Texas industrial giant under pressure, with hackers claiming to have stolen entire corporate database
A Texas-based industrial heavyweight receives "final notice" before sensitive is exposed.

A Texas-based industrial heavyweight has been targeted by a ransomware gang, which issued a "final notice" before sensitive corporate and employee data is exposed.
- Chaos ransomware gang claims to have breached Universal Plant Services, a $615 million Texas-based industrial services company.
- Stolen data allegedly includes employee SSNs, payroll records, health files, tax filings, and confidential engineering documents.
- The gang issued a "final notice" threatening to leak the data publicly if the company refuses to pay ransom.
- Chaos operates a ransomware-as-a-service model, historically targeting schools, small businesses, and local governments with weaker security.
The industrial services company Universal Plant Services (UPS) was listed on the Chaos ransomware site on the dark net.
The company, headquartered in Texas, is North America's leading specialist in rotating and reciprocating equipment services, serving approximately 700 customer facilities nationwide. The company boasts $615 million in annual revenue.
The attackers claim that they have stolen a wide range of the company’s data, including:
- Full audits
- Tax filings (ADP)
- Payroll
- Bank transactions
- Cash management reports
- Employee SSNs, home addresses, and dates of birth
- Confidential employee health records
- Detailed subcontracts
- NDA agreements
- Customer files
- Licensing documentation
- Internal machinery reports
- Proprietary procurement data (Ethos Energy, Energy Services)
- Quality control (QAQC) protocols
- Project proposals
The gang is threatening the company with the “final notice.” This is a common tactic among ransomware gangs: blackmailing victims with the threat of releasing their data to force them to pay the ransom.
While the legitimacy of the claims cannot be confirmed at the moment, if they prove to be legitimate, they may have severe consequences for the company and its employees.
“There is a risk of identity theft and various types of fraud for the employees since SSNs are mentioned. Because of this, the company could face some regulatory scrutiny as well,” Cybernews researchers explained.
“This dataset could reveal a company’s financial strategies and operational details, which could result in client loss, loss of competitive advantage, and generally a bigger attack surface.”
We reached out to UPS for comment and will update the article once we receive a response.
What is known about Chaos ransomware?
Chaos ransomware first appeared in mid-2021. Their business model is based on ransomware-as-a-service (RaaS).
The gang’s ransomware builder makes it trivially easy for entry-level threat actors to generate custom ransomware campaigns without coding or infrastructure.
Chaos builder variants are known to have predominantly targeted schools, small businesses, local governments, and individual users. These types of organizations have weaker security postures and are easier targets.
For example, in 2025, the gang targeted the charity organization Salvation Army.
Malware distribution methods used by the gang include phishing attacks, malicious downloads, and pirated software.
Chaos ransomware is often used for dual purposes – both ransomware and a wiper, making it particularly appealing for politically motivated or destructive cyber campaigns.
Since Russia’s war in Ukraine kicked off, Chaos-based malware has been used to wipe Ukrainian systems and cause extensive damage.