Low Unverified

Datasavior Ransomware Attack by m3rx (May 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Leak Site Screenshot

Leak site post claiming datasavior.com data breach

Screenshot captured at time of discovery. Image blurred to protect victim PII.

Claim Summary

On May 6, 2026, the ransomware group known as m3rx allegedly added Datasavior (datasavior.com) to their leak site. The group claims to have exfiltrated approximately 540MB of data, comprising 1,410 files, from the US-based technology company. Datasavior is described as a full-service systems integration firm headquartered in Austin, Texas, specializing in IT support, fiber cable installations, and managed services for medical and dental offices. According to the threat actor, the stolen data includes contact information (a phone number: +1 (512) 707-0026) and unspecified internal files. This claim has not been independently verified by Yazoul Security.

Threat Actor Profile

The group m3rx is a relatively obscure ransomware operation with limited public documentation. Based on available threat intelligence, m3rx appears to be a smaller or emerging group, as no confirmed victim count or established toolset has been widely reported. Their tactics, techniques, and procedures (TTPs) remain largely unknown, though they likely employ common initial access vectors such as phishing, remote desktop protocol (RDP) exploitation, or vulnerability scanning. No YARA rules or detection guidance are currently available for m3rx, so organizations should monitor for unusual network activity, particularly file encryption events and data exfiltration attempts. The group’s credibility is difficult to assess because it lacks a proven track record, and its claim against Datasavior should be treated with caution.

Alleged Data Exposure

The threat actor claims to have stolen 540MB of data, including 1,410 files. The only specific data point mentioned is a phone number (+1 (512) 707-0026), which may be a business contact line. Based on Datasavior’s profile as a systems integrator serving healthcare clients, the compromised data could potentially include:

  • Internal IT documentation and network diagrams
  • Client contracts and service agreements
  • Backup configurations and antivirus software details
  • Employee or client contact information
  • Practice management system credentials or configurations

However, the exact nature of the stolen data has not been confirmed by Datasavior or independent sources.

Potential Impact

If the claim is verified, the impact on Datasavior could be significant. Because Datasavior provides IT support and data backup services for medical and dental offices, a breach could expose sensitive client information, including patient-related data or practice management system access. This may lead to:

  • Regulatory scrutiny under HIPAA or other healthcare data protection laws
  • Loss of client trust and potential contract cancellations
  • Operational disruption from ransomware encryption
  • Reputational damage within the technology and healthcare sectors

The relatively small data volume (540MB) suggests the breach may be targeted rather than a full network compromise, but the healthcare focus amplifies the risk.

What to Watch For

  • Monitor Datasavior’s official channels for a statement or incident response notice
  • Watch for any leaked data samples on dark web forums that could confirm the claim
  • Healthcare clients of Datasavior should review their own systems for signs of unauthorized access
  • Security teams should check for m3rx-related indicators of compromise (IOCs) as they become available
  • Be alert for phishing attempts leveraging Datasavior’s name or stolen contact information

Disclaimer

This intelligence report is based on unverified claims posted by the ransomware group m3rx on their leak site. Yazoul Security has not independently confirmed the attack, the data theft, or the accuracy of the group’s statements. Ransomware groups frequently exaggerate or fabricate claims to pressure victims into paying ransoms. Organizations should treat this information as preliminary and conduct their own verification before taking action. No PII, download links, or access methods are provided in this report. For more information, visit Yazoul Security’s dark web monitoring section at /intel/.
