The INC Ransom group has added BELFOR Asia to its dark web leak site, claiming exfiltration of 430GB of data spanning the disaster recovery firm's regional operations. The listing, surfaced by RedPacket Security on April 27, 2026, names BELFOR (Asia) Pte Ltd in Singapore and RecoveryPro Ltd in Japan, with claimed impact across six APAC markets. Note: RedPacket Security flags INC Ransom listings as historically prone to unverified or fabricated victim claims, so this entry should be treated as unconfirmed pending corroboration.
What Happened
INC Ransom posted BELFOR to its extortion blog, advertising a multi-national compromise of the firm's Asia-Pacific arm. The leak page identifies two named corporate entities, BELFOR (Asia) Pte Ltd headquartered in Singapore and RecoveryPro Ltd in Japan, and asserts a regional operational footprint spanning Singapore, Japan, Korea, Taiwan, Thailand, and Malaysia. The actor claims to be holding 430GB of exfiltrated data and has signaled a forthcoming public release, the standard double-extortion tactic used to pressure victims who refuse to pay. BELFOR is one of the world's largest property restoration and disaster recovery providers, giving any genuine breach outsized downstream exposure.
What Was Taken
According to the leak post, the stolen archive includes non-disclosure agreements, scanned passports, employee privacy files, employment contracts and HR records, health information, and a wide range of finance and payroll documents. The actor also claims to hold IT infrastructure and development materials, internal project records, building drawings, photographs of damage assessments, and internal operational documentation. Most strategically sensitive is the post's list of prominent enterprise clients allegedly represented in the dataset, including Mitsubishi, Samsung, Toyota, Kawasaki Motors, Sony Technology, Fujifilm Business Innovation, Siemens, Seiko, and Nissan. If genuine, the corpus blends regulated personal data with commercial-in-confidence client engagement records.
Why It Matters
Disaster recovery and property restoration firms sit deep inside their clients' physical and operational footprints, often holding floor plans, security system layouts, incident reports, and post-loss damage documentation for blue-chip manufacturers. A confirmed compromise of BELFOR Asia would expose not only BELFOR's own employees and finances but also a rich trove of third-party client intelligence useful for follow-on targeting of named manufacturers across Japanese and Korean industrial supply chains. Scanned passports and employee privacy files raise immediate PDPA, APPI, and PIPA regulatory exposure across the listed jurisdictions. Even if the listing proves exaggerated, the named client roster makes this a notable supply chain signal for incident responders at the listed brands.
The Attack Technique
INC Ransom has not disclosed an initial access vector for this incident. The group's known tradecraft includes exploitation of internet-facing vulnerabilities in Citrix NetScaler and similar edge appliances, abuse of valid credentials obtained via phishing or infostealer logs, and use of legitimate administrative tooling such as AnyDesk, PsExec, and MEGA for lateral movement and exfiltration before deploying their Linux and Windows ransomware payloads. Data theft consistently precedes encryption, supporting the double-extortion model evident in this listing. No indicators of compromise specific to BELFOR have been published.
What Organizations Should Do
- BELFOR clients in the listed APAC markets should engage their account teams to confirm what client documentation may have been held by the affected entities and assess exposure of building plans, NDAs, and incident records.
- Hunt for INC Ransom TTPs in your environment: unusual NetScaler and edge appliance authentications, AnyDesk or PsExec execution outside change windows, and large outbound transfers to MEGA or rclone-compatible endpoints.
- Treat the listing as a credible third-party risk signal until disproven, and review any active engagements or data-sharing arrangements with BELFOR Asia entities.
- Monitor staff and executive identities tied to BELFOR engagements for credential reuse, and rotate any shared access tokens, VPN credentials, or site-access codes provisioned to BELFOR personnel.
- Prepare regulatory notification playbooks for Singapore PDPA, Japan APPI, and Korea PIPA in the event client personal data appears in any subsequent leak release.
- Track INC Ransom's leak site for any partial sample drops, which typically precede full release and offer the earliest signal of which client materials are actually held.
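An added example, not part of the original report or the RedPacket Security listing: one way to script two of the hunts from the list above (AnyDesk/PsExec execution outside change windows, and high-volume egress to MEGA) over exported telemetry. The event field names, the tool and domain lists, the 1 GiB per host per day threshold, and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Assumed tuning values for this sketch; adjust to your own environment.
ADMIN_TOOLS = {"anydesk.exe", "psexec.exe", "psexec64.exe", "psexesvc.exe", "rclone.exe"}
MEGA_SUFFIXES = ("mega.nz", "mega.io", "mega.co.nz")
EGRESS_THRESHOLD = 1024**3  # bytes sent per host per day

def hunt_admin_tools(proc_events, change_windows):
    """Return (host, image, ts) for admin tools launched outside approved windows."""
    hits = []
    for ev in proc_events:
        ts = datetime.fromisoformat(ev["ts"])
        image = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        outside = not any(start <= ts < end for start, end in change_windows)
        if image in ADMIN_TOOLS and outside:
            hits.append((ev["host"], image, ev["ts"]))
    return hits

def is_mega(domain):
    # Match on a label boundary so lookalikes such as "notmega.nz" are not counted.
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in MEGA_SUFFIXES)

def hunt_mega_egress(flows, threshold=EGRESS_THRESHOLD):
    """Sum bytes_out per (host, day) to MEGA domains; return totals at or over threshold."""
    totals = defaultdict(int)
    for f in flows:
        if is_mega(f["dest"]):
            totals[(f["host"], f["ts"][:10])] += f["bytes_out"]
    return {k: v for k, v in totals.items() if v >= threshold}

# Constructed sample telemetry (not taken from the incident).
CHANGE_WINDOWS = [(datetime(2026, 4, 25, 22, 0), datetime(2026, 4, 26, 2, 0))]
PROC_EVENTS = [
    {"ts": "2026-04-25T23:10:00", "host": "srv-app01", "image": r"C:\Tools\PsExec64.exe"},
    {"ts": "2026-04-27T03:42:00", "host": "srv-fs02", "image": r"C:\Users\Public\AnyDesk.exe"},
    {"ts": "2026-04-27T03:50:00", "host": "srv-fs02", "image": r"C:\Windows\PSEXESVC.exe"},
]
FLOWS = [
    {"ts": "2026-04-27T04:05:00", "host": "srv-fs02", "dest": "gfs270n101.userstorage.mega.co.nz", "bytes_out": 900 * 1024**2},
    {"ts": "2026-04-27T04:30:00", "host": "srv-fs02", "dest": "g.api.mega.co.nz", "bytes_out": 300 * 1024**2},
    {"ts": "2026-04-27T09:00:00", "host": "wks-112", "dest": "notmega.nz", "bytes_out": 5 * 1024**3},
]

if __name__ == "__main__":
    print(hunt_admin_tools(PROC_EVENTS, CHANGE_WINDOWS))
    print(hunt_mega_egress(FLOWS))
```

Aggregating per host and day catches exfiltration split across many smaller uploads, which a per-connection size rule would miss.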
Sources: [INCRANSOM] - Ransomware Victim: BELFOR - RedPacket Security