On June 22, 2026, the ransomware group Aurora claimed responsibility for a cyberattack against NationsBuilders Insurance Services (NBIS), a US specialty insurance underwriter operating at nbis.com. According to the actor's own posting, the intrusion exposed an enormous volume of internal records: 2,748,845 filetree entries spread across 24 separate network shares. The claim was surfaced through dark web monitoring by DeXpose, which tracked the listing on Aurora's leak infrastructure.
What Happened
Aurora named NBIS as a victim on its leak site, framing the company as a high-value target in the US insurance sector. NBIS is a managing general underwriter founded in Atlanta in 2001 and acquired by Align Financial / DUAL North America (part of Howden Group) in August 2021. The firm specializes in niche commercial lines including crane and rigging, concrete-pumping, heavy-haul, and residential-builder insurance, meaning the data it holds spans both corporate operations and detailed policyholder risk profiles.
In its statement, Aurora claimed access to 24 shares covering core business systems. The named repositories include AIM and ImageRight (both common insurance policy administration and document imaging platforms), the claims and policy administration stores, and back-office functions such as HR, finance, and IT. The actor also asserts it reached M&A due diligence rooms spanning a decade, suggesting deep and persistent access rather than a smash-and-grab against a single endpoint.
The June 22 claim date reflects when the group publicly asserted the attack. As of this writing, the reported breach rests on the threat actor's leak-site posting and has not been independently confirmed by NBIS.
What Was Taken
The volume Aurora describes is significant: nearly 2.75 million filetree entries is consistent with a wholesale exfiltration of multiple file servers rather than a targeted theft of a single database. Based on the actor's description, the exposed data likely includes:
- Policy administration and underwriting records held in AIM and ImageRight
- Claims files, which in the insurance context routinely contain medical, financial, and legal documentation
- HR data covering employees, potentially including PII and payroll detail
- Finance and accounting records
- IT system documentation, which can include credentials, network maps, and configuration data useful for follow-on attacks
- M&A due diligence material spanning roughly ten years of acquisitions, often some of the most commercially sensitive documents an organization holds
For an insurance underwriter, claims and policy stores are especially damaging because they aggregate third-party personal and financial data belonging to insureds and claimants, not just the company itself.
Why It Matters
Insurance carriers and underwriters sit on dense concentrations of sensitive data, which makes them a recurring ransomware target. A breach of this scale at NBIS carries downstream risk for policyholders, claimants, business partners, and the broader Howden Group corporate structure.
The exposure of M&A due diligence rooms is a distinctive concern. Those archives can reveal valuations, confidential deal terms, and the internal financials of acquired or evaluated companies, creating extortion leverage well beyond NBIS itself. IT documentation in the stolen set also raises the prospect of re-compromise or lateral movement into affiliated entities if credentials and architecture details were captured.
For defenders across the financial and insurance sectors, this incident is a reminder that managing general underwriters and specialty carriers, often mid-sized, hold enterprise-grade volumes of regulated data and warrant enterprise-grade defenses.
The Attack Technique
Aurora has not published a technical account of the initial access vector, and the leak-site statement focuses on the breadth of data accessed rather than the intrusion method. The reference to 24 shares and decade-old diligence rooms points to broad lateral movement and access to centralized file storage, which is typically achieved after credential theft, exploitation of an exposed service, or compromise of a privileged account.
Ransomware operators in this category commonly gain entry through phishing, valid stolen or reused credentials sourced from infostealer logs, exposed remote access services, or unpatched perimeter appliances, then escalate privileges and enumerate file shares before exfiltrating data. Until NBIS or investigators release findings, the specific vector for this incident remains unconfirmed.
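One way to hunt for the share-enumeration stage described above, added here as an example and not taken from the original article or from any investigation of this incident: a sliding-window check for a single account opening many distinct file shares in a short time. It assumes Windows Security Event ID 5140 records (file share auditing enabled) already parsed into dicts; the account names, share names, window, and threshold are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def detect_share_fanout(events, window=timedelta(minutes=10), threshold=5):
    """Flag accounts that open >= threshold distinct shares inside one window.

    Returns {account: highest distinct-share count seen in any window}.
    """
    recent = defaultdict(deque)  # account -> (time, share) pairs still in window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 5140:  # 5140: a network share object was accessed
            continue
        acct = ev["SubjectUserName"].lower()
        q = recent[acct]
        q.append((ev["time"], ev["ShareName"].lower()))
        while ev["time"] - q[0][0] > window:  # drop accesses older than window
            q.popleft()
        distinct = len({share for _, share in q})
        if distinct >= threshold:
            flagged[acct] = max(flagged.get(acct, 0), distinct)
    return flagged

def _ev(ts, user, share, event_id=5140):
    # 5140 reports the share as \\*\<name>; build that form from the bare name.
    return {"event_id": event_id, "time": datetime.fromisoformat(ts),
            "SubjectUserName": user, "ShareName": "\\\\*\\" + share}

# Constructed sample records (hypothetical accounts and share names).
SAMPLE_EVENTS = (
    # One account sweeping six shares in six minutes: the pattern to catch.
    [_ev(f"2026-01-10T02:0{i}:00", "svc_scan", name)
     for i, name in enumerate(["HR", "Finance", "IT", "Claims", "Policy", "Legal"])]
    # Normal user: two shares, thirty minutes apart.
    + [_ev("2026-01-10T09:00:00", "jdoe", "Claims"),
       _ev("2026-01-10T09:30:00", "jdoe", "Policy")]
    # Five shares but one per hour: never five inside a single window.
    + [_ev(f"2026-01-10T1{i}:00:00", "asmith", name)
       for i, name in enumerate(["HR", "Finance", "IT", "Claims", "Policy"])]
    # Unrelated logon event must be ignored.
    + [_ev("2026-01-10T02:01:30", "svc_scan", "", event_id=4624)]
)

if __name__ == "__main__":
    print(detect_share_fanout(SAMPLE_EVENTS))
```

Backup, indexing, and antivirus service accounts legitimately touch many shares, so baseline the threshold per account class before alerting on it.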
What Organizations Should Do
- Validate and isolate backups: keep current, encrypted, offline copies and use immutable backup solutions to resist encryption and deletion by ransomware.
- Run a compromise assessment: determine the entry point, the scope of exfiltrated data, and whether persistence mechanisms remain active before assuming the threat is contained.
- Enforce MFA and rotate credentials: require multi-factor authentication on all access points and reset credentials, prioritizing privileged and service accounts exposed to file shares.
- Monitor dark web and infostealer sources: watch leak sites, stolen-credential markets, and malware log dumps for data tied to your domains so exposure is caught early.
- Integrate threat intelligence: feed indicators of compromise into your SIEM or XDR for real-time alerting and correlation.
- Engage professional responders: involve incident response specialists and legal counsel before any contact with the ransomware group or ransom brokers.
Sources: Aurora Ransomware Attack on NationsBuilders Insurance Services - DeXpose