M3rx Ransomware Breach Exposes 100GB of Prime Properties Data
Details on the M3rx ransomware claim against Prime Properties, including attack technique, impact and recommended defenses.

TL;DR
M3rx ransomware group announced on April 29 that it stole 100 GB of data—about 81,000 files—from Sydney‑based Prime Properties. The attackers use a Go‑based encryptor that appends the .8hmlsewu extension and leaves a RECOVERY_NOTES.TXT note.
Context
Prime Properties operates from Kensington, Sydney, offering property investment, building management and consultancy services. The firm has not commented on the alleged breach, and M3rx has not posted proof or disclosed a ransom demand. The group listed the victim on its darknet leak site the same day.
Key Facts
- M3rx claims eight victims worldwide since its emergence this week, spanning England, the United States, Australia, Germany, Italy and Switzerland.
- IBM X‑Force analysis shows the ransomware is a PE32+ x64 Go sample that drops RECOVERY_NOTES.TXT, renames encrypted files with .8hmlsewu, performs X25519 key exchange, encrypts content with AES‑CTR, and wraps each file key with AES‑GCM.
- The encryptor clears the Recycle Bin and deletes itself via PowerShell after execution.
- The ransom note states files were stolen and encrypted, demands Bitcoin after negotiation, and threatens publication.
- No ransom amount, payment deadline or leaked data has been released by the group.
What It Means
The attack highlights a ransomware variant that combines modern cryptography with self‑removing tactics, making detection reliant on behavioral indicators such as the .8hmlsewu extension and PowerShell cleanup. Organizations should monitor for those artifacts and review email and web‑gateway controls, as the initial infection vector is still under investigation.
What Defenders Should Do
- Apply YARA rules matching the RECOVERY_NOTES.TXT string and .8hmlsewu extension.
- Block execution of unknown PowerShell scripts; enforce Constrained Language mode where possible.
- Ensure backups are offline and immutable; test restoration regularly.
- Segment networks to limit lateral movement and enforce least‑privilege access.
- Watch for IOCs released by IBM X‑Force (SHA256/MD5 hashes) and update endpoint detection signatures.
What to watch next: Whether M3rx publishes proof of the stolen data or issues a ransom demand, and how Prime Properties responds to any extortion attempt.
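The two file artifacts named above can also be hunted in file-creation telemetry. The following is an added example, not code from the article or from IBM X‑Force: it grades hosts by whether a burst of .8hmlsewu renames coincides with RECOVERY_NOTES.TXT drops. The JSON-lines event format, the host names, the sample events and the burst thresholds are all assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

NOTE_NAME = "recovery_notes.txt"  # ransom note name reported in the article
ENC_EXT = ".8hmlsewu"             # appended extension reported in the article
WINDOW = timedelta(seconds=60)    # assumption: burst window, tune per environment
BURST = 3                         # assumption: renames inside WINDOW that count as a burst

# Constructed sample: JSON-lines file-creation events (hypothetical export format).
SAMPLE = r"""
{"ts":"2000-01-01T10:00:01","host":"FS01","path":"D:\\Leases\\q1.xlsx.8hmlsewu"}
{"ts":"2000-01-01T10:00:02","host":"FS01","path":"D:\\Leases\\q2.xlsx.8hmlsewu"}
{"ts":"2000-01-01T10:00:02","host":"FS01","path":"D:\\Leases\\RECOVERY_NOTES.TXT"}
{"ts":"2000-01-01T10:00:09","host":"FS01","path":"D:\\Strata\\plan.pdf.8HMLSEWU"}
{"ts":"2000-01-01T10:00:09","host":"FS01","path":"D:\\Strata\\Recovery_Notes.txt"}
{"ts":"2000-01-01T11:30:00","host":"WS07","path":"C:\\Users\\a\\Downloads\\sample.bin.8hmlsewu"}
{"ts":"2000-01-01T11:31:00","host":"WS09","path":"C:\\Users\\b\\report.docx"}
""".strip().splitlines()


def triage(lines):
    """Group events per host and grade them on the two file artifacts."""
    enc_times, note_dirs = defaultdict(list), defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        path = PureWindowsPath(ev["path"])
        # Windows file names are case-insensitive, so compare lowercased.
        if path.name.lower() == NOTE_NAME:
            note_dirs[ev["host"]].add(str(path.parent).lower())
        elif path.suffix.lower() == ENC_EXT:
            enc_times[ev["host"]].append(datetime.fromisoformat(ev["ts"]))
    report = {}
    for host in sorted(set(enc_times) | set(note_dirs)):
        times = sorted(enc_times[host])
        # Sliding window: BURST renames whose first and last fall inside WINDOW.
        burst = any(times[i + BURST - 1] - times[i] <= WINDOW
                    for i in range(len(times) - BURST + 1))
        # Burst plus note is the full pattern; a lone artifact still needs a look.
        verdict = "isolate" if burst and note_dirs[host] else "investigate"
        report[host] = {"encrypted": len(times), "note_dirs": len(note_dirs[host]),
                        "burst": burst, "verdict": verdict}
    return report


if __name__ == "__main__":
    for host, row in triage(SAMPLE).items():
        print(host, row)
```

Hosts with neither artifact are left out of the report, so an empty result means no match in the supplied events, not that the host was examined and cleared by other means.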