Skip to main content

Ransomware victim disclosure

All victims

Morris Group International

Claimed by ORION · listed 2 months ago

0.5TB
Data size
59d
Age
since listed · data leaked

Status timeline

  1. ListedMay 17, 2026
  2. Data leakeddate unknown

At a glance

Group
ORION
Status
Data leaked
Listed on leak site
May 17, 2026
Data size
0.5TB

About the victim

AI dossier — public-source company profile

Morris Group International (MGI) is a family-owned US manufacturer headquartered in City of Industry, California, comprising 28 divisions and partnerships across 27 locations worldwide. The company designs, manufactures, and distributes engineered plumbing and drainage products, stainless steel fixtures, vacuum plumbing systems, drinking fountains, electric water heaters, and fire protection products, with over 2,000 employees and more than 2.5 million square feet of manufacturing, office, and warehouse space. Key subsidiaries include Acorn Engineering Company, Jay R. Smith Mfg. Co., AcornVac, Elmdor, and FirePro.

Industry
Engineered Plumbing, Drainage & Building Products Manufacturing
Address
City of Industry, CA (headquarters at Acorn Engineering Company facility)
Employees
2000
Founded
1954

Attack summary

Severity: high — 0.5 TB of confirmed exfiltrated and published data includes proprietary intellectual property (patents, chemical formulations, product designs), commercial contracts, and partner/client records, representing significant business and competitive harm across a 2,000+ employee multi-division manufacturer; no regulated PII at scale is explicitly stated, precluding critical.

The ORION ransomware group claims to have exfiltrated approximately 0.5 TB of data from Morris Group International and has published the data following unmet ransom conditions. The alleged stolen data includes partner and client records, commercial contracts, product sketches, chemical properties of products, and patent documentation.

high

Data the group says was taken

AI dossier — extracted from the leak post
  • Partner records
  • Client records
  • Commercial contracts
  • Product sketches/design drawings
  • Chemical properties of products
  • Patent documentation
  • Subsidiary company data (AcornVac, Elmdor, Murdok, FirePro, Smith)

What the group claims

Morris Group International includes 28 divisions and partnerships and 27 locations worldwide. Manufactures stainless steel toilets, engineered plumbing and drainage products, vacuum plumbing systems, drinking fountains, and electric water heaters. Has 2,000+ employees and over 2.5 million square feet of manufacturing, office, and warehouse space. Subsidiaries include AcornVac, ELMDOR, murdok, firepro, Smith.

The leak post

captured from the group's site
This link was hidden until the publication conditions were met
morrisgroupint.com Morris Group International includes 28 divisions and partnerships and 27 locations worldwide. From stainless steel toilets, engineered plumbing and drainage products, and vacuum plumbing systems to drinking fountains and electric water heaters, our products come out of our manufacturing facilities in North America ready to meet the needs of any construction or building project. Because we research, design, and manufacture our own products, customers have the benefit of going to one supplier to get the job done with choices that meet ADA requirements, environmental concerns, and the highest standards for safety and design. With over 75 patents and thousands of products, Morris Group International has 2,000+ employees and over 2.5 million square feet of manufacturing, office, and warehouse space. 0.5TB date sensitive. Partners, clients, commercial contracts, sketches, chemical properties of products, patents, etc. Also subsidiaries: AcornVac / ELMDOR / murdok / firepro/ Smith/ 
Stay informed about the latest data breaches and cybersecurity incidents affecting organizations worldwide.

Data the group says was taken

  • partner information
  • client information
  • commercial contracts
  • sketches
  • chemical properties of products
  • patents

Screenshot of the leak post

Leak screenshot for Morris Group International

Sources

Source

Indexed 2 months ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About ORION

Jan13, 2026: We believe the group might be related to Babuk-Bjorka. The group has been linked to 4 public disclosures across our corpus. First observed on a leak site on May 14, 2026; most recent post May 17, 2026. The operation is currently active.

Timeline of this disclosure

  • May 17, 2026Morris Group International listed by ORIONon the group's public leak site
Data size
0.5TB

Sector and geography

This disclosure adds to ransomware activity in the Manufacturing sector, which has 3,681 disclosures indexed across all operators we track. Geographically, Morris Group International is reported in United States, a country with 3,115 ransomware disclosures in our corpus.

If your organisation is affected

A listing by ORION means Morris Group International appeared on a ransomware extortion site and data attributed to it has been published. If this is your organisation, or a supplier you depend on, the priority is to confirm the intrusion and contain it before the window to act closes.

  • Engage your incident-response team and preserve forensic evidence before remediating — do not wipe affected systems first.
  • Force a password reset and revoke active sessions for exposed accounts; rotate any credentials, API keys or certificates that may have been in the stolen data.
  • Assess regulatory notification duties (GDPR, NIS2, sector regulators) — many carry a 72-hour reporting clock from awareness.
  • Report the incident to your national CERT, CISA (United States), as required for your jurisdiction.
  • Monitor for the data appearing on ORION's leak site and across paste and breach channels, and brief downstream partners who may be exposed through you.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.