Australian engineering solutions firm Metaval has been listed on the dark web leak site of the INC Ransom threat group, which claims to have exfiltrated 80 gigabytes of data from the company. The listing, which appeared over the weekend, threatens to publish the stolen data within roughly 24 hours. The incident was first reported by Cyber Daily on 19 May 2026, though no independent proof of compromise has yet been released and Metaval has not publicly confirmed the intrusion.
What Happened
INC Ransom, a Russian-speaking ransomware-as-a-service (RaaS) operation, added Metaval to its dark web extortion portal over the weekend of 17 to 18 May 2026. The post claims the operators have stolen 80GB of internal data and sets a publication countdown of just over one day, a pressure tactic consistent with the group's standard double-extortion playbook. At the time of reporting, the threat actors had not posted sample files or proof packs to substantiate the claim, and there is no public confirmation from Metaval regarding the scope, timing, or impact of the alleged intrusion.
Metaval is a global mechanical engineering and manufacturing firm headquartered in Australia, with operational footprints across the United Arab Emirates and India. The company supplies heavy-duty industrial equipment, precision-engineered components, and broader engineering services to critical infrastructure operators worldwide.
What Was Taken
INC Ransom claims to have exfiltrated 80GB of data from Metaval's environment. The specific contents of the dataset have not been disclosed by the threat actor and no samples have been published. Based on Metaval's line of business, data of likely interest to an extortion operator would include:
- Engineering drawings, CAD files, and proprietary precision component schematics
- Project documentation tied to critical infrastructure clients across Australia, the UAE, and India
- Supplier and customer contracts, pricing, and tendering material
- HR records, payroll, and identity documents for staff across multiple regions
- Internal financial records and accounting data
Until the deadline expires or a proof pack is released, the true sensitivity and exposure remain unverified.
Why It Matters
Metaval sits in the supply chain for critical infrastructure operators across at least three regions. A breach of an engineering services provider often carries downstream consequences that extend well beyond the victim itself, with attackers potentially gaining insight into client facilities, control system specifications, project schedules, and access pathways into operational technology (OT) environments.
INC Ransom has a track record of following through on its publication threats when negotiations stall, and the group's leak site has previously hosted full data dumps from manufacturing, healthcare, and government victims. Australian manufacturing and engineering firms have become an increasingly attractive target for ransomware operators in 2025 and 2026, driven by their mix of valuable intellectual property and historically uneven OT security maturity.
The Attack Technique
INC Ransom typically operates under a ransomware-as-a-service (RaaS) affiliate model and has been observed using spear-phishing as its primary initial access vector. Common follow-on tradecraft attributed to the group and its affiliates includes:
- Spear-phishing emails delivering loaders or harvesting credentials
- Exploitation of exposed remote access services, including unpatched VPN and Citrix appliances
- Use of legitimate administrative tooling (PsExec, WMI, PowerShell) for lateral movement
- Deployment of Cobalt Strike and other commodity post-exploitation frameworks
- Staged exfiltration to cloud storage services before encryption or data publication
The group's hallmark is double extortion: data theft first, followed by encryption and a public countdown on its leak portal to coerce payment.
What Organizations Should Do
Engineering, manufacturing, and critical infrastructure suppliers should treat the Metaval listing as a prompt to validate defences against INC Ransom tradecraft:
- Harden email and identity perimeters: enforce phishing-resistant MFA, deploy advanced email filtering, and run targeted phishing simulations for engineering and finance staff.
- Patch and inventory external attack surface: prioritise VPN concentrators, Citrix gateways, and any internet-exposed remote access, and decommission unused services.
- Hunt for known INC Ransom indicators: review EDR telemetry for anomalous PsExec, WMI, and PowerShell activity, and inspect outbound traffic to cloud storage providers for unusual volumes.
- Segment OT and engineering design networks from corporate IT, and enforce strict egress controls on systems holding CAD, PLM, and project data.
- Verify offline, immutable backups for all engineering and project repositories, and test restoration end to end.
- Engage third-party suppliers and clients connected to Metaval to assess any shared credentials, VPN trust relationships, or document exchange channels that may require rotation.
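As an added illustration of the hunting step above (this is constructed example code, not anything published by Metaval, Cyber Daily, or the article's author), the following script applies two simple checks to CSV-style telemetry: per-host egress volume to cloud-storage domains against a baseline, and PowerShell launched under PsExec or WMI parents. The log lines, domain list, and thresholds are all assumptions.

```python
"""Added detection example (constructed data, not from the article): flag hosts
with anomalous egress to cloud-storage domains, and PsExec/WMI -> PowerShell
parent/child chains, from simple CSV-style telemetry."""
from collections import defaultdict
import statistics

# Constructed proxy log lines: src_host,dest_domain,bytes_out
PROXY_LOGS = """\
eng-ws-01,drive.google.com,120000
eng-ws-02,mega.nz,48000000000
eng-ws-03,onedrive.live.com,95000
eng-ws-02,mega.nz,31000000000
fin-ws-07,dropbox.com,210000
eng-ws-01,plm.internal.example,5000000
"""
# Assumed watch-list of cloud-storage domains used for staged exfiltration
CLOUD_STORAGE = {"mega.nz", "drive.google.com", "onedrive.live.com", "dropbox.com"}

def cloud_egress_by_host(log_text):
    """Sum outbound bytes per host, counting only cloud-storage destinations."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        src, dest, nbytes = line.split(",")
        if dest in CLOUD_STORAGE:
            totals[src] += int(nbytes)
    return dict(totals)

def flag_exfil_hosts(log_text, min_bytes=1_000_000_000, ratio=10):
    """Flag hosts above an absolute floor AND `ratio` x the median of the
    other hosts (both thresholds are assumptions; tune to your own baseline)."""
    totals = cloud_egress_by_host(log_text)
    flagged = []
    for host, total in totals.items():
        others = [v for h, v in totals.items() if h != host] or [0]
        if total >= min_bytes and total > ratio * max(statistics.median(others), 1):
            flagged.append((host, total))
    return sorted(flagged)

# Constructed endpoint process events: host,parent_image,child_image
PROCESS_EVENTS = """\
eng-ws-02,services.exe,PSEXESVC.exe
eng-ws-02,PSEXESVC.exe,powershell.exe
fin-ws-07,explorer.exe,powershell.exe
eng-ws-05,WmiPrvSE.exe,powershell.exe
"""
REMOTE_ADMIN_PARENTS = {"psexesvc.exe", "wmiprvse.exe"}

def flag_remote_admin_chains(event_text):
    """Return (host, parent, child) where PowerShell is spawned via PsExec/WMI."""
    return [tuple(f) for f in (l.split(",") for l in event_text.splitlines())
            if f[1].lower() in REMOTE_ADMIN_PARENTS and f[2].lower() == "powershell.exe"]
```

Interactive PowerShell from explorer.exe is deliberately not flagged; the signal is the remote-execution parent, not PowerShell itself.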
Sources: Exclusive: INC Ransom claims cyber attack on Australian engineering service company