Ransomware victim disclosure

EXCEED Energy

Claimed by anubis · listed 4 days ago

Age

since listed · data leaked

Status timeline

Listed
May 27, 2026
Data leaked

At a glance

Group: anubis
Status: Data leaked
Sector: Energy
Listed on leak site: May 27, 2026

About the victim

AI dossier — public-source company profile

EXCEED Energy is an independent well and reservoir management specialist focused on extending the productive life of wells and supporting the energy sector's transition to carbon zero. Operating across 41 countries, the company provides well management, decommissioning, and managed pressure drilling services to major oil and gas operators.

Industry: Well & Reservoir Management; Energy Services
Founded: 2004

Attack summary

Severity: high — Confirmed exfiltration of 300+ GB of sensitive client data in a regulated energy sector context, including operational and technical data belonging to major oil and gas operators. Breach of confidentiality obligations to third-party clients elevates exposure risk beyond the victim company itself.

Anubis ransomware group claims to have exfiltrated approximately 300+ GB of data, predominantly consisting of client confidential records rather than internal corporate documents. The breach includes technical data, audit results, equipment analysis, operational reports, and incident documentation belonging to EXCEED Energy's clients, representing a breach of confidentiality obligations.

high

Data the group says was taken

AI dossier — extracted from the leak post

client operational data
audit results
equipment analysis reports
operational reports
incident documentation
technical specifications
well management records

What the group claims

Data breach at an international well management specialist.

The leak post

captured from the group's site

is a leading independent well and reservoir management specialist focused on managing the productive life of wells while driving the transition to Carbon Zero. The company offers a wide range of services including well management, decommissioning, and managed pressure drilling, catering to clients in the energy sector across 41 countries.
In this breach, you will find very few of the typical internal corporate records such as HR files or accounting documents. Almost the entire 300+ GB archive is directly related to the company’s clients — and that is an important detail.
Because while the company itself is a major player in its sector, its clients are significantly bigger names.
For example, last year the company proudly announced that it had secured the[ largest contract in its 20-year history, taking on operational responsibilities for 192 wells](https://www.linkedin.com/posts/exceed-energy_energy-decommissioning-northsea-activity-7327973438638157824-UAyO). Now, thanks to the leaked data, we have an opportunity to learn far more about that deal directly from the source itself.
Much of the client-related data is highly technical in nature, making it difficult to immediately determ…

Sources

Leak posthttp://om6q4a6cyipxvt7ioudxt24cw4oqu4yodmqzl25mqd2hgllymrgu4aqd.onion/r/UT9Z05eUWYbSdyFftdy+3HGP+lJyfoYhfWsOknc0GQL2PRZY4XLTQcM93q7eyrCBoEcCuuTsCIizXZmdrQFxERKY2hpbjJt

Source

Indexed 4 days ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About anubis

Anubis is a recently emerged ransomware group that began operations in February 2025, primarily motivated by financial gain through encryption and extortion attacks. The group has demonstrated rapid expansion, accumulating 65 documented victims within a short operational timeframe. Given the group's recent emergence, limited information is publicly available regarding their specific country of origin, organizational structure, or confirmed affiliations with other cybercriminal entities, though their operational patterns suggest they may operate as an independent group or small-scale ransomware-as-a-service operation. Their attack methodology appears to focus on opportunistic targeting across multiple geographic regions, with victims concentrated primarily in the United States, Australia, Canada, the United Kingdom, and France, indicating either English-language proficiency or the use of automated tools that facilitate cross-border operations. The group demonstrates a clear preference for targeting healthcare organizations and manufacturing companies, followed by business services and technology sectors, suggesting they prioritize organizations with critical operational dependencies that may be more likely to pay ransoms quickly. Due to the group's recent emergence in early 2025, there is insufficient publicly documented information from established cybersecurity firms or law enforcement agencies regarding their specific technical capabilities, encryption methods, or whether they employ double or triple extortion tactics involving data theft and leak sites. As of current reporting, Anubis remains an active threat with continued victim acquisition, though the full scope of their capabilities and long-term operational sustainability remains to be determined as security researchers continue to analyze their activities. The group has been linked to 78 public disclosures across our corpus. First observed on a leak site on February 25, 2025; most recent post May 27, 2026. The operation is currently active.

Timeline of this disclosure

May 27, 2026EXCEED Energy listed by anubison the group's public leak site

Other recent disclosures by anubis

anubis has been linked to 78 public victims on Darkfield. A sample of the most recent: