Rezayat Group Allegedly Breached in Ransomware Attack by Everest Gang
Saudi Arabia’s Rezayat Group, a multibillion-dollar industrial services conglomerate, has reportedly become the latest victim of the Everest ransomware group. The threat actors posted Rezayat’s name and a data sample on their dark web leak site, suggesting they exfiltrated approximately 10GB of sensitive information.
The Rezayat Group oversees a network of 25 companies across engineering, logistics, construction, and manufacturing, with operations in 13 countries and a global workforce exceeding 20,000 employees.
The Everest group claims to have accessed confidential files including client contracts, technical schematics, and internal reports. While full verification remains pending, researchers have reviewed screenshots shared by the attackers, which include:
- Signed contract documents allegedly tied to Rezayat clients
- Technical drawings believed to represent industrial infrastructure
- Internal communications and operations-related reports
The Cybernews research team, after examining the leak, warned:
“As the data includes reports and contracts with other companies, the alleged data breach could affect Rezayat’s reputation with its clients. Moreover, attackers could use the leaked data to craft supply chain attacks.”
Rezayat has yet to comment on the breach allegations. The screenshots shared thus far appear to be intended as pressure tactics, a common ransomware strategy where partial data is leaked to push victims into ransom negotiations.
Everest Ransomware: A Persistent Threat Actor With a Global Victim List
The Everest ransomware cartel has a known history of targeting high-profile organizations and critical sectors. First emerging in 2021, the group has ties to the Russia-linked BlackByte syndicate, and has steadily expanded its reach across continents.
In recent months, Everest has claimed responsibility for attacks on major firms including:
- Mediclinic Group, a global healthcare provider
- Coca-Cola, where it reportedly stole sensitive internal and HR documents
- AT&T, which it claimed to have breached in 2022, offering access to its corporate network
Everest operators are known to exploit compromised user accounts and Remote Desktop Protocol (RDP) for lateral movement within target environments. According to Cybernews’ Ransomlooker, the group has listed over 100 victims in the past year alone.
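Because the article names compromised accounts and RDP as the group's lateral-movement path, a defender's first question is how that pattern shows up in logs. The following is an added example, not code from the article, Cybernews, or any product; it runs simple lateral-movement heuristics over constructed records modelled on Windows Security Event ID 4624 (successful logon), where LogonType 10 denotes a RemoteInteractive (RDP) logon. The sample events, the 10.10.5.0/24 "admin jump host" subnet, and the fan-out threshold are assumptions chosen for illustration.

```python
"""
Added example: two heuristics for spotting RDP-based lateral movement in
Windows Security 4624 events.  Sample data below is constructed, not real.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed events modelled on Event ID 4624 fields. LogonType 10 = RDP,
# LogonType 3 = network logon (SMB etc.), which the RDP heuristics ignore.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "event_id": 4624, "logon_type": 10,
     "user": "j.doe", "host": "FS01", "src_ip": "10.10.5.20"},
    {"time": "2024-05-01T10:00:00", "event_id": 4624, "logon_type": 10,
     "user": "m.ali", "host": "WS-ENG-07", "src_ip": "10.10.5.21"},
    {"time": "2024-05-01T10:05:00", "event_id": 4624, "logon_type": 3,
     "user": "m.ali", "host": "FS01", "src_ip": "10.20.1.15"},
    # Assumed suspicious sequence: one account hopping between servers
    # over RDP from an address outside the admin jump-host subnet.
    {"time": "2024-05-01T22:10:00", "event_id": 4624, "logon_type": 10,
     "user": "svc-backup", "host": "DC01", "src_ip": "192.168.77.4"},
    {"time": "2024-05-01T22:14:00", "event_id": 4624, "logon_type": 10,
     "user": "svc-backup", "host": "WEB02", "src_ip": "192.168.77.4"},
    {"time": "2024-05-01T22:20:00", "event_id": 4624, "logon_type": 10,
     "user": "svc-backup", "host": "FS01", "src_ip": "192.168.77.4"},
    {"time": "2024-05-01T22:25:00", "event_id": 4624, "logon_type": 10,
     "user": "svc-backup", "host": "HR-DB", "src_ip": "192.168.77.4"},
]

# Assumption: interactive admin access is only expected from this subnet.
ADMIN_JUMP_HOSTS = [ipaddress.ip_network("10.10.5.0/24")]


def is_rdp_logon(ev):
    """True for a successful RemoteInteractive (RDP) logon."""
    return ev["event_id"] == 4624 and ev["logon_type"] == 10


def rdp_from_unexpected_source(events, allowed=ADMIN_JUMP_HOSTS):
    """Heuristic 1: RDP logons whose source IP is outside the allowed subnets."""
    hits = []
    for ev in events:
        if not is_rdp_logon(ev):
            continue
        src = ipaddress.ip_address(ev["src_ip"])
        if not any(src in net for net in allowed):
            hits.append(ev)
    return hits


def rdp_fan_out(events, window=timedelta(minutes=30), threshold=3):
    """Heuristic 2: accounts that RDP into >= threshold distinct hosts
    within a sliding time window.  Returns {user: sorted host list}."""
    by_user = defaultdict(list)
    for ev in events:
        if is_rdp_logon(ev):
            by_user[ev["user"]].append(
                (datetime.fromisoformat(ev["time"]), ev["host"]))
    flagged = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                flagged[user] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for ev in rdp_from_unexpected_source(SAMPLE_EVENTS):
        print(f"[unexpected source] {ev['time']} {ev['user']} -> "
              f"{ev['host']} from {ev['src_ip']}")
    for user, hosts in rdp_fan_out(SAMPLE_EVENTS).items():
        print(f"[fan-out] {user} reached {len(hosts)} hosts: {hosts}")
```

Both heuristics are deliberately simple and will need tuning per environment: the source-subnet check assumes a jump-host model, and the fan-out threshold will fire on legitimate administrators unless their accounts are excluded or the window tightened. In practice the same logic runs in a SIEM against the real 4624 feed, with LogonType and IpAddress taken from the event's EventData fields.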
Analysts note a growing focus on the Middle East region, suggesting it is now a key target for ransomware cartels due to the region’s expanding industrial infrastructure and global business ties.
As of now, it remains unclear whether Rezayat has engaged with the attackers or paid any ransom. However, the exposed files, if authentic, highlight the growing risk to supply chain partners and the critical services sector, where stolen documents can ripple through connected systems and clients.
The breach, if confirmed, will likely renew scrutiny over cybersecurity posture within industrial and engineering firms operating across high-value, international contracts.