Ransomware gang demanded $1M from California construction company System Pavers

Santa Ana construction company System Pavers yesterday confirmed it notified an undisclosed number of people about a September 2024 data breach that compromised private information.
System Pavers has not disclosed what types of data were compromised or who is affected, but the company is offering victims free credit monitoring through Experian. Such an offer usually implies that Social Security numbers and/or other private info that could be used for identity fraud was compromised in the breach.
Ransomware gang Medusa in October 2024 claimed responsibility for the attack and demanded System Pavers pay a $1 million ransom within one week, or else Medusa said it would put stolen data up for auction.
System Pavers has not verified Medusa’s claim. We do not yet know if the company did or will pay a ransom, or how attackers breached System Pavers’ network. Comparitech contacted System Pavers for comment and will update this article if it replies.
“On October 4, 2024, System Pavers became aware of suspicious activity affecting systems within our network,” System Pavers’ notice to victims states. “Through the investigation, we learned that an unauthorized actor accessed certain data between September 20, 2024 and October 4, 2024.”
Eligible victims have until May 30, 2025 to enroll in free credit monitoring.
Who is Medusa?
Medusa first surfaced in September 2019 and debuted its leak site in February 2023, where it publishes stolen data of victims who don’t pay ransoms. The group runs a ransomware-as-a-service business in which customers pay Medusa to use its malware and infrastructure to launch attacks and collect ransoms. Medusa often uses a double-extortion approach in which victims are forced to pay both to decrypt their systems and to keep their stolen data from being sold or published.
Medusa has claimed 116 confirmed ransomware attacks to date, compromising about 2.5 million records. Its average ransom across these attacks is $687,000.
Medusa’s other recent claims include a $2 million demand from the UK’s HCRG Care Group, a $320,000 demand from the Laurens County, SC school district, and a $400,000 demand from Bell Ambulance in Wisconsin.
Medusa in 2025 has claimed another 49 unconfirmed attacks that haven’t been acknowledged by the targeted organizations.
Ransomware attacks on US construction
Ransomware attacks on US construction companies can lock down computer systems and steal data. Companies must then either pay a ransom or face extended downtime, data loss, and an increased risk of fraud for their customers. Ransomware can disrupt communication systems, access to files, ordering, billing, payroll, websites, and other critical operations.
In 2024, Comparitech researchers logged 30 confirmed ransomware attacks on US construction companies, up from 23 the year prior. The number of records breached is lower than most other industries: 113,000 in 2023 and 110,000 in 2024. The average ransom is $418,000.
Other recently confirmed attacks on US construction companies include:
- Lighthouse Electric Company notified 7,218 people following an October 2024 data breach claimed by RansomHub
- InterCon Construction notified 6,634 people of a November 2024 data breach claimed by Hunters International
- James H Maloy suffered a breach in November 2024 claimed by Akira
- American Plumbing & Heating Corporation notified 962 people of a December 2024 data breach claimed by RansomHub
Ransomware groups claimed another 193 unconfirmed attacks in 2024 and 45 so far this year that haven’t been acknowledged by the targeted organizations.
About System Pavers
Based in Santa Ana, California, System Pavers is a residential outdoor construction company with a focus on pavers (i.e. outdoor flooring). It has about 500 employees and locations in Arizona, Colorado, Oregon, Washington, Texas, and California. The company website states it has served 90,000 homeowners since 1992.