On May 22, 2026, the ransomware collective known as APT73/Bashe publicly claimed responsibility for a cyberattack against Minsa S.A.B. de C.V. (minsa.com.mx), one of Mexico's largest producers of nixtamalized corn flour (masa harina). The group posted a notice threatening a full data leak unless the company opens negotiations immediately, escalating pressure on a critical food-sector supplier. The claim was first surfaced by threat intelligence firm DeXpose, which is tracking the group's leak-site activity.
What Happened
APT73/Bashe added Minsa to its public extortion portal on May 22, 2026, accompanied by a statement reading: "Minsa's security systems have been compromised. Full data leak imminent unless negotiations commence immediately." The posting follows the group's standard double-extortion playbook, in which victims are publicly named on a dark-web leak site to coerce payment before stolen data is dumped. As of publication, Minsa has not issued public confirmation of the intrusion, but the group's listing pattern historically aligns with confirmed compromises rather than fabricated claims.
What Was Taken
APT73/Bashe has not yet released sample data or specified the volume of records exfiltrated. Given the group's tactics in prior incidents, the staged leak is likely to contain a mix of internal corporate documents, employee personal information, financial records, supplier and logistics data, and operational technology documentation tied to Minsa's milling and distribution operations. Any compromise of supplier contracts or grain-procurement data could carry downstream consequences across Mexico's masa supply chain.
Why It Matters
Minsa is a strategic player in Mexican food security, supplying masa harina used in tortillas and other staples consumed daily across the country. A successful ransomware attack against the company highlights the continuing trend of threat actors targeting food and agriculture as critical infrastructure, where operational downtime carries both economic and social pressure. APT73/Bashe has gained notoriety throughout 2025 and 2026 for hitting mid-market and enterprise targets across Latin America, often demanding rapid negotiation windows. The Minsa listing reinforces that Mexican industrial firms remain a high-priority target set.
The Attack Technique
The specific initial access vector used against Minsa has not been disclosed. APT73/Bashe, which has been linked publicly to LockBit-derived tooling and shares overlap with the Eight Base extortion brand, has historically relied on a combination of phishing, exploitation of internet-facing applications (including unpatched VPN and remote-access appliances), and the purchase of valid credentials from infostealer log markets. Once inside, the group typically performs lateral movement using legitimate administrative tools, escalates privileges, exfiltrates data to attacker-controlled infrastructure, and then deploys ransomware payloads to encrypt critical systems before publishing victims to its leak site.
What Organizations Should Do
- Hunt for known APT73/Bashe indicators of compromise across endpoint, network, and identity telemetry, with particular attention to anomalous use of remote-management tools and bulk data egress.
- Audit external attack surface for exposed RDP, VPN, and file-transfer appliances, and confirm all internet-facing systems are patched against known exploited vulnerabilities.
- Validate offline, immutable backups for critical systems and rehearse restoration procedures under ransomware-scenario conditions.
- Enforce phishing-resistant multi-factor authentication on all remote access and privileged accounts, and rotate credentials known to appear in infostealer log dumps.
- Monitor dark-web leak sites and credential markets for mentions of corporate domains, executive identities, and supplier relationships to surface pre-extortion warning signs.
- Engage incident response counsel and specialized negotiators before any contact with the threat actor, and coordinate disclosure with relevant Mexican regulators and law enforcement.
Sources: APT73/Bashe Launches Ransomware Attack on Minsa - DeXpose