Major Cyberattack Cripples Georgia Real Estate Industry: What Security Leaders Need to Know

Published: November 30, 2025

A ransomware attack on Georgia's Superior Court Clerks' Cooperative Authority (GSCCCA) has brought the state's real estate industry to a grinding halt, affecting thousands of transactions and highlighting critical vulnerabilities in government infrastructure that supports essential business operations.

The Attack

The GSCCCA announced Tuesday, November 23, 2025, it was restricting access to its website and related services due to "a credible and ongoing cybersecurity threat." The Devman ransomware group has claimed responsibility, allegedly exfiltrating 500 gigabytes of data from the authority that manages real estate records for the entire state.

The timing couldn't be worse. Real estate professionals report cascading failures across Georgia's property market during one of the busiest periods of the year. One broker reported 15 closings affected in a single week, with compressed holiday deadlines amplifying the crisis.

Part of a Broader Pattern

The Georgia attack is not an isolated incident. November 2025 has seen a coordinated wave of attacks targeting real estate infrastructure:

SitusAMC Banking Vendor Breach

Just days before the Georgia attack, SitusAMC, a major real estate finance vendor serving over 1,500 clients including JPMorgan Chase, Citi, and Morgan Stanley, suffered a cyberattack on November 12, 2025. Hackers stole accounting records, legal agreements, and customer data affecting residential mortgage holders. The FBI is investigating this supply chain attack that demonstrates the serious risks facing even well-defended financial services sectors.

Historical Context

This follows a pattern of real estate sector targeting throughout 2025:

• April 2025: Multiple real estate firms in the US were hit by ransomware groups exploiting a Windows zero-day vulnerability (CVE-2025-29824)
• August 2023: California-based Rapattoni, which hosts Multiple Listing Services nationwide, was hit by ransomware, disrupting property listings across the country
• April 2025: Iowa County, Wisconsin experienced a ransomware attack that deleted a "significant portion" of real estate records, deeds, and tax processing documents

The real estate and mortgage industries have been particularly vulnerable to data breaches throughout 2024-2025, with over 47 million Americans having their financial information exposed through mortgage lender breaches.

Real Business Impact

This incident demonstrates how ransomware attacks extend far beyond the initial victim. When critical government infrastructure goes down, entire industries feel the ripple effects:

• Transaction paralysis: Buyers and sellers cannot access essential documents like home titles needed to close deals
• Financial consequences: Delayed closures could cost buyers their guaranteed mortgage interest rates in a volatile market
• Ecosystem disruption: Thousands of professionals—closing attorneys, title companies, lenders, and agents—are unable to complete their work
• Revenue loss: Each delayed transaction represents frozen capital and lost commissions across multiple parties

Real estate broker Maja Sly described the situation bluntly: "They're basically being held hostage right now. There's a ransom, I'm sure. But they haven't given any indication when this is going to be over. It couldn't have happened at a worse time."

The Data at Risk

Cybersecurity experts suggest the compromised data likely includes:

• Driver's license information
• Social Security numbers
• Bank account details from real estate transactions
• Personal contact information
• Property ownership records

While credit card data theft appears unlikely, the exposure of personally identifiable information (PII) and financial records creates significant identity theft and fraud risks for thousands of Georgia residents involved in recent property transactions.

The Devman Ransomware Group

Devman represents the latest evolution of a sophisticated ransomware operation allegedly led by longtime ransomware leader Oleg Nefedov (known as "Tramp"). The group has also claimed responsibility for attacks on:

• Procure.com
• Oxford University Clinical Research Unit

This group's emergence fits into the broader ransomware ecosystem trends of 2025, where multiple sophisticated groups are conducting coordinated attacks across multiple sectors simultaneously.

What This Means for CISOs

This attack underscores several critical security realities:

1. Third-Party Risk is Business Continuity Risk

Organizations must understand which government agencies and service providers are single points of failure for critical business processes. Your incident response plan needs to account for scenarios where external dependencies become unavailable for extended periods.

The SitusAMC breach demonstrates that even the financial services industry—with its vast resources and strict regulations—remains vulnerable to supply chain attacks.

2. Data Residency Matters

When government agencies hold sensitive data about your customers or transactions, you need to understand their security posture. For industries heavily dependent on government systems, this means advocating for transparency around cybersecurity practices and potentially maintaining alternative access to critical records.

3. Ransomware Groups are Getting More Sophisticated

Devman's 500GB data exfiltration before encryption suggests advanced persistent threat capabilities. Modern ransomware isn't just about encryption—it's about double extortion through data theft and potential regulatory exposure.

As we documented in our analysis of August 2025's unprecedented cyber attack surge, ransomware groups like Qilin benefited from an influx of affiliates following other groups' shutdowns, leading to more coordinated and sophisticated attacks.

4. Recovery Timeframes are Unpredictable

Despite the GSCCCA's commitment to restoring systems "as soon as possible," affected businesses have no timeline for recovery. This ambiguity makes planning nearly impossible and highlights why resilient alternatives and workarounds must be part of operational planning.

Industry-Specific Vulnerabilities

Real estate has become a prime target because:

1. High-value transactions: Single wire transfers often exceed hundreds of thousands or millions of dollars
2. Time-sensitive processes: Closing deadlines create pressure to pay ransoms quickly
3. Multiple stakeholders: Each transaction involves numerous parties, multiplying the impact
4. Regulatory compliance: RESPA, TILA, and state-specific requirements create additional pressure
5. Legacy systems: Many county recorder and clerk systems run on outdated infrastructure

As highlighted in our coverage of the most common methods behind major data breaches, attackers frequently exploit unpatched vulnerabilities in aging systems—a particular problem in government infrastructure.

The Human Factor: When Defenders Become Attackers

The real estate industry has also faced unique threats from within the cybersecurity ecosystem itself. Our investigation into cybersecurity experts indicted for BlackCat ransomware operations revealed how former incident responders at ransomware negotiation firms allegedly conducted the very attacks they were hired to prevent—including attacks on real estate businesses.

In one documented case, an Alaska real estate broker paid thousands of dollars to a "recovery firm" that simply paid the ransom themselves and marked up the price, highlighting the complex trust dynamics in the ransomware ecosystem.

Lessons for Your Organization

Whether you're in real estate, healthcare, finance, or any sector dependent on government infrastructure:

Immediate Actions

1. Map your critical dependencies on government systems and third-party services that could become unavailable due to cyberattacks
2. Develop contingency plans for operating when those systems are down—even if those plans are imperfect workarounds
3. Review notification procedures with partners and customers about transaction delays due to third-party incidents
4. Conduct emergency tabletop exercises specifically focused on third-party infrastructure failures

Strategic Initiatives

5. Assess your data held by government agencies and understand your potential exposure if those systems are breached
6. Strengthen vendor risk management programs to include government agencies in your third-party risk assessments
7. Implement alternative verification processes for critical transactions that don't rely solely on online database access
8. Build redundancy into critical workflows where possible, including backup methods for title searches and document verification
9. Consider cyber insurance that specifically covers business interruption from third-party failures

Communication Planning

10. Prepare stakeholder communications templates for various third-party failure scenarios
11. Establish clear escalation procedures for when critical dependencies fail
12. Create customer education programs about verifying wire instructions and recognizing fraud attempts during system outages

The Broader 2025 Threat Landscape

The Georgia attack fits into what cybersecurity experts are calling an unprecedented year for cyberattacks. Our comprehensive analysis of major cyber attacks in 2025 shows:

• 126% increase in ransomware attacks globally
• 1,925 attacks per organization per week on average
• 47% year-over-year increase in weekly cyber attacks per organization in Q1 2025
• Supply chain attacks have become the preferred method for reaching high-value targets

Recent high-profile incidents include:

• OnSolve CodeRED emergency notification system crippled by INC Ransom, affecting hundreds of US municipalities
• F5 networks breach by nation-state actors, exposing source code and vulnerabilities
• Marks & Spencer's £300 million loss from Scattered Spider ransomware during Easter weekend

Business Email Compromise: The Hidden Threat

While ransomware grabs headlines, Business Email Compromise (BEC) remains the number one cybersecurity threat facing real estate. According to FBI statistics:

• BEC losses with real estate nexus: $446.1 million in 2022
• This is 7x higher than all ransomware losses across all industries in 2023
• BEC losses have risen at an alarming rate since 2015

During system outages like the Georgia attack, BEC risk increases dramatically as normal verification procedures break down and urgency overrides caution.

Regulatory and Legal Implications

The Georgia breach will likely trigger:

1. Class action lawsuits from affected consumers and businesses
2. Regulatory scrutiny of government cybersecurity practices
3. Insurance claims for business interruption and cyber liability
4. Legislative action to mandate security standards for government data systems

The mortgage industry has already seen record-breaking settlements, with LoanDepot facing the most expensive mortgage data breach settlement in history after exposing 16.9 million customers' data.

What CISOs Should Tell Their Board

When presenting this incident to leadership, emphasize:

1. It's not just about our security: Even with perfect internal controls, critical business processes depend on third-party security
2. Geographic diversification doesn't help: State-level infrastructure failures affect all businesses operating in that jurisdiction
3. Recovery time is unpredictable: Unlike internal incidents where you control remediation, third-party incidents have no guaranteed timeline
4. Financial impact extends beyond direct costs: Consider lost revenue, customer churn, regulatory fines, and reputational damage
5. This will happen again: The real estate and financial services sectors are prime targets, and attacks are increasing in frequency and sophistication

Looking Forward

As one Georgia broker noted, the entire industry is being held hostage with no clear timeline for resolution. That's not just a Georgia problem—it's a preview of what can happen when critical infrastructure falls to ransomware anywhere.

The convergence of attacks on GSCCCA, SitusAMC, and other real estate infrastructure in November 2025 suggests either:

• Coordinated targeting of the real estate sector by multiple threat actors
• Increased reconnaissance and intelligence sharing among ransomware groups
• Opportunistic exploitation of known vulnerabilities in real estate infrastructure

Organizations must prepare not just for direct attacks, but for the cascading failures that occur when shared infrastructure—especially government systems—becomes compromised.

Additional Resources

For more information on protecting your organization:

• Understanding Cyber Breach Costs in 2024: A Comprehensive Guide
• The 15 Most Devastating Data Breaches in History
• Global Data Protection Enforcement Beyond GDPR
• Case Study: 2024 Vendor Breaches and Third-Party Risk Management Failures

About the Author: This analysis was prepared by the team at Breached Company, tracking and analyzing cybersecurity incidents that impact businesses worldwide.

Subscribe to stay informed about the latest cybersecurity threats and how to protect your organization.

The Georgia real estate crisis serves as a stark reminder that cybersecurity isn't just about protecting your own systems. In our interconnected economy, your organization's resilience depends on the security posture of every critical partner in your value chain—including government agencies you may have never thought to assess.