Disaster recovery and property restoration giant BELFOR has confirmed that the INC Ransom group breached the IT infrastructure supporting all BELFOR entities across Asia on April 16, 2026. The incident, formally disclosed in a final report published on June 5, 2026, resulted in the theft of personally identifiable information (PII) and sensitive business records, prompting the company to permanently decommission the compromised environment and rebuild from scratch.
What Happened
On April 16, 2026, BELFOR identified a security incident affecting the IT infrastructure of all BELFOR entities operating in Asia. The threat actor was identified as INC Ransom, a well-known extortion-focused ransomware operation that announced the theft on its dark web leak blog. According to BELFOR's final report, there is no confirmed evidence at this stage that the exfiltrated data has been disseminated or misused beyond the initial publication on the gang's leak site.
Upon confirming the compromise, BELFOR took the unusual but decisive step of permanently shutting down the affected systems on the same day. Those systems will not be returned to service. Instead, the company rebuilt its entire Asian IT environment from scratch, with no reuse of any compromised components. The new environment is being managed by BELFOR Europe GmbH, the ISO/IEC 27001-certified parent company of BELFOR (Asia) Pte Ltd.
What Was Taken
The leaked dataset, as posted by INC Ransom and acknowledged by BELFOR, contains two primary categories of data:
- Personally identifiable information (PII) belonging to individuals associated with BELFOR's Asia operations, which likely includes employee and customer records.
- Business-related information, including damage documentation and site photographs tied to BELFOR's disaster restoration projects across the region.
While BELFOR has not publicly quantified the volume of stolen data, the inclusion of site photographs and damage documentation is notable. As a property restoration and disaster recovery firm, BELFOR holds detailed records about client premises, insurance claims, and post-incident remediation that could expose customers to follow-on social engineering or physical security risk.
Why It Matters
BELFOR is one of the largest disaster recovery and property restoration firms in the world, serving commercial, industrial, and residential clients in the aftermath of fire, flood, and storm events. A compromise of this scale carries several strategic implications:
- Supply chain exposure. BELFOR's clients are, by definition, organizations recovering from crises. Leaked documentation could reveal facility layouts, security weaknesses, and recovery procedures of downstream victims.
- Insurance and claims ecosystem risk. Damage documentation and photographs frequently feed insurance workflows. Threat actors holding this data have a ready-made target list for fraud and impersonation.
- INC Ransom's growth trajectory. The group continues to demonstrate the capability to compromise multinational enterprises with regional IT environments, mirroring tactics seen in attacks on healthcare, manufacturing, and professional services across 2025 and 2026.
- Bold remediation precedent. BELFOR's decision to permanently retire the compromised environment rather than restore it sets a noteworthy benchmark for incident response in cases where trust in the underlying infrastructure cannot be re-established.
The Attack Technique
BELFOR's final report does not disclose the initial access vector, the specific malware family deployed, or the dwell time before detection. INC Ransom, however, is known for the following tradecraft observed in prior intrusions:
- Exploitation of internet-facing edge devices, VPN appliances, and unpatched remote access services.
- Use of compromised credentials sourced from infostealer logs or initial access brokers.
- Heavy reliance on legitimate administrative tools (PsExec, AnyDesk, PowerShell) for lateral movement.
- Exfiltration prior to encryption, with extortion driven primarily by the threat of public leak rather than operational disruption.
The fact that BELFOR opted to fully rebuild rather than remediate in place suggests the intrusion achieved deep, persistent access across the regional environment, likely including identity infrastructure.
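As an added defensive illustration, not drawn from BELFOR's report or from any INC Ransom tooling, the Python sketch below turns the three hands-on-keyboard behaviours listed above (PsExec service installs, AnyDesk launched from unusual paths, encoded or hidden-window PowerShell) into detection rules and then correlates flagged activity per account across hosts as a lateral-movement signal. The sample events, hostnames, usernames and field names are constructed for this example and would need mapping to a real SIEM schema.

```python
import re
from collections import defaultdict
from typing import Optional
# Constructed sample events in a simplified key=value format. Hosts, users and
# timestamps are invented; they are not BELFOR telemetry or INC Ransom IOCs.
SAMPLE_EVENTS = [
    'ts=2026-04-16T02:11:05Z host=ASIA-FS01 event=7045 service=PSEXESVC '
    'image="C:\\Windows\\PSEXESVC.exe" user=ASIA\\svc-backup',
    'ts=2026-04-16T02:13:40Z host=ASIA-FS01 event=4688 user=ASIA\\svc-backup '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell -nop -w hidden -enc SQBFAFgA"',
    'ts=2026-04-16T02:20:12Z host=ASIA-DC02 event=7045 service=PSEXESVC '
    'image="C:\\Windows\\PSEXESVC.exe" user=ASIA\\svc-backup',
    'ts=2026-04-16T02:25:00Z host=ASIA-WS17 event=4688 user=ASIA\\jdoe '
    'image="C:\\Users\\Public\\AnyDesk.exe" '
    'cmdline="AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"',
    'ts=2026-04-16T02:26:00Z host=ASIA-WS17 event=4688 user=ASIA\\jdoe '
    'image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe"',
]

def parse_event(line: str) -> dict:
    """Split a key=value line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def classify(ev: dict) -> Optional[str]:
    """Map one event to a tradecraft label from the list above, or None."""
    image, cmd = ev.get("image", "").lower(), ev.get("cmdline", "").lower()
    # System log event 7045 (new service) named PSEXESVC is PsExec's server side.
    if ev.get("event") == "7045" and ev.get("service", "").upper() == "PSEXESVC":
        return "psexec-service-install"
    # AnyDesk is legitimate software; flag it only outside its normal install path.
    if image.endswith("anydesk.exe"):
        return None if image.startswith("c:\\program files") else "anydesk-unusual-path"
    # Encoded or hidden-window PowerShell is a common hands-on-keyboard pattern.
    if image.endswith("powershell.exe") and ("-enc" in cmd or "-w hidden" in cmd):
        return "powershell-encoded-or-hidden"
    return None

def detect(events) -> list:
    """Return (host, user, technique) tuples for every event that matches a rule."""
    return [(ev["host"], ev["user"], t)
            for ev in map(parse_event, events) if (t := classify(ev))]

def lateral_movement_users(findings, min_hosts: int = 2) -> dict:
    """Accounts whose flagged activity spans several hosts: a lateral-movement signal."""
    hosts = defaultdict(set)
    for host, user, _ in findings:
        hosts[user].add(host)
    return {u: h for u, h in hosts.items() if len(h) >= min_hosts}
```

Running `lateral_movement_users(detect(SAMPLE_EVENTS))` on the constructed events surfaces the service account whose PsExec activity touches two hosts, which is the kind of signal that should trigger an identity-level investigation rather than a single-host cleanup.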
What Organizations Should Do
Defenders, particularly those operating in professional services, insurance, and restoration verticals, should take the following steps in response:
- Hunt for INC Ransom indicators. Review threat intelligence feeds for the latest IOCs associated with INC Ransom, including known command-and-control infrastructure and tooling hashes, and sweep environments for matches.
- Audit edge and remote access exposure. Inventory VPN concentrators, firewalls, and remote access gateways. Patch aggressively and require phishing-resistant MFA on all external authentication paths.
- Segment regional IT estates. Multinational organizations should avoid flat trust relationships between regional environments. Compartmentalization limits blast radius when one region is compromised.
- Validate offline, immutable backups. Confirm that backups exist outside the production identity boundary and that restoration procedures have been tested against a full-environment-loss scenario.
- Plan for rebuild, not just recovery. Develop and exercise playbooks that include the option of standing up a clean environment from scratch when compromise depth makes remediation untenable.
- Notify and protect downstream clients. Restoration and professional services firms holding sensitive client data should proactively warn customers whose project records may be in the leaked dataset and watch for targeted phishing or fraud.