ersa.com.py Data Breach

Alleged

Ransomware claim involving ersa.com.py.

Published: Jun 17, 2026
Threat Level: High
Confidence: High

Quick Summary

Company: ersa.com.py
Industry: Manufacturing
Date of Incident: Jun 17, 2026
Status: Alleged

Executive Summary

ersa.com.py, a manufacturing company based in Paraguay, has been listed as a victim on the Krybit ransomware group’s dark web portal. The listing was published on June 17, 2026, and identified through SOCRadar’s Dark Web Monitoring service. This adds a Latin American manufacturing target to Krybit’s victimology, which has otherwise been concentrated in Europe. Krybit has claimed 28 other victims in the 60 days prior to this listing, primarily targeting the business services, public sector, and technology sectors, with a strong geographical focus on Germany and Austria.

Technical Analysis

SOCRadar’s analysis of stealer-log telemetry revealed a severe exposure for the ersa.com.py domain, with ten records tied to corporate usernames. Most of these records were captured against Microsoft 365 identity and mail infrastructure, including the Microsoft Entra ID single-sign-on portal and a Microsoft 365 SMTP relay. The data indicates a long-lived exposure, spanning from late July 2025 through early June 2026, suggesting a heavily compromised endpoint or reused credentials. For ransomware groups like Krybit, such credentials harvested by infostealers are a common initial access vector. The combination of valid corporate logins to an Entra ID SSO portal and M365 mail infrastructure aligns with the early stages of the kill chain typically observed for this type of incident. The recommended response includes immediate credential rotation, enforced phishing-resistant MFA, and a forensic review of the implicated endpoint.
