Australian Toy Distributor KB Toys Hit by Emerging Ransomware Gang M3rx
An Australian toy distributor, KB Toys, has fallen victim to the newly identified ransomware group M3rx, which claimed responsibility for the attack on 6 May 2026. The hackers published a leak post alleging the theft of 36,840 files totaling 140GB, including invoices, sales data, and other sensitive documents some dated as recently as 2026. A text file listing the exfiltrated data was also released, though no ransom demand or deadline was disclosed.
KB Toys, based in Sydney, operates an extensive eBay store (Nicole’s Toys and Gifts) and offers warehouse tours at its Taren Point facility. The company has not responded to requests for comment.
M3rx, first observed on 29 April 2026, has rapidly expanded its victim list, with 15 organizations targeted to date, including Sydney-based building management firm Prime Properties. Limited intelligence on the group’s ransomware variant has been gathered by IBM X-Force Exchange, revealing technical details such as:
- A PE32+ x64 Go-based ransomware sample with an embedded configuration.
- Encrypted files appended with the extension .8hmlsewu.
- A ransom note titled RECOVERY_NOTES.TXT, demanding Bitcoin after negotiation.
- Use of X25519 key exchange, AES-CTR for file encryption, and AES-GCM for key wrapping.
- Post-encryption behaviors, including Recycle Bin clearing and self-deletion via PowerShell.
The attack highlights the growing threat posed by M3rx, a group still under investigation as its operational tactics evolve.
Source: https://www.cyberdaily.au/security/13574-exclusive-aussie-toy-distributor-listed-by-m3rx-ransomware
KB Toys cybersecurity rating report: https://www.rankiteo.com/company/kb-toys
Prime Property Management Corporate Inc. cybersecurity rating report: https://www.rankiteo.com/company/primepropertypm
"id": "KB-PRI1778473457",
"linkid": "kb-toys, primepropertypm",
"type": "Ransomware",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'industry': 'Retail (Toys)',
'location': 'Sydney, Australia',
'name': 'KB Toys',
'type': 'Company'}],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': '36,840 files',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Invoices',
'Sales data',
'Sensitive documents']},
'date_detected': '2026-05-06',
'date_publicly_disclosed': '2026-05-06',
'description': 'An Australian toy distributor, KB Toys, has fallen victim to '
'the newly identified ransomware group M3rx, which claimed '
'responsibility for the attack on 6 May 2026. The hackers '
'published a leak post alleging the theft of 36,840 files '
'totaling 140GB, including invoices, sales data, and other '
'sensitive documents some dated as recently as 2026. A text '
'file listing the exfiltrated data was also released, though '
'no ransom demand or deadline was disclosed.',
'impact': {'data_compromised': '36,840 files totaling 140GB'},
'investigation_status': 'Ongoing',
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransomware_strain': 'M3rx'},
'references': [{'source': 'IBM X-Force Exchange'}],
'threat_actor': 'M3rx',
'title': 'Australian Toy Distributor KB Toys Hit by Emerging Ransomware Gang '
'M3rx',
'type': 'Ransomware'}