Skip to main content

Ransomware victim disclosure

All victims

Bayou Title, Inc.

Claimed by Aurora · listed 3 months ago

2m
Age
since listed · data leaked

Status timeline

  1. ListedApr 29, 2026
  2. Data leakeddate unknown

At a glance

Group
Aurora
Status
Data leaked
Listed on leak site
Apr 29, 2026

About the victim

AI dossier — public-source company profile

Bayou Title, Inc. is the largest title insurance agent and closing/settlement services provider in Louisiana, operating 19 full-service locations statewide. The company provides title abstracts, HUD-1 settlement services, escrow, and related real estate closing services across Louisiana. It has been in operation since at least 2004, accumulating over 20 years of transaction records.

Industry
Title Insurance & Real Estate Closing Services
Address
Gretna, Louisiana, US (headquarters inferred; 19 statewide Louisiana locations including Gretna, Alexandria, Baton Rouge, Bossier City, Lafayette, Lakeview, Lake Charles, Mandeville, Metairie, New Iberia)
Founded
2004

Attack summary

Severity: critical — The exfiltration includes 70,000–100,000+ SSNs paired with financial data, complete employee payroll records with bank account and routing numbers, decades of real estate closing files with identity documents, and plaintext government system credentials — representing large-scale regulated PII (financial and tax data) affecting both customers and employees across 20+ years of operations.

The Aurora ransomware group claims to have exfiltrated data spanning 20+ years of operations (2004–2026), including tens of thousands of Social Security numbers paired with financial records, complete employee payroll databases, 103 GB of title abstracts, 44 GB of closing file archives, plaintext government portal credentials, and attorney-client privileged documents. The disclosure status is listed as data_published, indicating the stolen data has been released.

critical

Data the group says was taken

AI dossier — extracted from the leak post
  • 70,000–100,000+ Social Security numbers with names and addresses
  • 1099-S real estate closing worksheets (2018–2020)
  • W-2 and 1099-MISC tax filings
  • Sage 50 EMPLOYEE.DAT payroll files (10+ instances)
  • Bank account and routing numbers for employees
  • Employee pay rates and tax withholding records
  • Direct deposit details
  • 103 GB of title abstract PDFs (~34,000+ documents)
  • 44 GB of GreenFolders DMS closing file archives (2012, 2013, 2019)
  • HUD-1 settlement statements
  • Identity verification documents and SSN cards
  • Plaintext government portal credentials
  • Attorney-client privileged documents (wills, engagement letters, legal opinions)

What the group claims

[insurance] Bayou Title, Inc. — the largest title insurance agent and closing/settlement services provider in Louisiana, with 19 full-service locations statewide. The exfiltrated data spans 20+ years of operations (2004–2026) and includes: 70,000–100,000+ Social Security numbers paired with names, addresses, and sale proceeds from 1099-S real-estate closing worksheets covering all 19 offices across three tax years (2018–2020), plus W-2 and 1099-MISC filings. Complete employee payroll databases — 10+ instances of Sage 50 EMPLOYEE.DAT files containing SSNs, bank account numbers, routing numbers, pay rates, tax withholding, and direct deposit details for current and former employees. 103 GB of title abstracts — ~34,000+ PDFs documenting ownership chains, liens, and mortgages for properties across Louisiana. 44 GB of GreenFolders DMS transaction packages (2012, 2013, 2019) — complete closing file archives containing HUD-1 settlement statements, identity verification documents, SSN cards, and tax records. Filenames contain encoded tags (ssn, hud, soc, tax). Plaintext credentials for government portals — a file literally named Lafayette Assessors lcmenard Password4321.url, plus a PDF containing Orleans Parish system login credentials. Attorney-client privileged documents — wills, attorney engagement letters, and legal opinions prepared by licensed Louisiana attorneys.

Sources

Source

Indexed 3 months ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About aurora

Aurora is a recently emerged ransomware group first observed in April 2026, operating with apparent financial motivations through targeted attacks across multiple sectors. Given its recent emergence, limited public documentation exists regarding the group's specific country of origin or affiliations with established ransomware operations, though its targeting patterns suggest a professional operation potentially operating as an independent entity rather than a known Ransomware-as-a-Service model. The group has demonstrated a preference for attacking business-critical sectors including business services, consumer services, manufacturing, healthcare, and financial services, with documented attacks spanning the United States, Canada, the Maldives, and Great Britain, though specific initial access vectors and technical methodologies remain undocumented by major threat intelligence firms. With only seven known victims documented since April 2026, Aurora represents a relatively small-scale operation compared to established ransomware families, though its cross-sector targeting approach and international victim scope indicate deliberate selection criteria rather than opportunistic attacks. The group remains active as of current reporting, though the limited victim count and recent emergence suggest either a highly selective targeting approach or a nascent operation still developing its operational capabilities. The group has been linked to 21 public disclosures across our corpus. First observed on a leak site on April 29, 2026; most recent post June 30, 2026. The operation is currently active.

Timeline of this disclosure

  • April 29, 2026Bayou Title, Inc. listed by auroraon the group's public leak site

Sector and geography

This disclosure adds to ransomware activity in the Financial Services sector, which has 1,184 disclosures indexed across all operators we track. Geographically, Bayou Title, Inc. is reported in United States, a country with 3,115 ransomware disclosures in our corpus.

If your organisation is affected

A listing by aurora means Bayou Title, Inc. appeared on a ransomware extortion site and data attributed to it has been published. If this is your organisation, or a supplier you depend on, the priority is to confirm the intrusion and contain it before the window to act closes.

  • Engage your incident-response team and preserve forensic evidence before remediating — do not wipe affected systems first.
  • Force a password reset and revoke active sessions for exposed accounts; rotate any credentials, API keys or certificates that may have been in the stolen data.
  • Assess regulatory notification duties (GDPR, NIS2, sector regulators) — many carry a 72-hour reporting clock from awareness.
  • Report the incident to your national CERT, CISA (United States), as required for your jurisdiction.
  • Monitor for the data appearing on aurora's leak site and across paste and breach channels, and brief downstream partners who may be exposed through you.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.