Ransomware groups have sharply escalated targeted attacks on construction and AEC firms, exploiting weak remote access controls and operational dependencies to deliver double-extortion campaigns that disrupt projects and steal sensitive data. These sector-focused intrusions are increasingly coordinated, with mid-market and contractor-heavy firms facing heightened risk of operational, reputational, and supply-chain impacts.

CYBER INSIGHTS OCT 08, 2025

Overview

Ransomware operators are increasingly targeting construction firms and the wider architecture, engineering, and construction (AEC) sector, exploiting the sector's distributed workforce, project-driven supply chains, dependence on shared file servers, and cloud-based project management platforms. In the past couple of weeks, multiple ransomware crews have publicly claimed attacks against U.S. construction companies, including Akira's compromise of Ludlow Construction and INC Ransom's intrusion at Ouellet Construction. Around the same time, Medusa added Leprohon Inc. (commercial and residential construction) to its leak site, underscoring that mid-market firms remain squarely in scope. Leak-site listings are the attackers' own claims and do not by themselves confirm the scope of a compromise, but the cadence of listings is the signal that matters here.

Attackers commonly gain initial access through phishing campaigns or by abusing exposed remote services, including RDP or misconfigured VPN portals. Established analyses of groups such as Akira show consistent use of credential reuse, VPN exploitation, and double extortion to maximize pressure on victims. The construction sector's reliance on operational uptime, interconnected vendors, and digital collaboration tools makes it an attractive target for financially motivated ransomware actors. Recent activity shows a clear escalation in targeting, with several ransomware groups hitting construction firms in quick succession and heightening the risk of supply-chain disruption and downstream impact. Together, these developments elevate near-term risk for construction companies with limited IT teams, job-site connectivity constraints, and high dependency on timely document exchange.

Key Findings:

  • Multiple ransomware groups, including Akira, INC Ransom, and Medusa, have recently and in close succession escalated targeting of construction and AEC-sector firms across North America and Europe; the groups operate independently, so the pattern reflects shared sector exposure rather than cooperation between crews.
  • Threat actors are exploiting basic access vectors such as phishing, exposed VPNs, and credential reuse to infiltrate environments and deploy double-extortion ransomware.
  • The attacks show a clear shift from opportunistic to sector-specific targeting, with mid-sized firms and contractors representing high-value, low-defense opportunities.
  • Compromised data frequently includes project documentation, HR and financial records, and client contracts, increasing risk of reputational damage, regulatory exposure, and downstream supply-chain compromise.
  • Immediate Actions: Conduct a rapid audit of all remote access points, including VPN, RDP, and cloud collaboration platforms, to identify unauthorized logins or configuration weaknesses. Review privileged accounts for misuse, disable inactive credentials, and verify that all critical backups are isolated, immutable, and recoverable. Implement strict access segmentation, enforce credential hygiene, and monitor for tools and behaviors associated with ransomware operators, including PsExec, AnyDesk, MegaSync, and abnormal data exfiltration activity.

1.0 Threat Overview

The recent surge in ransomware attacks reflects deliberate, sector-focused targeting of construction and AEC firms rather than isolated opportunistic incidents. Threat actors are exploiting the industry's interconnected ecosystem of contractors, vendors, and cloud-based collaboration tools to maximize operational disruption and extortion leverage. For firms operating under tight contractual deadlines, even brief system outages can trigger severe financial and legal repercussions. Stolen project blueprints, bid documents, and HR data also create lasting exposure, including competitive disadvantage and compliance violations. Organizations should watch for early indicators of compromise: authentication attempts from unexpected countries or IP ranges, unauthorized VPN logins, disabled endpoint protection, and sudden changes to shared file directories. Unusual outbound data transfers, newly created administrative accounts, and the appearance of AnyDesk, PsExec, or MegaSync may also signal an active intrusion; all three are legitimate utilities, so the signal is their presence on hosts where IT never deployed them, not the tool itself. The growing frequency and precision of these attacks indicate that ransomware actors now view the construction sector as a sustained, high-yield target rather than a peripheral opportunity.
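The indicators listed above map onto a handful of Windows event IDs, and hunting for them is mostly a matter of correlating those events per host. The script below is an example added for this page (it is not Hunter Strategy tooling): it takes pre-parsed Windows Security and System events as dicts keyed by the standard event field names, as a SIEM or winlogbeat export would supply, and flags RDP logons from outside the trusted ranges, newly created accounts promoted to an administrative group, service installs or process launches for PsExec, AnyDesk or MegaSync, shadow copy deletion, and Defender being stopped. The trusted address ranges, host names, and sample event batch are constructed for the example.

```python
"""Hunt for the early indicators listed above (RDP logons from unexpected
sources, new administrative accounts, remote-admin/file-sync tooling, shadow
copy deletion, endpoint protection being stopped) in Windows event records.
Example code added for this page; it is not Hunter Strategy tooling.
Assumptions: events arrive pre-parsed into dicts keyed by the Windows event
field names (as a SIEM or winlogbeat export would provide); the trusted
address ranges, sample events and host names below are constructed."""
import ipaddress
import re
from collections import defaultdict

# Assumed corporate/VPN address space; RDP from anywhere else is unexpected.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
REMOTE_TOOLS = re.compile(r"psexesvc|psexec|anydesk|megasync|megacmd", re.I)
SHADOW_KILL = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)
AV_TAMPER = re.compile(r"Set-MpPreference\s+-Disable|sc(\.exe)?\s+stop\s+(windefend|sense)", re.I)


def untrusted_source(ip):
    """True when a logon source address lies outside the trusted ranges.
    Local logons carry '-' as the address; loopback is never flagged."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr.is_loopback:
        return False
    return not any(addr in net for net in TRUSTED_NETS)


def hunt(events):
    """Return (rule, host, detail) findings for a time-ordered event batch."""
    findings = []
    created = defaultdict(set)  # host -> accounts created (4720) earlier in the batch
    for e in events:
        eid, host = e["id"], e["host"]
        if eid == 4624 and e.get("LogonType") == 10 and untrusted_source(e.get("IpAddress", "-")):
            # LogonType 10 = RemoteInteractive (RDP)
            findings.append(("rdp_logon_unexpected_source", host,
                             f"{e['TargetUserName']} from {e['IpAddress']}"))
        elif eid == 4720:  # user account created
            created[host].add(e["TargetUserName"])
        elif eid == 4732 and e.get("TargetUserName") in ADMIN_GROUPS:
            # Member added to a security-enabled local group. MemberName is
            # assumed already resolved to an account name; raw 4732 events
            # often carry '-' there and only populate MemberSid.
            member = e.get("MemberName", "")
            rule = "new_account_made_admin" if member in created[host] else "account_made_admin"
            findings.append((rule, host, f"{member} -> {e['TargetUserName']}"))
        elif eid == 7045 and REMOTE_TOOLS.search(f"{e.get('ServiceName', '')} {e.get('ImagePath', '')}"):
            # Service installed: PsExec drops PSEXESVC, AnyDesk installs a service
            findings.append(("remote_admin_tool_service", host, e.get("ServiceName", "")))
        elif eid == 4688:  # process creation (needs command-line auditing enabled)
            cmd = e.get("CommandLine", "")
            if SHADOW_KILL.search(cmd):
                findings.append(("shadow_copy_deletion", host, cmd))
            elif AV_TAMPER.search(cmd):
                findings.append(("av_tampering", host, cmd))
            elif REMOTE_TOOLS.search(e.get("NewProcessName", "")):
                findings.append(("remote_admin_tool_process", host, e.get("NewProcessName", "")))
        elif eid == 7036 and "Defender" in e.get("param1", "") and e.get("param2") == "stopped":
            # Service Control Manager: a Defender service entered the stopped state
            findings.append(("av_service_stopped", host, e["param1"]))
    return findings


# Constructed sample batch (not real telemetry): one file server, one workstation.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "FS01", "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7"},
    {"id": 4624, "host": "FS01", "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "10.20.1.15"},
    {"id": 4720, "host": "FS01", "TargetUserName": "support_tmp"},
    {"id": 4732, "host": "FS01", "TargetUserName": "Administrators", "MemberName": "support_tmp"},
    {"id": 7045, "host": "FS01", "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 4688, "host": "FS01", "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 4688, "host": "WS22", "NewProcessName": r"C:\Users\jsmith\AppData\Local\MEGAsync\MEGAsync.exe",
     "CommandLine": "MEGAsync.exe"},
    {"id": 7036, "host": "WS22", "param1": "Microsoft Defender Antivirus Service", "param2": "stopped"},
]

if __name__ == "__main__":
    for rule, host, detail in hunt(SAMPLE_EVENTS):
        print(f"{host:6} {rule:28} {detail}")
```

Two of the rules depend on audit settings that are off by default: event 4688 only carries the command line when "Include command line in process creation events" is enabled, and 4732 member names need SID resolution at ingestion, so check those before trusting a quiet result.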

Several ransomware groups (INC Ransom, Akira, Qilin, DragonForce, Medusa) show increasing sophistication and focus on construction and adjacent industries, exploiting their operational urgency and traditionally lax security postures. Common tactics include double extortion (encrypting and leaking), detailed victim profiling for leverage, and targeting of both the business and its supply-chain partners. Future incidents can be expected to feature more elaborate reconnaissance, multi-stage attacks that reuse exfiltrated PII and business data, and sector-specific blackmail strategies. Organizations should anticipate persistent targeting, follow-on phishing built on exposed PII, and supply-chain ripple effects if mitigation and strategic cyber defense investments are not prioritized.

1.1 Threat Commonalities

Ransomware crews hitting the construction and AEC sector share clear operational commonalities. They prefer low-effort, high-impact initial access (phishing and stolen credentials) and frequently exploit exposed remote access services (RDP, misconfigured VPNs, and internet-facing management portals). Once inside, operators follow a consistent playbook: rapid internal discovery using legitimate tools, targeted collection from shared file servers and project repositories, staged exfiltration to cloud file-sync services, then selective encryption and public data leakage to maximize leverage. This repeatable sequence explains why mid-market construction firms with many contractors, shared cloud drives, and limited segmentation are repeatedly attractive targets. It is also what makes the intrusion detectable before encryption: discovery and staging generate telemetry on file servers and at the network edge before the encryptor runs.
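The staging step in that playbook, bulk uploads from a file server to a cloud file-sync service, leaves a distinctive footprint in egress logs, and the example below is added here to show how to pull it out (it is example code for this page, not Hunter Strategy or vendor tooling). It reads one outbound connection per line in a key=value format, sums bytes per source host, and raises findings for uploads to a watchlist of file-sync domains (MegaSync talks to mega.nz and mega.co.nz), for hosts whose volume exceeds an absolute ceiling or a multiple of their own daily baseline, and for bulk transfers that happen at night. The log format, the watchlist, the thresholds, the baseline figures, and the sample lines are all constructed assumptions; a real proxy or firewall export would need its fields mapped onto the same names.

```python
"""Flag staged exfiltration to cloud file-sync services in outbound connection
logs, the step that precedes encryption in the playbook described above.
Example code added for this page; not Hunter Strategy or vendor tooling.
The key=value log format, the domain watchlist, the thresholds, the baseline
figures and the sample lines are all constructed assumptions; map your own
proxy or firewall export onto the same field names."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed watchlist: MegaSync talks to mega.nz / mega.co.nz; the rest are
# transfer services commonly abused for staging. Extend to your environment.
FILE_SYNC_DOMAINS = ("mega.nz", "mega.co.nz", "mega.io", "anonfiles.com", "gofile.io", "temp.sh")
ABS_THRESHOLD = 5 * 1024**3   # 5 GiB out of one host in the window is always notable
BASELINE_MULT = 5             # ...as is 5x that host's normal daily outbound volume
NIGHT_START, NIGHT_END = 22, 6  # assumed business hours 06:00-22:00 in log timezone
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """One connection record per line: ts=... src=... dst=... bytes_out=..."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def watchlisted(fqdn):
    """Exact or subdomain match against the file-sync watchlist."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in FILE_SYNC_DOMAINS)


def detect_staging(lines, baseline_bytes):
    """Return (rule, src_host, detail) findings. baseline_bytes maps host ->
    typical daily outbound bytes, assumed to come from prior history."""
    total, to_sync, at_night = defaultdict(int), defaultdict(int), defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        r = parse_line(line)
        total[r["src"]] += r["bytes_out"]
        if watchlisted(r["dst"]):
            to_sync[r["src"]] += r["bytes_out"]
        if r["ts"].hour >= NIGHT_START or r["ts"].hour < NIGHT_END:
            at_night[r["src"]] += r["bytes_out"]
    findings = []
    for host, out in total.items():
        if to_sync[host]:
            findings.append(("file_sync_upload", host,
                             f"{to_sync[host] / 1024**2:.0f} MiB to watchlisted file-sync services"))
        base = baseline_bytes.get(host, 0)
        if out >= ABS_THRESHOLD or (base and out >= BASELINE_MULT * base):
            findings.append(("outbound_volume_anomaly", host,
                             f"{out / 1024**3:.1f} GiB vs baseline {base / 1024**3:.2f} GiB/day"))
        if out >= 1024**3 and at_night[host] >= 0.8 * out:
            findings.append(("off_hours_bulk_transfer", host,
                             f"{at_night[host] / 1024**3:.1f} GiB moved between {NIGHT_START}:00 and {NIGHT_END:02d}:00"))
    return findings


# Constructed sample: a file server pushing ~6.5 GiB to MEGA at 02:00, and
# two workstations doing ordinary daytime traffic (Teams, Autodesk/BIM 360).
SAMPLE_LOG = """\
ts=2025-10-06T02:14:05Z src=FS01 user=svc_backup dst=g.api.mega.co.nz dport=443 bytes_out=2684354560
ts=2025-10-06T02:31:40Z src=FS01 user=svc_backup dst=gfs270n104.userstorage.mega.co.nz dport=443 bytes_out=4294967296
ts=2025-10-06T09:12:11Z src=WS14 user=jsmith dst=teams.microsoft.com dport=443 bytes_out=48234112
ts=2025-10-06T11:05:00Z src=WS22 user=aali dst=bim360.autodesk.com dport=443 bytes_out=734003200
ts=2025-10-06T14:40:09Z src=WS22 user=aali dst=bim360.autodesk.com dport=443 bytes_out=536870912
"""
# Assumed per-host daily baselines (bytes), e.g. a 30-day median from the same logs.
BASELINE = {"FS01": 200 * 1024**2, "WS14": 300 * 1024**2, "WS22": 600 * 1024**2}

if __name__ == "__main__":
    for rule, host, detail in detect_staging(SAMPLE_LOG.splitlines(), BASELINE):
        print(f"{host:6} {rule:26} {detail}")
```

The per-host baseline matters more than the absolute ceiling: a design workstation syncing Revit models to Autodesk legitimately moves gigabytes, while a file server whose normal outbound traffic is a few hundred megabytes a day is the host to look at first. Domain watchlists should be treated as a starting point, since operators rotate through whichever transfer service is not yet blocked.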


2.0 Threat Actor Breakdowns

Ransomware Threat Actor Profiles

Akira
First observed: March 2023
Operating model: Ransomware-as-a-Service (RaaS)
Payload: Akira encryptor (Windows/Linux/Hypervisor)
Target sectors: Mid-market businesses across manufacturing, construction, technology, and services.
Key TTPs: Stolen credentials, VPN/SSL appliance exploitation (especially SonicWall), double extortion.
Background: Emerged from Conti-style frameworks, adopting double extortion and affiliate scaling. Uses a retro "green screen" CLI leak interface and refuses to run on devices with Russian keyboard layouts. Affiliates use legitimate tooling such as Advanced IP Scanner for internal discovery.
Recent Activities (2025): Arctic Wolf documented a mid-2025 surge targeting SonicWall SSL VPN devices, including exploitation of CVE-2024-40766. Q3-Q4 2025 saw multiple U.S. construction and manufacturing victims. Dwell times tightened significantly; reported intrusions now move from access to encryption in under four hours.
Notable 2025 Victims: Ludlow Construction and multiple U.S. construction and manufacturing firms
Tags: RaaS, Double Extortion, SonicWall Exploitation, CVE-2024-40766, Construction, Manufacturing

DragonForce
First observed: Late 2023 (leak site active since December 2023); expanded sharply in 2025 after absorbing former RansomHub affiliates
Operating model: RaaS (took in former RansomHub affiliates after that operation's 2025 disruption)
Payload: DragonForce encryptor (Windows/Linux)
Target sectors: Construction, manufacturing, logistics, and project-based commercial sectors.
Key TTPs: Credential harvesting, phishing, remote access exploitation, pre-encryption reconnaissance targeting financial and HR systems.
Background: Ran its own leak site before RansomHub's 2025 disruption and grew by absorbing affiliates displaced by it. Operates as a financially motivated RaaS collective, prioritizing firms where operational downtime translates into immediate financial pressure. Second-generation extortion group combining data theft, infrastructure targeting, and selective encryption to avoid detection.
Recent Activities (2025): Claimed responsibility for attacks on Clemens Construction (US) and several European manufacturing entities. Data samples indicate targeted reconnaissance and exfiltration of financial, HR, and client documentation before the ransom demand. Leak site cadence suggests ongoing affiliate recruitment through late Q3 2025.
Notable 2025 Victims: Clemens Construction (US), multiple European manufacturing firms
Tags: RaaS, Credential Harvesting, Phishing, Construction, Manufacturing, Logistics

INC Ransom
First observed: Mid-2023
Operating model: Structured extortion operation (ransomware and leak site access offered to affiliates)
Payload: INC ransomware (Windows/Linux)
Target sectors: Municipalities, healthcare, education, SMBs, and construction firms.
Key TTPs: Phishing, public-facing application exploits (Citrix NetScaler CVE-2023-3519), credential theft, RDP usage, double extortion.
Background: Also tracked as Gold Ionic. Campaigns combine exfiltration and encryption phases. Employs commodity tools such as 7-Zip, AnyDesk, PsExec, and MegaSync for staging and exfiltration, with process-kill logic to disable defenses.
Recent Activities (2025): Announced the breach of Ouellet Construction and surfaced listings for the City of Gardendale, Alabama. Claimed involvement in the Panama Ministry of Economy & Finance incident, posting internal documents. Leak site cadence and victim breadth increased through Q3 2025, showing sustained operational capacity.
Notable 2025 Victims: Ouellet Construction, City of Gardendale (Alabama), Panama Ministry of Economy & Finance
Tags: Gold Ionic, CVE-2023-3519, Double Extortion, Municipalities, Healthcare, Construction

Lynx (INC Ransom Successor)
First observed: Mid-2024
Operating model: INC Ransom rebrand/successor
Payload: Lynx encryptor (Windows)
Target sectors: Utilities, retail, infrastructure, and industrial sectors including construction.
Key TTPs: Phishing, credential reuse, ransomware with data exfiltration; affiliates reuse existing INC tooling.
Background: Widely believed to be a successor or rebrand of INC Ransom, reusing parts of INC's ecosystem, including code and affiliate infrastructure. The model emphasizes flexibility: when pressure on INC increases, affiliates and tooling shift under a new banner. Continues the double extortion paradigm.
Recent Activities (2025): Claimed multiple victims in 2025 and ramped up affiliate recruitment. Named among the more active RaaS platforms targeting MSPs and mid-market firms. Rebranding and stealth operations make attribution murky, but overlapping tactics and leak site behavior tie it closely to the INC lineage.
Tags: RaaS, INC Rebrand, Double Extortion, MSPs, Infrastructure, Utilities

Medusa
First observed: 2021 (CISA dates the first activity to June 2021)
Operating model: Multi-extortion RaaS
Payload: Medusa encryptor with leak toolkit
Target sectors: SMBs, local governments, healthcare, and commercial firms.
Key TTPs: RDP/VPN access, vulnerability exploitation, exfiltration followed by extortion.
Background: Known for structured leak sites and public pressure mechanisms. Offers victims choices on the leak site (deadline extensions, data deletion, data downloads) and uses Telegram and public channels to amplify pressure. Data-centric operational approach: exfiltrate first, encrypt later, leverage reputational damage.
Recent Activities (2025): Continued listing new victims across sectors in 2025, including Leprohon Inc. (construction). Tactics escalated with destruction of recovery artifacts (shadow copies) and more aggressive leak timelines. CISA issued a #StopRansomware advisory on Medusa (AA25-071A) in March 2025, underscoring the growing threat.
Notable 2025 Victims: Leprohon Inc., multiple SMBs and local government entities
Tags: RaaS, RDP/VPN Exploit, Shadow Copy Deletion, SMBs, Government, Healthcare

Qilin
First observed: Late 2022
Operating model: Dominant RaaS platform
Payload: Qilin encryptor (Rust-based)
Target sectors: Manufacturing, construction, healthcare, government, and professional services.
Key TTPs: RDP compromise, phishing, unpatched software exploitation, automated lateral movement, DDoS/public extortion campaigns.
Background: Rapidly expanded in 2024-2025 following affiliate migration from RansomHub. Distinguished by automation, affiliate incentives, and built-in DDoS extortion features. The platform offers data hosting, negotiation dashboards, and integrated "journalism" tools to publish breach narratives. Its focus on medium and large enterprises reflects a maturing financial model.
Recent Activities (2025): Maintained top-tier ransomware volume throughout 2025, including the claimed breach of McGeorge Architecture Interiors and multiple manufacturing and healthcare victims. Affiliates demonstrated increasing speed and coordination, with intrusions progressing from compromise to public exposure within 48 hours. Infrastructure shows overlap with previous RansomHub command structures.
Notable 2025 Victims: McGeorge Architecture Interiors, multiple manufacturing and healthcare organizations
Tags: RaaS, Rust-based, DDoS Extortion, Automated Lateral Movement, Manufacturing, Healthcare, Construction

3.0 Historical Threat Overview

Construction Sector Ransomware Incidents

Clemens Construction (Philadelphia, PA)
Date: August 2025
Threat Actor: DragonForce
Summary: DragonForce breached Clemens Construction, exfiltrating financial, HR, client, and audit documentation before threatening public exposure unless a ransom is paid.
Data Compromised: Financial records, HR documentation, client files, audit documentation, banking information, insurance records, client contracts
Threat Impact: High-value commercial construction firm targeted for operational-disruption leverage. The variety of stolen data enables financial fraud and downstream partner compromise. Regulatory scrutiny is likely given the data exposure.
Strategic Assessment: The attack demonstrates DragonForce's focus on time-sensitive, project-based organizations where operational disruptions create immediate financial pressure.
Tags: Financial Records, Client Contracts, Double Extortion, Philadelphia, PA

Humax Holdings (South Korea)
Date: September 2025
Threat Actor: INC Ransom
Summary: INC Ransom attacked Humax Holdings, a South Korean electronics and network-equipment manufacturer rather than a construction firm (included here as an INC Ransom incident from the same period), accessing fiscal data, internal emails, full employee records, and strategic development plans.
Data Compromised: Fiscal data, internal email communications, complete employee records, strategic development plans
Threat Impact: Multifaceted threat enabling financial fraud, insider threats, and third-party spear-phishing campaigns. Theft of strategic materials may support industrial espionage, impacting organizational competitiveness.
Espionage Concerns: Exfiltration of strategic development plans suggests a potential industrial espionage component beyond standard ransomware monetization.
Tags: Strategic Plans, Employee Records, Industrial Espionage, South Korea

McGeorge Architecture Interiors
Date: October 2025
Threat Actor: Qilin
Summary: Qilin recently claimed McGeorge Architecture Interiors on its leak site, indicating a successful breach and likely exfiltration of sensitive project files and client data.
Data Compromised: Sensitive project files, client data, architectural designs, proprietary specifications
Threat Impact: Heightened ransomware threat to mid-sized design and architecture firms. Reputational impact may lead to client attrition and operational downtime. Secondary risks include resale of the data in illicit markets.
Sector Trend: Qilin's evolving targeting of architectural firms highlights perceived cybersecurity gaps in design-led businesses.
Tags: Project Files, Client Data, Encryption + Extortion, Architecture Sector

Morrisroe Ltd (United Kingdom)
Date: September 2025
Threat Actor: Unknown / Unattributed
Summary: Morrisroe Ltd, a UK contractor, confirmed a breach affecting employee financial, payroll, and banking data. The attacker remains unidentified.
Data Compromised: Employee financial information, payroll data, banking details
Threat Impact: Immediate threat of identity theft and banking fraud against staff. Prolonged data misuse is likely until forensic analysis clarifies the breach's extent. Proactive employee warnings indicate concern over credential-based follow-on attacks.
Tags: Payroll Data, Banking Details, Identity Theft, United Kingdom

Leprohon Inc. (Canada)
Date: October 2025
Threat Actor: Medusa
Summary: Medusa listed Leprohon, a Canadian construction company, on its leak site; operational and financial data was likely compromised. The level of detail in the listing indicates reconnaissance of the victim.
Data Compromised: Operational data, financial records, company revenue details, organizational size information
Threat Impact: Financial loss risk, supply chain disruption potential, severe reputational harm. Attackers are expected to leak data for maximum pressure if demands are unmet. Company size suggests potential underinvestment in cybersecurity.
Public Shaming Tactic: Medusa's publication of industry, revenue, and size demonstrates detailed reconnaissance and an intent to shame for leverage.
Tags: Financial Records, Public Exposure, Supply Chain Risk, Canada

Ludlow Construction
Date: October 2025
Threat Actor: Akira
Summary: Ludlow Construction suffered a major breach by Akira, resulting in exfiltration of approximately 205 GB of sensitive data, including PII, financial records, contracts, and detailed project specifications.
Data Compromised: Personally identifiable information (PII), financial records, contractual documents, detailed project specifications, competitive project information (approximately 205 GB exfiltrated)
Threat Impact: Elevated risk of identity theft, fraud, and regulatory consequences for privacy violations. Compromised competitive project information could destabilize current and future operations.
Scale: The 205 GB exfiltration demonstrates Akira's focus on comprehensive data theft for both ransom leverage and secondary monetization.
Tags: 205 GB Data, PII, Project Specs, Data Monetization, Double Extortion

Ouellet Construction (New England)
Date: October 2025
Threat Actor: INC Ransom
Summary: INC Ransom targeted Ouellet Construction, a New England commercial builder, posting a detailed victim profile on its leak site. Double-extortion tactics were employed, combining encryption with leak threats.
Data Compromised: Employee records, internal communications, financial documents, company revenue details, employee count information
Threat Impact: Data exposure enables follow-on social engineering against employees and partners, and secondary attacks against clients and supply chain entities. Non-payment is likely to result in full data release, amplifying operational, legal, and reputational risk.
Targeted Reconnaissance: The specificity of the leak site posting suggests extensive pre-breach reconnaissance and a high likelihood of full data release upon non-payment.
Tags: Employee Records, Internal Comms, Double Extortion, Social Engineering, New England

3.1 Industry Impact

Collectively, these incidents reveal a clear pattern of exploitation across the construction and wider AEC sector. Each attack leveraged familiar access points (phishing, credential theft, and exposed remote services), showing how common weaknesses are being systematically weaponized against firms with distributed operations and limited segmentation. The shared tactic of data exfiltration before encryption, followed by double extortion and public leak threats, underlines a common shift toward maximizing reputational and operational pressure. These breaches matter because they expose how project-driven industries remain highly vulnerable to disruption, data theft, and downstream supply-chain compromise. Going forward, organizations should monitor for early indicators of intrusion, such as unauthorized VPN or RDP connections, sudden privilege escalations, the appearance of remote administration tools like AnyDesk or PsExec, and large outbound data transfers to unfamiliar domains. The recurrence of these methods across multiple unrelated actors signals a persistent, industry-specific threat pattern that will likely continue unless proactive segmentation, credential hardening, and vendor access controls are enforced sector-wide.


4.0 Recommendations for Mitigation

  • Access Control and Network Segmentation: Apply strict least-privilege principles with just-in-time account provisioning and time-bound access for contractors; segment networks by department, project, or job site to prevent ransomware lateral movement and limit the blast radius of any intrusion.
  • Backup and Recovery Posture: Establish immutable, air-gapped backups stored off-network and perform quarterly restoration drills to ensure operational continuity; maintain isolated recovery environments where systems can be rebuilt and validated without risk of re-infection before being reintroduced to production.
  • Data Governance and Insider Risk: Enforce data loss prevention policies integrated with behavioral analytics to flag unusual file transfers, project data exfiltration, or credential use anomalies from remote devices, particularly focusing on design repositories, client databases, and shared cloud environments.
  • Remote Access Security: Replace legacy VPNs with Zero Trust Network Access (ZTNA) solutions that require continuous device posture verification, adaptive risk scoring, and session-scoped access for every login, so that only compliant and authenticated devices reach internal assets. Until that migration is complete, patch VPN and SSL appliances promptly (Akira's exploitation of SonicWall CVE-2024-40766 shows the cost of lag), require MFA on every remote login, and take any RDP that is exposed directly to the internet offline.
  • Vendor and Supply Chain Assurance: Implement continuous monitoring and periodic audits of subcontractors and supply-chain partners for credential leaks, outdated software, and insecure remote access points; require attestations of security practices and incident response readiness from all third parties.
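The "Immediate Actions" in the Key Findings and the access-control recommendation above both come down to reviewing an account list against a few policy questions: is this enabled credential still in use, is this contractor's access time-bound, and is this privileged account a service identity or running on a stale password. The script below is an example added for this page, not Hunter Strategy tooling. It reads a CSV account export with constructed column names (sam, type, enabled, last_logon, pwd_last_set, expires, groups; dates as YYYY-MM-DD, groups separated by ';'), so a real Get-ADUser or identity-provider export would need its columns mapped onto those names. The policy thresholds, the privileged-group list, and the sample rows are assumptions for the example.

```python
"""Audit an account export for the conditions the recommendations above ask
for: inactive credentials still enabled, contractor access that is not
time-bound, and privileged accounts running as service identities or on stale
passwords. Example code added for this page; it is not Hunter Strategy
tooling. The CSV layout, the policy thresholds and the sample rows are
constructed assumptions; a real Get-ADUser or IdP export needs its columns
mapped onto these names (dates as YYYY-MM-DD, groups separated by ';')."""
import csv
import io
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
INACTIVE_DAYS = 45         # assumed policy: no logon for 45 days -> disable
CONTRACTOR_MAX_DAYS = 90   # assumed policy: contractor access expires within 90 days
PRIV_PWD_MAX_DAYS = 90     # assumed policy: privileged credentials rotate every 90 days


def _date(s):
    return datetime.strptime(s, "%Y-%m-%d") if s else None


def audit_accounts(csv_text, now):
    """Return (rule, account, detail) findings for every enabled account."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["sam"]
        if row["enabled"].strip().lower() != "true":
            continue  # a disabled account is not an access path; nothing to report
        groups = {g.strip() for g in row["groups"].split(";") if g.strip()}
        last_logon, pwd_set, expires = (_date(row[k]) for k in ("last_logon", "pwd_last_set", "expires"))
        if last_logon is None or now - last_logon > timedelta(days=INACTIVE_DAYS):
            findings.append(("inactive_enabled", name, f"last logon {row['last_logon'] or 'never'}"))
        if row["type"] == "contractor":
            if expires is None:
                findings.append(("contractor_no_expiry", name, "account never expires"))
            elif expires < now:
                findings.append(("contractor_expired_still_enabled", name, f"expired {row['expires']}"))
            elif expires - now > timedelta(days=CONTRACTOR_MAX_DAYS):
                findings.append(("contractor_expiry_too_far", name, f"expires {row['expires']}"))
        priv = groups & PRIVILEGED_GROUPS
        if priv:
            if row["type"] == "service":
                findings.append(("service_account_privileged", name, ", ".join(sorted(priv))))
            if pwd_set is None or now - pwd_set > timedelta(days=PRIV_PWD_MAX_DAYS):
                findings.append(("privileged_stale_password", name, f"password set {row['pwd_last_set'] or 'never'}"))
    return findings


# Constructed export (not a real directory): employees, subcontractor
# accounts, a backup service account and one former employee.
SAMPLE_EXPORT = """\
sam,type,enabled,last_logon,pwd_last_set,expires,groups
jsmith,employee,true,2025-10-06,2025-08-20,,Domain Users
pm_old,employee,true,2025-06-01,2025-01-10,,Domain Users;Project Managers
sub_acme01,contractor,true,2025-10-05,2025-09-01,,Domain Users;Site-Remote
sub_bravo02,contractor,true,2025-09-30,2025-07-15,2025-09-15,Domain Users
sub_charlie03,contractor,true,2025-10-01,2025-09-20,2026-06-30,Domain Users
svc_backup,service,true,2025-10-07,2024-03-01,,Domain Users;Domain Admins
itadmin,employee,true,2025-10-07,2025-09-29,,Domain Users;Domain Admins
ex_employee,employee,false,2025-02-12,2024-11-01,,Domain Users
"""
AUDIT_DATE = datetime(2025, 10, 8)  # fixed so the sample is reproducible


def run_sample():
    return audit_accounts(SAMPLE_EXPORT, AUDIT_DATE)


if __name__ == "__main__":
    for rule, account, detail in run_sample():
        print(f"{rule:32} {account:14} {detail}")
```

Two findings in the sample deserve a note. The expired contractor account that is still enabled is the case the "time-bound access" recommendation exists to prevent: an expiry date that nobody enforces is not a control. The backup service account in Domain Admins with a password last set over a year ago is exactly the credential that the RDP and VPN abuse described in this report tends to land on, since it is both highly privileged and rarely rotated.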

5.0 Hunter Insights

Ransomware activity targeting construction and AEC-adjacent firms has surged, with groups such as Akira, INC Ransom, and Medusa using repeatable tactics that exploit the sector's operational dependencies. These attackers rely on common weaknesses, such as phishing, exposed RDP and VPN services, and credential reuse, to gain initial access, then employ double extortion (data exfiltration followed by encryption) to maximize pressure on victims. Attack paths frequently run through the sector's distributed workforce and cloud collaboration tools, which, combined with tight operational schedules and interconnected supply chains, make construction firms both lucrative and vulnerable targets. Mid-market firms in particular are preferred because their value is high and their defenses are typically weak. Compromised data often includes sensitive project plans, financial and HR records, and client contracts, posing downstream risks of reputational damage, regulatory exposure, and supply chain disruption.

Key ransomware actors remain active, employing tactics well suited to the construction sector. INC Ransom relies on commodity staging and exfiltration tools (7-Zip, MegaSync) and public leak sites to pressure firms such as Ouellet Construction, while Akira's rapid access-to-encryption tradecraft produced the large-scale data compromise at Ludlow Construction. Medusa's structured leak sites amplify reputational harm by offering victim data for download, deletion, or deadline extension, as seen in its listing of Leprohon Inc. Other groups, such as DragonForce and Lynx, rely on VPN and remote access misconfigurations to infiltrate firms, threatening project delays and financial fraud through the exfiltration of critical documents. Taken together, these campaigns reflect deliberate sector targeting rather than opportunistic breaches, even though the groups behind them operate independently of one another.

Looking ahead, the construction and AEC sectors should prepare for continued escalation in ransomware activity characterized by rapid lateral movement, multi-vector access campaigns, and long-term exploitation of stolen data. Attackers are expected to deepen their targeting of cloud and file-sharing infrastructure, exploiting insecure remote protocols and supply chain interdependencies to maximize impact. Firms with limited IT staffing, outdated access controls, and inadequate segmentation are at heightened risk of severe operational and financial consequences. Preventive measures should include zero-trust access frameworks, rigorous backup and recovery protocols, comprehensive vendor security assessments, and behavioral analytics for data governance and protection. Failure to adopt such defenses will likely lead to increased incident frequency, amplified extortion attempts, and sector-wide disruptions affecting project continuity and market reputation. The spread of risk into architecture, vendor, and subcontractor environments signals a broadening threat surface that demands coordinated cybersecurity strategies across the sector.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.