employs between 100 and 250 people and generates annual revenue exceeding AU$100 million, demonstrating its importance within the country's industrial distribution ecosystem. Its established market presence involves extensive business relationships with international manufacturers and local industrial customers.
Barnet's information systems likely include Enterprise Resource Planning (ERP) platforms for managing orders, inventory, and invoicing, as well as customer databases containing sensitive contractual and commercial information. This digital infrastructure forms the operational backbone of the company, making any disruption particularly critical.
The Barnet breach poses a significant risk to its B2B ecosystem, where business partners could see their contractual information, purchase volumes, and pricing terms exposed. In the industrial distribution sector, this data constitutes strategic assets, and its disclosure could affect competitive positions.
The SIGNAL classification, based on the XC-Classify methodology, indicates confirmed data exposure, but the exact nature and volume are still being analyzed by our teams. This level suggests that SafePay did indeed exfiltrate information from Barnet's systems, without immediate details on the specific data categories involved.
Our analysis of verified claims reveals that ransomware groups targeting the industrial distribution sector typically prioritize the exfiltration of customer databases, financial files, commercial contracts, and operational data. This information has high market value and provides effective leverage against victims.
The initial attack vector remains under investigation, but breaches in the industrial sector frequently result from exposed RDP access without multi-factor authentication, unpatched vulnerabilities in web applications, or phishing campaigns targeting privileged employees. Barnet's decades-old digital infrastructure may contain vulnerable legacy components.
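As a defender-side illustration of the exposed-RDP vector mentioned above, the following added example (not part of the original alert) flags successful RDP logons from external addresses and notes whether failed attempts preceded them. The event field names and the sample records are constructed assumptions; event IDs 4624/4625 and logon type 10 (RemoteInteractive) are the standard Windows Security log values.

```python
import ipaddress
from collections import defaultdict

# Address space treated as internal (RFC 1918, loopback, link-local, ULA).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample: Security events reduced to the fields used here.
# Source addresses come from documentation ranges, not real hosts.
EVENTS = [
    {"time": f"2025-11-02T01:1{i}:00", "id": 4625, "type": 3,
     "ip": "203.0.113.7", "user": "svc_backup"} for i in range(6)
] + [
    {"time": "2025-11-02T01:16:00", "id": 4624, "type": 10,
     "ip": "203.0.113.7", "user": "svc_backup"},
    {"time": "2025-11-02T08:30:00", "id": 4624, "type": 10,
     "ip": "10.1.2.3", "user": "jsmith"},          # internal admin session
    {"time": "2025-11-02T09:00:00", "id": 4624, "type": 10,
     "ip": "198.51.100.20", "user": "jsmith"},     # external, no failures
    {"time": "2025-11-02T09:05:00", "id": 4624, "type": 2,
     "ip": "-", "user": "jsmith"},                 # console logon, no address
]

def is_external(ip):
    """True when the source address parses and is outside INTERNAL."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # "-" or empty value on local logons
        return False
    return not any(addr in net for net in INTERNAL)

def external_rdp_findings(events, fail_threshold=5):
    """Return one finding per successful RDP logon from an external address."""
    failures = defaultdict(int)   # failed logons seen so far, per source IP
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_external(ev["ip"]):
            continue
        if ev["id"] == 4625:
            failures[ev["ip"]] += 1
        elif ev["id"] == 4624 and ev["type"] == 10:
            prior = failures[ev["ip"]]
            findings.append({"time": ev["time"], "ip": ev["ip"],
                             "user": ev["user"], "prior_failures": prior,
                             "guessing_suspected": prior >= fail_threshold})
    return findings

if __name__ == "__main__":
    for finding in external_rdp_findings(EVENTS):
        print(finding)
```

Any finding at all means RDP is reachable from outside the internal ranges; `guessing_suspected` separates logons that followed a run of failures from those that did not.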
The incident timeline indicates a public claim of responsibility on December 5, 2025, but the initial compromise may have occurred several weeks prior. Malicious actors typically maintain a prolonged, covert presence on compromised networks to maximize data exfiltration before the ransomware is deployed.
Under the XC criticality levels, the SIGNAL level is an early indicator requiring ongoing monitoring. The progression to MINIMAL, PARTIAL, or FULL levels will depend on subsequent analysis and any data releases by SafePay.
The risks to the exposed data include the fraudulent use of business information, targeted phishing attacks against Barnet customers using legitimate data, and the exploitation of contract information by competitors. B2B partners should anticipate social engineering attempts exploiting this compromise.
The industrial distribution sector in Australia faces increasing exposure to cyberattacks, as interconnected systems create cascading vulnerabilities. A compromise at a major distributor like Barnet can affect the entire supply chain, from manufacturers to end customers.
Australian regulations impose strict obligations through the Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme, requiring notification to authorities and affected individuals in the event of a breach likely to cause significant harm. Barnet has 30 days to assess the incident and notify the Office of the Australian Information Commissioner (OAIC).
Other attacks in the industrial distribution sector reveal a worrying trend: distributors are becoming prime targets because their compromise provides indirect access to multiple client organizations. Cybercriminals exploit this central position within B2B ecosystems.
Similar companies in the sector should anticipate the risk of a chain reaction, as SafePay and other groups could exploit information obtained from Barnet to target its business partners. Exfiltrated data often reveals contractual relationships, systems used, and security practices, facilitating subsequent attacks.
Precedents in the sector show that operational disruptions at distributors quickly generate shortages for industrial customers, creating significant economic pressure. This dynamic explains why malicious actors favor these targets, anticipating higher ransom payment rates.
Thanks to the XC-Audit protocol, this attack is certified on the Polygon blockchain, guaranteeing immutable and verifiable traceability, unlike traditional centralized systems. The cryptographic hash of the claim allows any interested party to verify the authenticity and timestamp of the incident.
Frequently Asked Questions
When did the attack by SafePay on barnet.com.au occur?
The attack occurred on December 5, 2025 and was claimed by SafePay.
Who is the victim of SafePay?
The victim is barnet.com.au, which operates in the industrial distribution sector. The company is located in Australia.
What is the XC protocol level for the attack on barnet.com.au?
The XC protocol level is currently at XC SIGNAL status, meaning the attack on barnet.com.au has been claimed by SafePay but has not yet been confirmed by our community.
Conclusion
This blockchain certification offers unprecedented transparency in the documentation of cyberattacks. Organizations, researchers, and authorities can consult the cryptographic evidence without relying on intermediaries, eliminating the risk of manipulation or falsification of incident data.