Sydney-headquartered property investment firm Prime Properties has been named on the darknet leak site of newcomer ransomware group M3rx, with the threat actor claiming to have exfiltrated more than 81,000 files totalling roughly 100 gigabytes of corporate data. The listing, first reported by Cyber Daily on 1 May 2026, was posted on 29 April and represents one of the group's earliest confirmed Australian victims.
What Happened
On 29 April 2026, the M3rx ransomware operation added Prime Properties to its darknet extortion portal, claiming successful infiltration of the firm's environment and theft of approximately 100GB of data spanning at least 81,000 documents. The group has not yet published a ransom demand, a payment deadline, or any sample evidence of the alleged intrusion, a pattern consistent with early-stage extortion postings designed to pressure victims into private negotiations before proof-of-life leaks are released. Prime Properties had not responded to media requests for comment at the time of reporting, leaving the scope of the impact and the firm's incident response posture publicly unconfirmed.
What Was Taken
M3rx's claim of 81,000+ files at 100GB suggests bulk exfiltration of unstructured corporate data rather than a narrowly targeted document grab. For a property investment firm, the most likely sensitive content categories include investor records and capital commitment documentation, tenant and lease files, identity verification material collected during KYC and AML checks, internal financial statements, conveyancing and settlement paperwork, and email archives containing confidential commercial negotiations. Real estate firms also routinely hold high volumes of personally identifiable information including driver's licences, passport scans, and bank account details, all of which carry significant downstream fraud and identity-theft risk if leaked.
Why It Matters
M3rx is a freshly observed ransomware brand, with researchers tracking only eight victims since the group surfaced this week, drawn from the United Kingdom, United States, Australia, Germany, Italy, and Switzerland. The geographic spread indicates an opportunistic, access-broker-driven targeting model rather than a regional or vertical focus, meaning ANZ organisations of any size and sector should treat the group as a credible emerging threat. The Prime Properties listing also reinforces a continuing trend of ransomware crews targeting Australian real estate and property services firms, which often hold rich identity datasets while running comparatively lean security programs.
The Attack Technique
Initial access methodology for the Prime Properties intrusion has not been disclosed. However, IBM X-Force Exchange researchers have published preliminary analysis of the M3rx encryptor itself: the malware is a PE32+ x64 binary written in Go, ships with an embedded configuration block, drops a ransom note named RECOVERY_NOTES.TXT, appends the extension .8hmlsewu to encrypted files, and self-deletes via PowerShell after execution. M3rx uses X25519 for key exchange, a modern elliptic-curve scheme also seen in several recent ransomware families. Go's toolchain cross-compiles easily and produces large, statically linked binaries that can frustrate signature-based detection, while PowerShell-driven self-deletion is a common anti-forensics technique aimed at hampering post-incident triage.
What Organizations Should Do
- Hunt for the known M3rx artefacts: files with the .8hmlsewu extension, ransom notes named RECOVERY_NOTES.TXT, and large unsigned Go-compiled PE32+ binaries executing from user-writable directories.
- Tune EDR and SIEM rules to flag PowerShell processes invoked to delete a parent executable immediately after execution, a behavioural signature of the M3rx self-cleanup routine.
- Audit external attack surface for exposed VPN, RDP, and remote management interfaces, enforce phishing-resistant MFA, and review access broker chatter for any mentions of your domain or supplier domains.
- Validate that backups are immutable, segmented from production identity infrastructure, and recently restore-tested, while keeping in mind that data theft alone still permits extortion even when encryption is contained.
- For real estate and property firms specifically, review where KYC and identity documents are stored, ensure they are encrypted at rest with tightly scoped access, and confirm retention policies are not warehousing decade-old client records unnecessarily.
- Prepare regulatory and customer notification playbooks aligned to the Australian Notifiable Data Breaches scheme, so that if M3rx escalates from listing to leak, response timelines are not the bottleneck.
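The first hunting item above can be run as a filesystem sweep. The script below is an added example, not code from the cited research or from Cyber Daily. It assumes a 1 MB cut-off for "large", treats an empty PE certificate table as "unsigned", and identifies Go builds by the linker's build-info marker.

```python
import os
import struct
import sys

ENC_EXT = ".8hmlsewu"  # encrypted-file extension named on this page
NOTE_NAME = "recovery_notes.txt"  # ransom note name, matched case-insensitively
GO_MARKER = b"\xff Go buildinf:"  # build-info magic the Go linker embeds

def pe_traits(data):
    """Return (is_pe32plus_x64, has_cert_table) for raw file bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, False
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if len(data) < pe + 176 or data[pe:pe + 4] != b"PE\0\0":
        return False, False
    machine = struct.unpack_from("<H", data, pe + 4)[0]
    magic = struct.unpack_from("<H", data, pe + 24)[0]
    if machine != 0x8664 or magic != 0x20B:  # AMD64 and PE32+
        return False, False
    n_dirs = struct.unpack_from("<I", data, pe + 24 + 108)[0]
    # Data directory 4 (certificate table): its size field is at optional header +148.
    cert_size = struct.unpack_from("<I", data, pe + 24 + 148)[0] if n_dirs > 4 else 0
    return True, cert_size != 0

def scan(root, min_size=1_000_000):  # min_size: assumed threshold for "large"
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            low = name.lower()
            if low.endswith(ENC_EXT):
                hits.append((path, "encrypted-extension"))
            elif low == NOTE_NAME:
                hits.append((path, "ransom-note"))
            else:
                try:
                    if os.path.getsize(path) < min_size:
                        continue
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue
                is_pe, signed = pe_traits(data)
                if is_pe and not signed and GO_MARKER in data:
                    hits.append((path, "unsigned-go-pe32plus"))
    return sorted(hits)

if __name__ == "__main__":
    for path, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(reason, path, sep="\t")
```

Point it at user-writable roots such as profile and temp directories. A populated certificate table only shows that a signature blob is present, not that it validates, so signed hits still need an Authenticode check.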
Sources: Exclusive: Prime Properties listed as breach victim by M3rx ransomware - Cyber Daily