Ransomware victim disclosure

Startec Group of Companies

Claimed by AUR0RA · listed 11 days ago

  • Data size: 665 MB (litigation files alone)
  • Records: 600+ current and former employees, 18+ passport scans, 11 Outlook PST mailboxes
  • Ransom demanded: $140
  • Age: 11d since listed · data leaked

Status timeline

  1. Listed: Jun 6, 2026
  2. Data leaked: date unknown

At a glance

  • Group: AUR0RA
  • Status: Data leaked
  • Country: Canada
  • Listed on leak site: Jun 6, 2026
  • Data size: 665 MB (litigation files alone)
  • Records: 600+ current and former employees, 18+ passport scans, 11 Outlook PST mailboxes
  • Ransom demanded: $140

About the victim

AI dossier — public-source company profile

Startec Group of Companies is a privately held Calgary-based industrial original equipment manufacturer founded in 1976. The company designs, fabricates, installs, and services compression, process, and refrigeration systems for oil-and-gas operators and the energy-transition sector (RNG, hydrogen, CO₂ sequestration, flare-gas capture), employing approximately 270 people with ~80% of output exported to US customers including major operators like Pembina, ARC Resources, Shell, and Cenovus.

  • Industry: Industrial OEM – Compression, Process & Refrigeration Systems for Oil & Gas
  • Address: Calgary, Canada
  • Employees: 270
  • Founded: 1976

Attack summary

Severity: critical. Confirmed exfiltration of regulated PII at massive scale (SINs for 600+ employees, passport data, banking/EFT records), infrastructure encryption keys enabling further compromise, customer proprietary engineering data, privileged attorney-client litigation files, cyber-insurance documentation, and 25-year financial history. The data involves Canadian and US critical energy infrastructure operators.

AUR0RA claims to have exfiltrated the entire corporate knowledge base spanning 25+ years of operations, including payroll records, employee identity documents (passports, SINs), infrastructure encryption keys, customer engineering libraries, insurance documentation, and privileged litigation files related to Shell disputes. The group states data was published and demands ransom.

Data the group says was taken

AI dossier — extracted from the leak post
  • 25 years of payroll records (2001–2026)
  • SIN verification register (~600+ employees)
  • Passport scans (18+ named individuals, ~20+ Pakistan applicants)
  • TLS private keys (wildcard *.startec.ca 2022–2027, suspected AD CA key)
  • Cyber-insurance policy (Zurich BZA2151)
  • Customer engineering libraries (Pembina, ARC, SemCAMS, Cenovus, Shell)
  • Process specifications, as-built drawings, sizing calculations
  • Shell litigation files (665 MB privileged counsel correspondence)
  • Board packs (12 fiscal years, in-camera sessions)
  • Financial statements and valuation documents

What the group claims

A privately held Calgary-based industrial OEM founded in 1976. Startec designs, fabricates, installs, and services compression, process, and refrigeration systems for oil-and-gas operators and the energy-transition sector. Employs approximately 270 people.

The leak post

captured from the group's site
[ NorthWest Handling Systems — a 55-year-old forklift and warehouse equipment company headquartered in Renton, Washington, with branches across WA, OR, and AK. The dump is the entire corporate file share going back to 1988. 337,000+ files spanning every branch, every department, every era of the company. It includes: Plaintext credit card numbers in an Excel spreadsheet literally titled “C.O.D. info (CREDIT CARD INFO).xlsx” — stored at the root of the file server, unencrypted, for years. Social Security numbers and Taxpayer IDs on W-9 forms and certified payroll documents for government-contract work (USPS, Oregon DHS, public schools). 3+ years of plaintext passwords for Target Corporation’s vendor portal (TARS), stored in Word documents titled “TARGET PASSWORD & SECURITY QUESTIONS.” Each password rotation was saved as a new file. Home Depot Maximo DC billing credentials — plaintext, in a Word document, enabling fraudulent invoicing against a Fortune 50 company. Albertsons/Safeway Corrigo facility-management portal credentials — again, plaintext in a .docx file. 33 GB of customer warehouse CAD files — facility layouts, equipment placement, security-zone dimensions, and fire-protect…

Data the group says was taken

  • payroll records
  • SIN verification data
  • ADP exports
  • T4/ROE/T2200 forms
  • banking/EFT direct-deposit data
  • passport scans
  • TLS private keys
  • Active Directory CA private key
  • cyber-insurance policy
  • customer engineering libraries
  • process specifications
  • as-built drawings
  • privileged litigation files
  • board packs
  • valuation reports
  • family-trust T3 returns
  • succession-planning documents
  • QuickBooks files
  • Outlook PST mailboxes
  • physical security access codes
  • CCTV passwords

Sources

Indexed 11 days ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Disclosure context

About AUR0RA

AUR0RA is a ransomware group first observed in June 2026 with an apparent financial motivation, having claimed responsibility for attacks against at least five known victims across the United States, Canada, and Australia. Given the recency of the group's emergence and the limited number of confirmed victims, detailed public attribution from major threat intelligence organizations such as CISA, the FBI, or Mandiant has not yet been established, and as such claims regarding origin, affiliation, or operational infrastructure cannot be responsibly made at this time.

The group's targeting pattern suggests a deliberate focus on mid-market industries including commercial interiors, real estate and title insurance, warehousing and material handling, manufacturing, and oil and gas and industrial manufacturing sectors, which may indicate an opportunistic selection strategy or a preference for organizations with potentially sensitive operational or financial data and limited cybersecurity maturity. No specific attack methodology, tooling, or extortion tactics have been publicly documented by reputable sources for this group as of the time of this writing, though the sector targeting profile is consistent with groups known to conduct double extortion operations.

AUR0RA should be considered an emerging threat actor under active monitoring, with its current operational status assessed as active based on the recency of first observed activity and the absence of any publicly reported law enforcement disruption or disbandment. The group has been linked to 6 public disclosures across our corpus. First observed on a leak site on June 6, 2026; most recent post June 15, 2026. The operation is currently active.

Timeline of this disclosure

  • June 6, 2026: Startec Group of Companies listed by AUR0RA on the group's public leak site
    Data size: 665 MB (litigation files alone)
    Records: 600+ current and former employees, 18+ passport scans, 11 Outlook PST mailboxes
    Ransom demanded: $140

Sector and geography

This disclosure adds to ransomware activity in the Oil & Gas / Industrial Manufacturing sector. Geographically, Startec Group of Companies is reported in Canada, a country with 313 ransomware disclosures in our corpus.

If your organisation is affected

A listing by AUR0RA means Startec Group of Companies appeared on a ransomware extortion site and data attributed to it has been published. If this is your organisation, or a supplier you depend on, the priority is to confirm the intrusion and contain it before the window to act closes.

  • Engage your incident-response team and preserve forensic evidence before remediating — do not wipe affected systems first.
  • Force a password reset and revoke active sessions for exposed accounts; rotate any credentials, API keys or certificates that may have been in the stolen data.
  • Assess regulatory notification duties (GDPR, NIS2, sector regulators) — many carry a 72-hour reporting clock from awareness.
  • Report the incident to your national CERT (CCCS in Canada), as required for your jurisdiction.
  • Monitor for the data appearing on AUR0RA's leak site and across paste and breach channels, and brief downstream partners who may be exposed through you.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.