Sydney-headquartered property investment firm Prime Properties has been named on the darknet leak site of emerging ransomware group M3rx, with the threat actor claiming to have exfiltrated more than 81,000 files totalling roughly 100 gigabytes of company data. The listing, posted on April 29, marks one of the first significant ANZ-region victims attributed to the newly observed crew.
What Happened
M3rx, a ransomware operation first observed only in the past week, added Prime Properties to its darknet leak site on April 29, 2026. The group asserts it successfully infiltrated the firm's environment and exfiltrated a substantial archive of internal documents. As of publication, M3rx has not disclosed its ransom demand, has not stated a payment deadline, and has not posted any sample evidence to validate the breach. Prime Properties has not responded to media requests for comment, and the incident remains unconfirmed by the company.
What Was Taken
According to M3rx's leak site post, the haul includes:
- Approximately 100 gigabytes of corporate data
- At least 81,000 individual files
While the file types have not been disclosed, a property investment firm of this nature would typically hold highly sensitive client and counterparty data: identity documents used for KYC and AML checks, financial statements, contracts of sale, settlement records, trust account information, conveyancing correspondence, and tenant or investor records. Should the trove be released, the downstream identity-theft and fraud risk for affected clients would be considerable.
Why It Matters
The Prime Properties listing signals two important shifts for defenders. First, the Australian property and real estate sector continues to be a high-value target for extortion crews due to the volume of personally identifiable and financial information held during transactions. Second, M3rx represents yet another newcomer entering the crowded ransomware ecosystem at a moment when established brands are fragmenting. With only eight claimed victims to date, spanning Australia, the United States, England, Germany, Italy, and Switzerland, M3rx is opportunistic and geographically indiscriminate, suggesting broad scanning and commodity initial access rather than targeted operations.
The Attack Technique
The initial access vector used against Prime Properties has not been disclosed. However, researchers at IBM X-Force Exchange have begun profiling the M3rx encryptor itself. According to their early analysis, the ransomware is delivered as a PE32+ x64 binary written in Go, includes an embedded configuration block, and drops a ransom note named RECOVERY_NOTES.TXT during execution. The use of Go is consistent with a wider trend among newer ransomware developers seeking cross-platform portability and a steeper reverse-engineering curve. With only a handful of confirmed intrusions, tactics, techniques, and procedures around initial access, lateral movement, and exfiltration tooling are still being mapped.
What Organizations Should Do
Property, legal, and financial-services firms holding bulk client documentation should treat the M3rx listing as a prompt to revisit core controls:
- Hunt for the known indicator: search endpoints and file shares for the artefact RECOVERY_NOTES.TXT and for unsigned PE32+ x64 Go binaries executing from user-writable directories.
- Enforce phishing-resistant MFA across email, VPN, remote desktop, and any internet-exposed management consoles, as commodity credential abuse remains a leading entry point for newcomer crews.
- Audit and segment file repositories holding KYC, settlement, and trust account data so that a single compromised endpoint cannot enumerate 80,000-plus documents in a single sweep.
- Deploy egress monitoring and data-loss prevention rules to flag large outbound transfers to cloud storage providers and anonymising services frequently used for ransomware exfiltration staging.
- Validate offline, immutable backups and rehearse restoration of conveyancing and accounting platforms under a simulated total-loss scenario.
- Brief client-facing staff on the heightened risk of follow-on social engineering, including bogus settlement-redirect emails, that typically follows public exposure of property-sector data.
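A triage sketch for the first hunting item above, added here as an example and not taken from the article or from IBM X-Force: it flags the RECOVERY_NOTES.TXT artefact and PE32+ x64 files that carry Go toolchain markers but have no Authenticode certificate table. The function names, the 64 MB size cap and `make_sample_pe` (a constructed header fixture, not a real binary) are assumptions; stripped or obfuscated Go builds may lack the markers, and a present certificate table is not a validated signature.

```python
import os
import struct

NOTE_NAME = "RECOVERY_NOTES.TXT"  # ransom note name reported in the article
GO_MARKERS = (b"\xff Go buildinf:", b"Go build ID:")  # markers the Go toolchain embeds

def classify_pe(data):
    """Return {'go': bool, 'signed': bool} for a PE32+ x64 image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew: offset of the PE signature
    opt = pe + 24                                 # optional header follows the COFF header
    if len(data) < opt + 152 or data[pe:pe + 4] != b"PE\0\0":
        return None
    machine, magic = struct.unpack_from("<H", data, pe + 4)[0], struct.unpack_from("<H", data, opt)[0]
    if machine != 0x8664 or magic != 0x20B:       # AMD64 machine type, PE32+ magic
        return None
    # Data directory 4 is the certificate table; size 0 means no Authenticode blob attached.
    n_dirs = struct.unpack_from("<I", data, opt + 108)[0]
    cert_size = struct.unpack_from("<I", data, opt + 148)[0] if n_dirs > 4 else 0
    return {"go": any(m in data for m in GO_MARKERS), "signed": cert_size > 0}

def hunt(root, max_bytes=64 * 1024 * 1024):
    """Walk root and return (kind, path) findings for analyst triage."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper() == NOTE_NAME:         # Windows file names are case-insensitive
                findings.append(("ransom_note", path))
                continue
            try:
                if os.path.getsize(path) > max_bytes:  # assumed cap, tune for your estate
                    continue
                with open(path, "rb") as fh:
                    info = classify_pe(fh.read())
            except OSError:
                continue                          # unreadable or locked file
            if info and info["go"] and not info["signed"]:
                findings.append(("unsigned_go_pe64", path))
    return findings

def make_sample_pe(go=True, signed=False):
    """Constructed fixture: a minimal PE32+ x64 header for exercising classify_pe."""
    hdr = bytearray(328)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    for fmt, off, val in (("<I", 0x3C, 0x40), ("<H", 0x44, 0x8664), ("<H", 0x58, 0x20B),
                          ("<I", 0x58 + 108, 16), ("<I", 0x58 + 148, 8 if signed else 0)):
        struct.pack_into(fmt, hdr, off, val)
    return bytes(hdr) + (GO_MARKERS[0] if go else b"")
```

Point `hunt()` at user-writable locations such as profile, temp and download directories; legitimate unsigned Go tools will also match, so treat hits as leads to review alongside execution telemetry.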
Sources: Sydney property firm listed on darknet after alleged cyber attack - Real Estate Business