In late December 2025, INC Ransom listed Omrania & Associates - Saudi Arabia's most decorated architecture and engineering firm and a wholly-owned subsidiary of French engineering giant Egis Group - on its Tor-based leak site.
After Omrania failed to meet ransom demands, the group published approximately 4 terabytes of data encompassing confidential client documents, non-disclosure agreements, financial records, business agreements, and project drawings spanning five decades of work on landmark Saudi infrastructure.
Omrania's portfolio includes the PIF Tower (385m, tallest building in Riyadh and headquarters of the Kingdom's sovereign wealth fund), the Kingdom Centre, the GCC Headquarters, Riyadh Metro stations, the $63.2 billion Diriyah giga-project, and a National Guard military township.
The exposure of detailed architectural drawings, structural designs, MEP layouts, and security system placements for government, military, diplomatic, and critical infrastructure facilities creates permanent physical security risks that cannot be remediated by changing passwords or rotating credentials.
Omrania has issued no public statement.
KEY FACTS
- What: INC Ransom attacked Saudi Arabia's premier architecture firm and published 4TB of data after ransom refusal.
- Who: Omrania & Associates (est. 1973), wholly-owned subsidiary of Egis Group (France, EUR 2.164B revenue). ~700 employees across Riyadh, Jeddah, and Amman. Designer of PIF Tower, Kingdom Centre, GCC HQ, KAFD Grand Mosque, Riyadh Metro stations, King Salman Park, Diriyah Boulevard District ($113.6M contract), and National Guard Township.
- How: Double-extortion ransomware. INC Ransom's documented initial access includes exploitation of Citrix NetScaler (CVE-2023-3519), Fortinet EMS (CVE-2023-48788), FortiGate SSL-VPN (CVE-2023-27997), and spearphishing. Specific vector for Omrania undisclosed.
- Data: 4TB published - client documents, NDAs, financial records, corporate data, business agreements, and architectural project drawings potentially spanning 53 years of Saudi critical infrastructure projects.
- Actor: INC Ransom (MITRE G1032 / GOLD IONIC). RaaS since July 2023. 730+ total victims. Third most active ransomware group in H2 2025 (213 victims).
- Impact: Permanent physical security exposure for PIF headquarters, GCC diplomatic complex, military facilities, metro infrastructure, and giga-project developments. Two months later, INC Ransom hit ACWA Power (400GB), establishing a Vision 2030 infrastructure targeting campaign.
WHAT HAPPENED
On December 28, 2025, at 11:00 UTC, INC Ransom added Omrania to its Tor-hosted data leak site. Threat intelligence platforms indexed the listing within 14 hours. CYFIRMA's Weekly Intelligence Report dated January 9, 2026 first reported the incident publicly.
The publication of the complete 4TB archive confirms ransom negotiations either failed or were not initiated.
Omrania & Associates was founded in 1973 by Basem Al-Shihabi and Nabil Fanous.
Over 53 years, it has become Saudi Arabia's most awarded architecture practice, winning the Aga Khan Award for Architecture (Tuwaiq Palace, 1998) and Construction Week Saudi Architecture Firm of the Year 2025. The firm employs approximately 700 staff across offices in Riyadh, Jeddah, and Amman, Jordan.
On November 14, 2023, French engineering giant Egis Group (EUR 2.164B revenue, 20,100 employees, 70+ countries) completed its acquisition of Omrania as a wholly-owned subsidiary.
Two months after the Omrania listing, on February 24, 2026, INC Ransom listed ACWA Power - Saudi Arabia's largest private energy company and a 44%-PIF-owned Vision 2030 execution vehicle - claiming 400GB. Both targets hold engineering drawings and technical specifications for Saudi critical infrastructure.
The sequential targeting within 60 days by the same actor suggests deliberate campaign planning.
Notably, HookPhish recorded Omrania's country as "JO" (Jordan) in the leak listing, which may indicate the Amman office as the initial point of compromise - a smaller satellite office potentially with less mature security controls than the Riyadh headquarters.
As of March 25, 2026, Omrania has issued no public acknowledgment, no SDAIA breach notification is publicly recorded, and no media statement has been released.
THREAT ACTOR
INC Ransom (tracked as G1032 by MITRE ATT&CK and GOLD IONIC by SecureWorks) is a Ransomware-as-a-Service operation that emerged in July 2023 with 730+ victims as of March 2026, ranking third in H2 2025 (213 victims). Affiliates retain 70-80% of ransom payments.
In May 2024, the source code (AES-128 CTR + Curve25519 Donna) was sold for $300,000, spawning Lynx ransomware (48-70% code similarity).
Initial access methods include CVE-2023-3519 (Citrix NetScaler RCE), CVE-2023-27997 (FortiGate SSL-VPN RCE), CVE-2023-48788 (Fortinet EMS SQL injection), CVE-2024-57726/57727/57728 (SimpleHelp RMM), and CVE-2025-5777 (Citrix Bleed 2, CISA KEV).
Post-exploitation: PsExec (renamed "winupd"), NTDS/Mimikatz credential harvesting, MEGASync/Rclone exfiltration, SystemSettingsAdminFlows.exe Defender disablement. CIS-origin indicators: Cyrillic kill switch in Lynx, CIS-nation avoidance.
Notable victims: NHS Dumfries & Galloway (3TB, March 2024), McLaren Health Care (743K patients, August 2024), Pennsylvania AG (5.7TB, August 2025), OnSolve CodeRED (10,000+ municipalities, November 2025), ACWA Power (400GB, February 2026).
Real estate and construction was the #1 ransomware-targeted sector in Saudi Arabia in 2025 at 20.83% of all incidents (CYFIRMA). Other Saudi construction victims include Al Bawani (DragonForce, 6TB, airbase drawings, $20M ransom) and Rezayat Group (Everest, 10GB).
WHAT WAS EXPOSED
The 4TB archive contains:
Client engagement documents spanning 53 years - from the 1973 GOSI Headquarters to the 2025 Diriyah Boulevard District.
Clients include the Public Investment Fund, Kingdom Holding Company, the GCC Secretariat, the Saudi National Guard, Saudi Electricity Company, Diriyah Company, and the Ministry of Housing.
Non-disclosure agreements revealing client identities, project scope, confidential terms, and JV partnership structures with international firms including HOK (PIF Tower), Henning Larsen (King Salman Park), Zaha Hadid Architects, Snohetta, Buro Happold, and Frei Otto.
Financial records including the $113.6M Diriyah Boulevard District contract, project budgets, fee structures, and payment schedules providing competitors with precise pricing intelligence.
Detailed architectural drawings potentially covering: PIF Tower (385m, sovereign wealth fund HQ), GCC Headquarters (diplomatic complex), National Guard Township (6,000+ military villas), Royal Embassy of Saudi Arabia in Amman, Riyadh Metro Western Station, Saudi Electricity Company HQ (26-hectare campus), Kingdom Centre (300m), and Diriyah Boulevard District ($63.2B giga-project).
These drawings expose floor plans, structural systems, MEP layouts, security system placement, access control points, surveillance camera positions, emergency egress routes, and structural vulnerabilities.
Unlike passwords, building layouts are permanent - they cannot be rotated without physical reconstruction.
Corporate data likely including employee PII for ~700 staff from 30+ countries and operational documents.
TECHNICAL FAILURE CHAIN
1. Probable Initial Access via VPN/Remote Access Exploitation. INC Ransom's five documented CVEs all target remote access. The HookPhish "JO" country listing may indicate the Amman satellite office - potentially with less hardened remote access than Riyadh HQ.
2. Credential Harvesting and Privilege Escalation. NTDS.dit dumping and Mimikatz provide domain-wide administrative credentials.
3. Lateral Movement Across Unsegmented Network. The breadth of data - client documents, NDAs, financials, project drawings, corporate data spanning 53 years - indicates flat architecture.
Drawings for National Guard facilities and PIF Tower should be in segmented, classified enclaves.
4. 4TB Exfiltration Without Detection. At 50 Mbps sustained, 4TB takes approximately 7 days. No DLP alerts triggered.
5. Detection and Response Failure. No evidence of early detection or containment. SIEM/UEBA either absent or untuned.
6. Three Months of Silence. No public statement, no SDAIA notification, no client disclosure despite exposing architectural drawings for sovereign wealth fund headquarters, military facilities, and diplomatic compounds.
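As an added illustration of steps 4 and 5 above (example code written for this analysis, not tooling from the report or from any party it names), the following Python reproduces the 4TB-at-50-Mbps transfer estimate and applies a rolling 24-hour per-host egress-volume check plus a cloud-sync-destination check to constructed flow records. The 20 GB threshold, the host names, the destinations and the MEGA domains are assumptions.

```python
# Added example: rolling-window egress volume check over constructed flow records.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (UTC timestamp, source host, destination, bytes out).
# Hosts, destinations and sizes are invented; "amm-ws-17" plays the exfiltrating host.
FLOWS = [
    ("2025-12-10T08:00:00Z", "riy-ws-03", "updates.example.net", 500_000_000),
    ("2025-12-10T09:00:00Z", "riy-ws-03", "updates.example.net", 500_000_000),
    ("2025-12-10T01:00:00Z", "amm-ws-17", "mega.nz", 1_000_000_000),
    ("2025-12-10T02:00:00Z", "amm-ws-17", "objstore.example.com", 5_000_000_000),
    ("2025-12-10T06:00:00Z", "amm-ws-17", "objstore.example.com", 5_000_000_000),
    ("2025-12-10T10:00:00Z", "amm-ws-17", "objstore.example.com", 5_000_000_000),
    ("2025-12-10T14:00:00Z", "amm-ws-17", "objstore.example.com", 5_000_000_000),
    ("2025-12-10T18:00:00Z", "amm-ws-17", "objstore.example.com", 5_000_000_000),
]

# Policy values are illustrative thresholds, not figures from the report.
SYNC_SERVICES = {"mega.nz", "mega.co.nz"}  # MEGASync endpoints (assumed domains)
VOLUME_LIMIT = 20 * 10**9                  # 20 GB outbound per host per window
WINDOW = timedelta(hours=24)

def transfer_days(total_bytes, mbps):
    """Days needed to move total_bytes over a link sustaining mbps megabits/s."""
    return total_bytes * 8 / (mbps * 1_000_000) / 86_400

def egress_alerts(flows, limit=VOLUME_LIMIT, window=WINDOW):
    """(host, rule, detail) alerts: any flow to a sync service, plus one
    'volume' alert per host whose rolling-window outbound total exceeds limit."""
    by_host = defaultdict(list)
    for ts, host, dst, nbytes in flows:
        by_host[host].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), dst, nbytes))
    alerts = []
    for host, recs in by_host.items():
        recs.sort()
        start, total, volume_alerted = 0, 0, False
        for t, dst, nbytes in recs:
            if dst in SYNC_SERVICES:
                alerts.append((host, "sync-service", dst))
            total += nbytes
            while recs[start][0] < t - window:  # drop flows older than the window
                total -= recs[start][2]
                start += 1
            if total > limit and not volume_alerted:
                alerts.append((host, "volume", total))
                volume_alerted = True
    return alerts
```

With these constructed flows the Amman host crosses the 20 GB line on its fifth transfer, about 13 hours in, which is the kind of early signal a week-long 4TB transfer should produce.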
REGULATORY EXPOSURE
Saudi Arabia:
- PDPL Article 19 - 72-hour SDAIA notification. No notification filed. Fine: up to SAR 5M per violation; doubled for repeats.
- PDPL Article 14 - Security measures obligation. Independent violation.
- PDPL Criminal Provisions - Intentional/negligent disclosure: imprisonment up to 2 years + SAR 3M fine.
- NCA ECC-2 (2024) - 114 mandatory controls. Omrania's government/military contracts likely bring it within scope.
- Anti-Cyber Crime Law (Royal Decree M/17) - Architectural drawings for PIF HQ, National Guard, GCC HQ are arguable national security assets. Article 6: penalties up to 10 years imprisonment + SAR 5M fine.
- SDAIA Enforcement - 48 enforcement decisions in 2025.
EU / GDPR (via Egis Group):
- Omrania is wholly-owned by Egis Group (France). Staff from 30+ countries likely includes EU nationals.
- GDPR Articles 5(1)(f), 32, 33, 34 apply. CNIL jurisdiction.
- Fine: up to 4% of EUR 2.164B = EUR 86.56M (~$94M).
- NIS2 - Egis as a large engineering firm may qualify as "important entity."
Jordan:
- Cybersecurity Law / Cybercrime Law No. 17/2023 - Amman office data.
Client Contractual:
- Breach of NDAs with PIF, Kingdom Holding, Diriyah Company, GCC Secretariat, National Guard, and international JV partners.
- $113.6M Diriyah contract at risk - termination clauses for security failures.
ZERO|TOLERANCE Advisory
1. Phishing-resistant MFA (FIDO2) on all internet-facing infrastructure. Neutralizes every documented INC initial access vector.
2. Network segmentation isolating sensitive project archives. National Guard floor plans should never be on the same network path as corporate NDAs. Classification tiers: Public, Commercial-confidential, Government-restricted, Military-classified.
3. DLP with volumetric alerting. 4TB sustained exfiltration should trigger alerts within hours. Block Rclone/MEGASync at proxy level.
4. EDR tuned for INC Ransom TTPs. PsExec "winupd," NTDS dumping, Mimikatz, Defender disablement - all detectable. Credential Guard to prevent LSASS harvesting.
5. Privileged Access Management with tiered administration. Separate tiers for corporate, project delivery, and classified/government project data.
6. Continuous vulnerability management prioritizing CISA KEV. CVE-2023-3519, CVE-2023-27997, CVE-2023-48788 all on KEV. Sub-72-hour patching.
7. Pre-established breach notification playbook. Three months of silence following a 4TB leak of critical infrastructure drawings is untenable.
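As an added illustration of advisory item 4 and failure-chain step 2 (example code written for this analysis, not from the report or the vendors it cites), this Python triages constructed Sysmon-style process-creation events for the INC Ransom TTPs the report names: PsExec renamed to winupd, ntdsutil-based NTDS extraction, Mimikatz module invocations, and SystemSettingsAdminFlows.exe launched from a shell. Field names follow Sysmon Event ID 1; the shell-parent heuristic for Defender tampering and all event values are assumptions.

```python
# Added example: process-creation triage for the INC Ransom TTPs named in the report.

# Constructed Sysmon Event ID 1 style records; none of this is real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\Temp\winupd.exe", "OriginalFileName": "psexec.c",
     "CommandLine": r"winupd.exe -accepteula \\FS01 cmd",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\ntdsutil.exe", "OriginalFileName": "ntdsutil.exe",
     "CommandLine": r'ntdsutil "ac i ntds" ifm "create full C:\temp\out" q q',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Public\mk.exe", "OriginalFileName": "mimikatz.exe",
     "CommandLine": 'mk.exe "sekurlsa::logonpasswords" exit',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\SystemSettingsAdminFlows.exe",
     "OriginalFileName": "SystemSettingsAdminFlows.exe",
     "CommandLine": "SystemSettingsAdminFlows.exe Defender",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Legitimately named PsExec run by an administrator: must not trip the rename rule.
    {"Image": r"C:\Tools\PsExec.exe", "OriginalFileName": "psexec.c",
     "CommandLine": r"PsExec.exe -accepteula \\FS01 ipconfig",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(event):
    """Return the rule names one process-creation event matches."""
    img = basename(event["Image"])
    orig = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    parent = basename(event.get("ParentImage", ""))
    hits = []
    # PE version metadata survives a rename, so compare it with the on-disk name.
    if orig in {"psexec.c", "psexec.exe"} and not img.startswith("psexec"):
        hits.append("renamed_psexec")
    # NTDS.dit extraction through ntdsutil IFM media or a direct file reference.
    if ("ntdsutil" in cmd and "ifm" in cmd) or "ntds.dit" in cmd:
        hits.append("ntds_dump")
    # Mimikatz module syntax in the command line, whatever the binary is called.
    if "sekurlsa::" in cmd or "lsadump::" in cmd:
        hits.append("mimikatz_modules")
    # Assumption: this binary is normally launched by the Settings app, so a
    # shell parent is treated as a Defender tampering indicator.
    if img == "systemsettingsadminflows.exe" and parent in SHELLS:
        hits.append("defender_tamper")
    return hits

def triage_all(events):
    """Flatten (rule, image) pairs over a batch of events."""
    return [(rule, e["Image"]) for e in events for rule in triage(e)]
```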
SOURCES
CYFIRMA, HookPhish, RedPacket Security, Ransomware.live, Dark Web Informer, CM-Alliance, MITRE ATT&CK (G1032/S1139), Rapid7, Resecurity, Dark Reading, Infosecurity Magazine, Halcyon, BleepingComputer, Unit 42, Blackpoint Cyber, SentinelOne, MOXFIVE, Omrania Official Website, Egis Group, Wikipedia, Global Construction Review, Arab News, Construction Week, IAPP, Baker McKenzie, NCA, SDAIA