Australian environmental, social science, and engineering consultancy Earth Systems has been listed on the INC Ransom darknet leak site, with the group claiming exfiltration of at least 600 gigabytes of corporate data. The listing, first reported by Cyber Daily on 12 May 2026, was published to the group's leak portal on 7 May and has already been accompanied by proof samples including tax invoices, NDAs, client contracts, and mining project documentation.

What Happened

On 7 May 2026, an INC Ransom affiliate added Victoria-based Earth Systems to the group's dedicated leak site. The post claims the operators exfiltrated "full corp data nda client contract project" information totaling roughly 600GB. The affiliate has indicated the dataset will be released in three tranches, though only the size of the first batch has been disclosed. No ransom demand figure has been made public, but a countdown of approximately 12 days has been set before the next leak stage. Earth Systems has not yet issued a public response, and Cyber Daily reports that requests for comment remain unanswered.

What Was Taken

INC Ransom has published more than a dozen document scans and file directory screenshots as proof of compromise. Confirmed sample content includes:

Because Earth Systems consults for major extractive-industry clients, the stolen documents reference several third-party global entities, particularly in the mining sector. This significantly extends the breach blast radius beyond Earth Systems itself, exposing project-sensitive information for downstream customers.

Why It Matters

Earth Systems operates internationally as an advisor on environmental management, water resources, mine closure, and social impact, meaning its file shares double as a repository of sensitive technical and commercial intelligence for some of the largest resource projects globally. A 600GB leak involving NDAs and impact assessments creates immediate downstream risk for clients whose proprietary site data, regulatory exposure, and contractual terms may now reach competitors or activists, or be used for follow-on extortion. The staged three-part release model also signals an extended pressure campaign, increasing the likelihood that initial samples are designed to coerce payment before the most damaging records surface.

The Attack Technique

INC Ransom and its affiliates have historically gained initial access through phishing, exploitation of public-facing applications (notably Citrix NetScaler and edge VPN appliances), and the use of valid credentials purchased from initial access brokers. Post-compromise tradecraft typically includes living-off-the-land tooling, AnyDesk or similar remote management software for persistence, and bulk exfiltration via WinSCP, MEGAsync, or Rclone prior to encryption. The Earth Systems listing does not specify an intrusion vector, and it remains unclear whether encryption was deployed alongside data theft or whether this is a pure extortion event.

INC Ransom Group Context

First observed in August 2023, INC Ransom has now claimed 798 victims and has climbed the leaderboard of active extortion operators in recent weeks, moving up from fifth most active. The brand operates a Ransomware-as-a-Service model, with affiliates conducting intrusions and the operators running the leak infrastructure and negotiation portals. The group has shown a pattern of targeting professional services, healthcare, and consulting firms holding sensitive third-party data, where extortion leverage is amplified by client confidentiality obligations.

What Organizations Should Do

  1. Audit edge appliances now. Patch and review logs for Citrix, Fortinet, SonicWall, and VPN concentrators commonly abused by INC affiliates for initial access.
  2. Hunt for unauthorised RMM tooling. Block or alert on AnyDesk, ScreenConnect, Atera, and Splashtop installations not sanctioned by IT.
  3. Monitor outbound transfer tooling. Detect Rclone, MEGAsync, and WinSCP execution from servers and unusual large egress flows to cloud storage providers.
  4. Enforce phishing-resistant MFA on all remote access, privileged accounts, and email, and rotate credentials exposed in any historical infostealer logs.
  5. Engage downstream clients proactively if your organization shares data with Earth Systems or holds joint mining project documentation, and pre-position legal and PR responses ahead of the next leak tranche.
  6. Validate offline, immutable backups and rehearse a data-extortion-only playbook, since INC operations increasingly favour theft over encryption.
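
Steps 2 and 3 can be prototyped as a triage pass over process-creation telemetry. The sketch below is an added example, not code from Cyber Daily or any vendor; it assumes Sysmon Event ID 1 field names, and the hostnames, allowlist, server inventory, and sample events are constructed for illustration.

```python
import ntpath

# Tool names come from the article; matching them as substrings of the
# executable name is an assumption about how the binaries are named.
RMM_TOOLS = ("anydesk", "screenconnect", "atera", "splashtop")
TRANSFER_TOOLS = ("rclone", "megasync", "winscp")
SANCTIONED_RMM = {"splashtop"}   # hypothetical IT allowlist
SERVERS = {"FS01"}               # hypothetical server inventory

# Constructed process-creation events using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"Computer": "WS14", "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "OriginalFileName": "AnyDesk.exe"},
    {"Computer": "WS22", "Image": r"C:\Program Files\Splashtop\SplashtopStreamer.exe",
     "OriginalFileName": "SplashtopStreamer.exe"},
    {"Computer": "FS01", "Image": r"C:\ProgramData\svchost32.exe",
     "OriginalFileName": "rclone.exe"},
    {"Computer": "WS30", "Image": r"C:\Tools\WinSCP.exe",
     "OriginalFileName": "winscp.exe"},
]

def match_tool(event, keywords):
    # Returns (tool, renamed) when the file name or PE OriginalFileName matches.
    on_disk = ntpath.basename(event.get("Image", "")).lower()
    original = (event.get("OriginalFileName") or "").lower()
    for tool in keywords:
        if tool in on_disk:
            return tool, False
        if tool in original:
            return tool, True  # binary was renamed on disk
    return None

def triage(event):
    # RMM allowlist check first, then the transfer-tool check.
    host = event.get("Computer", "").upper()
    hit = match_tool(event, RMM_TOOLS)
    if hit and hit[0] not in SANCTIONED_RMM:
        return {"host": host, "rule": "unsanctioned_rmm", "tool": hit[0],
                "renamed": hit[1], "severity": "high"}
    hit = match_tool(event, TRANSFER_TOOLS)
    if hit:  # servers and renamed binaries are the higher-confidence cases
        severity = "high" if host in SERVERS or hit[1] else "medium"
        return {"host": host, "rule": "transfer_tool", "tool": hit[0],
                "renamed": hit[1], "severity": severity}
    return None

def hunt(events):
    return [finding for finding in map(triage, events) if finding]

if __name__ == "__main__":
    print(*hunt(SAMPLE_EVENTS), sep="\n")
```

Substring matching will also hit unrelated binaries whose names contain a keyword, so findings are leads for review rather than verdicts.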

Sources: Exclusive: Aussie firm Earth Systems listed by INC Ransom hacking group - Cyber Daily