The CYFIRMA Industries Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the real estate & utilities industry, presenting key trends and statistics in an engaging infographic format.
Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the real estate & utilities industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the real estate & utilities industry.
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.
CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.
For the purpose of these reports, we leverage the following data sets from our platform. The data is processed by AI and ML automation built on both human research input and automated ingestion.
Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.
Each attack campaign may target multiple organizations across various countries.
Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.
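The caveat above, that sorting campaigns by "last seen" date makes long-running campaigns stack up on later dates, is easy to see with a small calculation. The following is an added illustration, not CYFIRMA code or data: it builds a handful of constructed campaigns with first-seen and last-seen dates and counts them per month three ways, by last-seen date (the report's method), by first-seen date, and by every month in which the campaign was active. The campaign names and dates are invented for the example.

```python
import calendar
from collections import Counter
from datetime import date

# Constructed sample campaigns (hypothetical, not CYFIRMA telemetry):
# (campaign name, first_seen, last_seen)
CAMPAIGNS = [
    ("campaign-A", date(2024, 1, 10), date(2024, 1, 25)),  # short, January only
    ("campaign-B", date(2024, 1, 15), date(2024, 3, 20)),  # long-running, Jan-Mar
    ("campaign-C", date(2024, 2, 3), date(2024, 3, 28)),   # Feb-Mar
    ("campaign-D", date(2024, 2, 20), date(2024, 2, 27)),  # short, February only
    ("campaign-E", date(2024, 3, 5), date(2024, 3, 30)),   # March only
]

MONTHS = ["2024-01", "2024-02", "2024-03"]


def month_key(d):
    """Bucket a date into a 'YYYY-MM' string."""
    return f"{d.year:04d}-{d.month:02d}"


def month_bounds(key):
    """Return the first and last calendar day of a 'YYYY-MM' month."""
    year, month = (int(part) for part in key.split("-"))
    return date(year, month, 1), date(year, month, calendar.monthrange(year, month)[1])


def count_by_last_seen(campaigns, months):
    """Count each campaign once, in the month of its last observed activity.
    This is the report's sorting basis and is what causes stacking on later months."""
    counter = Counter(month_key(last) for _, _, last in campaigns)
    return {m: counter.get(m, 0) for m in months}


def count_by_first_seen(campaigns, months):
    """Count each campaign once, in the month it was first observed."""
    counter = Counter(month_key(first) for _, first, _ in campaigns)
    return {m: counter.get(m, 0) for m in months}


def count_active_per_month(campaigns, months):
    """Count a campaign in every month its activity window overlaps.
    Totals exceed the number of campaigns, but no month is under-represented."""
    counts = {}
    for m in months:
        start, end = month_bounds(m)
        counts[m] = sum(1 for _, first, last in campaigns if first <= end and last >= start)
    return counts


def select_most_recent(campaigns, n):
    """Keep the n campaigns with the latest 'last seen' date, as the report does
    to retain the most relevant ones."""
    return [name for name, _, _ in sorted(campaigns, key=lambda c: c[2], reverse=True)[:n]]


if __name__ == "__main__":
    for label, fn in [("last seen", count_by_last_seen),
                      ("first seen", count_by_first_seen),
                      ("active in month", count_active_per_month)]:
        print(f"{label:>16}: {fn(CAMPAIGNS, MONTHS)}")
    print("most recent 3 :", select_most_recent(CAMPAIGNS, 3))
```

With the constructed data, the last-seen view reports 1, 1, 3 campaigns for January to March while the active-in-month view reports 2, 3, 3, so a chart drawn from last-seen dates alone would suggest a March surge that the underlying activity does not show. When reading the monthly trend figures in this report, keep in mind which of these views a chart represents.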
Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
Our primary focus is on detecting which brand is being impersonated rather than who is being targeted. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries, as some industries simply do not make good phishing lures.
Our data on victims in this report is directly collected from respective ransomware blogs, though some blogs may lack detailed victim information beyond names or domains, impacting victimology accuracy during bulk data processing.
In some cases, there are multiple companies that share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was actually compromised. In such a case, we count the country of the company’s HQ.
During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
Data related to counts of victims per ransomware group and respective dates is 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.
Real estate & utilities organizations featured in 1 out of the 9 observed campaigns, which is a presence in 11.1% of campaigns.
The single observed campaign occurred in March and targeted an Electric Utility organization.
We observed mixed attribution signals in the single observed campaign. Observed TTPs suggest an APT41 nexus (tracked as MISSION2025), but commodity malware used by the Lazarus Group and the use of the Korean language were also observed.
Recorded victims of the observed attack campaign span 6 different countries across several continents.
Web applications and operating systems were both targeted in this campaign.
Risk Level Indicator: Medium
In the past 90 days, we observed only a single campaign, in March, with a victim in the Real Estate & Utilities industry, specifically an Electric Utilities company. This is down from 2 campaigns (22% presence) in the previous period to 1 campaign (11%).
We observed mixed TTPs in the single observed campaign. While some of the malware used, such as Winnti, is known to be part of the APT41 nexus (tracked as MISSION2025), commodity malware such as RedLine Stealer, AZORult and FlyStudio was observed together with the use of the Korean language. Most likely this campaign is the product of North Korean hackers hired by Chinese threat actors.
The targeted countries are Singapore, Norway, the United States, Japan, the United Kingdom, Australia, Switzerland, and Germany. This is a large spread across continents, implying this campaign is cybercrime-focused rather than nation-state activity.
Over the past 3 months, out of a total of 324,694 phishing campaigns recorded, CYFIRMA’s telemetry did not record any that impersonated real estate & utilities organizations.
We have observed a handful of campaigns against energy utilities; however, these are covered in the dedicated Energy industry report.
Risk Level Indicator: Low
CYFIRMA telemetry did not find any real estate and utilities impersonations. However, that does not mean they do not exist. They are certainly used in some areas and as spear-phishing where suitable.
The highly localized nature of the real estate and utility industry simply does not present a good lure for widespread “spray and pray” types of campaigns. Furthermore, monetization for local cybercrime is more complex than for more popular scams such as courier & delivery fraud.
In the past 90 days, CYFIRMA has identified 92 verified ransomware victims within the real estate & utilities industry sectors. This accounts for 7.6% of the overall total of 1,212 ransomware incidents during the same period.
The monthly activity chart shows a downward trend even when adjusted for partial months.
A breakdown of the monthly activity provides insights into which gangs were active each month. For example, LockBit3 and ALPHV were very active in February. We can also see a sharp decline in victims by LockBit3 after law enforcement action in February and the main beneficiary BlackBasta picking up numbers in March and April.
In total, 28 out of 51 active groups recorded real estate & utilities organizations as victims in the past 90 days. The top 5 groups are responsible for half of them.
Comparing the real estate & utilities industry to all recorded victims, none of the gangs particularly stand out with a high percentage of victims in this industry. The highest are BlackBasta with 10 out of 80 (12.5%) and 8base with 8 out of 72 (11.1%) victims.
The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded.
In total, 20 countries recorded ransomware victims, with the US alone accounting for ~54% of all victims with identified geography, followed by the UK and France.
Property Management, Architecture and Property Developers are the top 3 sectors with the most victims.
Risk Level Indicator: Moderate
The real estate & utilities industry receives a medium-risk indicator for ransomware. In the last 90 days, victims from the real estate & utilities industry accounted for 7.6% of all victims, an increase from the previous 5.8% share. Monthly activity is remarkably consistent, ranging between 25 and 29 victims per month, including in the previous 90-day period.
Breaking down victimology by ransomware group, LockBit3 (15) emerges as the most active and is responsible for 16.3% of the total 92 victims. However, after the February law enforcement takedown, their victim numbers fell off, and BlackBasta (10, 10.8%) picked up significant numbers in March and April.
No gang stands out as having a particularly high interest in this industry.
The trend of high involvement from mid- to small-sized ransomware groups continues, with 28 out of 52 active groups in the last 90 days having victims in this industry. This trend was first noticed in September of the previous year and is likely to increase after the law enforcement disruption of LockBit.
Analyzing the 92 victims across 20 different countries, the United States bears the highest impact with 50 victims (54% of all), followed by the UK (8) and France and Spain (5 each).
Examining specific sectors reveals that Property Management, Architecture and Property Developers were the most frequent victims.
For a comprehensive, up-to-date global ransomware tracking report on a monthly basis, please refer to our new monthly “Tracking Ransomware” series here.
In the external threat landscape of the real estate & utilities industry, we observe low to moderate risk across monitored categories.
Observed Advanced Persistent Threat (APT) campaigns have decreased to a low-risk level, as the past 90 days were relatively quiet, with real estate & utilities victims detected in 1 out of 9 campaigns (11%). The observed campaign had mixed TTPs attributed to both Chinese and North Korean groups, pointing towards North Korean hackers hired by Chinese contractors.
Phishing received a low-risk indicator, as we have not observed any phishing incidents related to real estate or utilities beyond energy, which was covered in the Energy industry report.
Ransomware remains a significant concern and warrants a moderate risk level. This industry comprised 7.6% of all victims in the last 90 days, a slight increase from 5.8% in the previous period. LockBit3 (15 victims) and BlackBasta (10 victims) were the two most active gangs.