DragonForce Ransomware Hits John Gallin & Son: 783GB Data Breach

Incident Date: Jul 24, 2024

Attack Overview
Victim: John Gallin & Son
Industry: Construction
Location: USA
Attacker: DragonForce
First Reported: July 24, 2024

DragonForce Ransomware Attack on John Gallin & Son

Overview of John Gallin & Son

John Gallin & Son is a prominent construction management and general contracting firm based in New York City. Founded in 1886 by Irish immigrant John Gallin, the company has remained under the stewardship of the Gallin family for four generations. Specializing in commercial interiors, the firm is known for its expertise in managing projects within Manhattan's high-rise buildings. The company employs approximately 53 people and reported an annual revenue of approximately $2.4 million in 2024.

Details of the Ransomware Attack

On July 25, 2024, John Gallin & Son fell victim to a ransomware attack orchestrated by the DragonForce group. The attack resulted in a significant data breach, with a leak size amounting to 783.94GB. The compromised data could potentially include sensitive corporate information, posing a substantial risk to the company's operations and client confidentiality.

About DragonForce Ransomware Group

DragonForce is a relatively new ransomware group that emerged in late 2023. The group is known for double extortion: it encrypts victims' data and also exfiltrates sensitive data, which it threatens to release publicly if the ransom is not paid. DragonForce has claimed attacks against various industries across the US, UK, Australia, Singapore, and other countries. Its ransomware code is based on a leaked builder from the infamous LockBit ransomware group, suggesting the group leveraged this code to quickly develop and deploy its own ransomware.

Potential Vulnerabilities

John Gallin & Son's focus on high-profile commercial interior projects in Manhattan makes them a lucrative target for ransomware groups like DragonForce. The company's extensive involvement in planning, budgeting, and scheduling, along with their collaborative approach, means they handle a significant amount of sensitive data. This data, if compromised, could severely impact their operations and client trust. The attack highlights the importance of robust cybersecurity measures, especially for firms handling critical and sensitive information.

Penetration Methods

While the exact method of penetration in this attack is not publicly disclosed, DragonForce's use of the LockBit ransomware code suggests they may have exploited known vulnerabilities in the company's systems. Common methods include phishing attacks, exploiting unpatched software vulnerabilities, and leveraging weak or compromised credentials. The sophistication of DragonForce's tactics underscores the need for continuous monitoring and updating of cybersecurity defenses.
