DragonForce Ransomware Group Targets David E. Shambach Architect

David E. Shambach Architect, a prominent architecture firm based in Tucson, Arizona, has fallen victim to a ransomware attack orchestrated by the DragonForce group. The attackers claim to have exfiltrated 122.88 GB of sensitive data, threatening to release it publicly if their demands are not met within the next 3–4 days.

About David E. Shambach Architect

Established in 1993 and incorporated in 1994, David E. Shambach Architect, Inc. (DESA) is a well-regarded firm specializing in a diverse range of architectural projects. The firm’s portfolio includes residential designs like the Jewel Box House and Strawbale House, commercial spaces, and fire stations such as the Corona Fire Station and Rincon Fire Station. Additionally, the firm is noted for its work on historic renovations, including the Tombstone Historic City Hall.

David E. Shambach, the principal architect, holds a Bachelor of Architecture degree from the University of Arizona and is a registered architect in Arizona. His extensive experience includes managing client relationships, overseeing contract administration, and ensuring compliance with life safety and zoning codes. The firm employs between 11-50 people and is headquartered at 1202 E Broadway Blvd, Tucson, Arizona.

Vulnerabilities and Attack Overview

The attack on David E. Shambach Architect highlights the vulnerabilities that small to medium-sized firms face in the cybersecurity landscape. Despite their expertise in architecture, firms like DESA may lack the necessary cybersecurity measures needed to fend off sophisticated ransomware attacks. The firm's collaborative approach to design and extensive client interactions could have provided multiple entry points for the attackers.

DragonForce claims to have infiltrated the firm's systems and obtained a significant amount of sensitive data. The group has threatened to release this data publicly if their ransom demands are not met, putting the firm's confidential information and client data at significant risk.

About DragonForce Ransomware Group

DragonForce is a relatively new ransomware group that emerged in late 2023. They are known for their double extortion tactics, which involve encrypting victims' data and exfiltrating sensitive information, threatening to release it publicly if the ransom is not paid. The group has claimed attacks against various industries across the globe, including high-profile targets like the Ohio Lottery and Coca-Cola Singapore.

Researchers have found that DragonForce's ransomware code is based on a leaked builder from the infamous LockBit ransomware group, suggesting that DragonForce may have leveraged this code to quickly develop and deploy their own ransomware. There is also an educated assumption that DragonForce is linked to a Malaysian hacktivist group of the same name, although this connection remains unconfirmed.

Potential Penetration Methods

While the exact method of penetration in the David E. Shambach Architect attack is not publicly disclosed, it is likely that DragonForce exploited common vulnerabilities such as weak passwords, outdated software, or phishing attacks. The firm's extensive client interactions and collaborative approach could have provided multiple entry points for the attackers.

Sources

• David E. Shambach Architect
• WatchGuard - DragonForce
• Tripwire - DragonForce Ransomware
• SOCRadar - DragonForce Ransomware
• InfoSecurity Magazine - DragonForce Ransomware