Skip to main content

Ransomware victim disclosure

All victims

Costa Solutions, LLC

Claimed by Aurora · listed 3 months ago

2m
Age
since listed · data leaked

Status timeline

  1. ListedApr 29, 2026
  2. Data leakeddate unknown

At a glance

Group
Aurora
Status
Data leaked
Listed on leak site
Apr 29, 2026

About the victim

AI dossier — public-source company profile

Costa Solutions, LLC is a privately held managed-labor and warehousing company headquartered in San Antonio, Texas, operating across multiple Texas markets including Houston, Dallas-Ft. Worth, and Austin. The company provides 24/7 inbound/outbound unloading, warehouse support, and production support services to clients in food & grocery, retail, automotive, and other sectors. It reports approximately $140M in annual revenue and serves major clients including HEB, CVS, Sysco, Amazon, and McLane.

Industry
Managed Labor & Warehousing Services (Supply Chain)
Address
San Antonio, Texas, US
Employees
200-1000

Attack summary

Severity: critical — Confirmed exfiltration and publication of highly regulated data at scale: SSNs, bank account details, and medical/health records (HIPAA-adjacent) for 3,000–8,000+ individuals including employees, dependents, and contractors; plus privileged legal files, infrastructure credentials, and sensitive client/financial data representing multi-dimensional critical exposure.

The Aurora ransomware group claims to have exfiltrated the complete contents of Costa Solutions' file server, encompassing operational, financial, legal, and HR data including PII and regulated records for 3,000–8,000+ individuals; data has been published with no ransom stated.

critical

Data the group says was taken

AI dossier — extracted from the leak post
  • SSNs from W-2, W-4, 1099, and I-9 forms
  • Bank account and routing numbers (200+ direct deposit forms)
  • Employee medical and injury records (150+ files, 2013–2026)
  • FMLA medical certifications
  • Drug test results
  • Workers' compensation claims
  • Background check records
  • CEO's personal documents folder (5.3 GB)
  • P&L statements
  • Client contracts and SLAs (HEB, CVS, Sysco, Amazon, McLane, Labatt, Valvoline)
  • Competitor pricing intelligence
  • RFP bid documents with cost models
  • Active litigation and arbitration files
  • HR internal investigation notes
  • Attorney-client privileged correspondence
  • Multi-year corporate budgets
  • Valuation and M&A documents
  • PPP loan forgiveness records
  • Form 5500 ERISA filings
  • TLS certificate for HEB production server
  • VPN and Remote Desktop configuration files
  • 12 years of former employee records
  • Independent contractor and dependent PII
  • Job applicant records

What the group claims

[warehouse] Costa Solutions, LLC — a privately held managed-labor and warehousing company headquartered in San Antonio, Texas, with ~$140M annual revenue and 200–1,000 employees. The file server contained the complete operational, financial, legal, and human resources infrastructure of the company: 3,000–8,000+ individuals' personal data — current employees, former employees (12 years of records), independent contractors, employee dependents, and job applicants. SSNs on W-2s, W-4s, 1099s, I-9s, background checks. Bank account and routing numbers on 200+ direct deposit forms. Medical and injury records — 150+ employee injury/medical files from 2013–2026, FMLA medical certifications, drug test results (random, reasonable suspicion, post-incident, promotional), and workers' compensation claims for 23+ named individuals. CEO's entire file system — Josh Wean's Documents folder (5.3 GB) including P&L statements, a 17-subfolder "Confidential" directory, legal correspondence, strategic plans, a C-12 peer advisory group archive, and a $RECYCLE.BIN with 60+ deleted items. Client contracts and competitive intelligence — pricing, SLAs, and contract terms for HEB, CVS, Sysco, Amazon, McLane, Labatt, Valvoline. Competitor pricing intelligence. RFP bid documents with cost models. Active legal case files — litigation records (2021–2022), HR internal investigation notes (2018–2021), arbitration files, active investigations marked "DO NOT DELETE" — all subject to attorney-client privilege. Infrastructure secrets — an HEB production server TLS certificate, a Cisco AnyConnect VPN installer, and the CEO's Remote Desktop connection file. Corporate financials — multi-year budgets, valuation & sale documents (indicating possible M&A activity), PPP loan forgiveness records, Form 5500 ERISA filings, and annual reporting.

Sources

Source

Indexed 3 months ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About aurora

Aurora is a recently emerged ransomware group first observed in April 2026, operating with apparent financial motivations through targeted attacks across multiple sectors. Given its recent emergence, limited public documentation exists regarding the group's specific country of origin or affiliations with established ransomware operations, though its targeting patterns suggest a professional operation potentially operating as an independent entity rather than a known Ransomware-as-a-Service model. The group has demonstrated a preference for attacking business-critical sectors including business services, consumer services, manufacturing, healthcare, and financial services, with documented attacks spanning the United States, Canada, the Maldives, and Great Britain, though specific initial access vectors and technical methodologies remain undocumented by major threat intelligence firms. With only seven known victims documented since April 2026, Aurora represents a relatively small-scale operation compared to established ransomware families, though its cross-sector targeting approach and international victim scope indicate deliberate selection criteria rather than opportunistic attacks. The group remains active as of current reporting, though the limited victim count and recent emergence suggest either a highly selective targeting approach or a nascent operation still developing its operational capabilities. The group has been linked to 21 public disclosures across our corpus. First observed on a leak site on April 29, 2026; most recent post June 30, 2026. The operation is currently active.

Timeline of this disclosure

  • April 29, 2026Costa Solutions, LLC listed by auroraon the group's public leak site

Sector and geography

This disclosure adds to ransomware activity in the Business Services sector, which has 3,796 disclosures indexed across all operators we track. Geographically, Costa Solutions, LLC is reported in United States, a country with 3,115 ransomware disclosures in our corpus.

If your organisation is affected

A listing by aurora means Costa Solutions, LLC appeared on a ransomware extortion site and data attributed to it has been published. If this is your organisation, or a supplier you depend on, the priority is to confirm the intrusion and contain it before the window to act closes.

  • Engage your incident-response team and preserve forensic evidence before remediating — do not wipe affected systems first.
  • Force a password reset and revoke active sessions for exposed accounts; rotate any credentials, API keys or certificates that may have been in the stolen data.
  • Assess regulatory notification duties (GDPR, NIS2, sector regulators) — many carry a 72-hour reporting clock from awareness.
  • Report the incident to your national CERT, CISA (United States), as required for your jurisdiction.
  • Monitor for the data appearing on aurora's leak site and across paste and breach channels, and brief downstream partners who may be exposed through you.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.