
Move over, United States and Europe: the Middle East is experiencing an uptick in ransomware attacks, including the latest breach of Coca-Cola by the Everest gang just this past week. So, what's the reason behind the dramatic increase? Cybernews has the inside scoop.
Ransomware gangs have descended on the Middle East in the past several years, with an uptick in high-profile attacks taking place over the last six months – and according to one Silicon Valley insider, there is a good reason for all the action.
Martin Vigo, lead security researcher at California-based cybersecurity firm AppOmni, says ransomware activity in the Middle East, and especially in the United Arab Emirates (UAE), “has grown significantly in both volume and complexity over the past couple of years.”
Vigo says the region has become "a high-priority target for many cybercriminal groups," singling out the Everest ransomware cartel and its latest conquests.
Everest gang rattles the Middle East
With a Ransomlooker victim count of 248, the Russian-linked Everest gang first emerged on the scene in July 2021. Believed to be connected to the BlackByte ransomware group, past big-name victims include AT&T and the Radisson Country Inn and Suites hotel chain.
On May 22nd, Everest set its sights on Coca-Cola’s Middle East division, eventually leaking the data of nearly 1000 employees from the company’s multiple distribution centers scattered throughout the region.

Seemingly part of a broader attack on Coca-Cola Europacific Partners, the world’s largest Coca-Cola bottler, the ransomware group also reportedly made off with an alleged 23 million records.
Vigo said what’s most noteworthy about Everest is its “adaptability” and the fact that the group “does not rely on a single tactic or specific tools.”
“They adjust tactics based on the target and the opportunity,” Vigo said. “They are quite bold in their targeting, unlike some groups that focus primarily on commercial enterprises. Everest doesn’t hesitate to go after sensitive sectors, government agencies, and hospitals,” he added.
Coca-Cola Middle East, located in the UAE capital of Abu Dhabi, is also not the first major entity to be hit by Everest this month.
Just days after the attack on Coca-Cola, Everest claimed the prominent international private hospital Mediclinic, which has locations in the UAE, as well as Abu Dhabi’s Department of Culture and Tourism, and the Jordan Kuwait Bank (JKB) on May 26th.
#Everest #Ransomware group has allegedly compromised the systems of the Department of Culture and Tourism in Abu Dhabi (@dctabudhabi), a government entity responsible for preserving cultural heritage, managing tourism strategies, and supporting creative industries in Abu Dhabi… pic.twitter.com/39Fpen7yrS
- VenariX (@_venarix_), May 26, 2025
Furthermore, in January, millions of H&M customers in the UAE had their personal information stolen by cybercriminals and subsequently posted for sale on the popular Breached hacker forum.
And last June, Cybernews reported the ultra-luxurious City of Dubai’s government network systems were hit with ransomware, claimed by a threat group known as the Daixin Team.
More money does not equal more cybersecurity
Vigo spills the tea and tells Cybernews there are myriad reasons why the Middle East region has become a hotbed of ransomware activity.
One of the most prevalent is "the economic factor," the AppOmni threat intelligence specialist said.
Vigo points out that many organizations in the Gulf are part of critical infrastructure or high-value sectors, such as energy, government, telecom, and aviation.
“These sectors naturally attract attackers,” he said, mainly due to the critical operations the organizations are responsible for. “These are entities that cannot afford long periods of disruption, which makes them more likely to pay in the event of a ransomware attack,” he said.

And pay they do, which leads to the next factor, guaranteed ransom payments.
Let’s face it, almost 95% of ransomware groups are in it for the money, and Vigo explains that there is a high rate of ransom payments unique to the Middle East region.
“For various reasons, many victims choose to pay – whether it's to protect business continuity, avoid reputational damage, or due to the absence of mandatory breach disclosure laws,” Vigo said.
For example, Everest has shifted its tactics to rely less on encryption to lock down systems and more on stealing and leaking data. “That shift tells you a lot about how ransomware has matured -- it’s no longer just about disruption, it’s about pressure and public exposure,” said Vigo.
Still, while some campaigns appear to be financially driven, others may be politically motivated or ideologically aligned, Vigo noted.
Vigo said there is a growing mix of both “global and regional threat actors” operating in the area, with “major ransomware-as-a-service groups working alongside more regionally motivated actors.”
Either way, when organizations are known to pay their attackers, “That in itself creates a vicious cycle where the more successful attacks are, the more attractive the region becomes to these groups,” he said.
“They [Everest] also operate a dark web leak site, which they use as a pressure mechanism. Victims are publicly named, and partial datasets are published to demonstrate the seriousness of the breach. This creates reputational and legal pressure, particularly for high-profile targets, and increases the likelihood of a payout.”
- Martin Vigo, lead security researcher at AppOmni on the Everest ransomware group's evolving tactics
The third factor is what Vigo calls “a clear shift in attacker confidence.”
“Attackers are more willing to go after public institutions, and that’s becoming a trend,” Vigo pointed out.
Noting that attacks like the recent one on Abu Dhabi’s Culture and Tourism department are becoming more commonplace, Vigo said that even a few years ago, ransomware actors rarely targeted state-affiliated organizations or government ministries in the region.
“Everest is quite bold in their targeting and doesn’t hesitate to go after sensitive sectors, government agencies and hospitals,” Vigo said.
Finally, Vigo blamed the recent targeting in the region on the “pace of digital transformation in the Gulf.”
The security researcher said that while advancements in technology have been impressive in many Middle Eastern nations, there are many instances where cybersecurity hasn’t quite kept up, leaving networks insecure.
“Rapid adoption of cloud services, remote access, and connected systems has introduced new vulnerabilities, and attackers are quick to exploit them,” Vigo said, adding that security teams have observed “many initial breaches happen through exposed remote services or compromised credentials often purchased on underground forums.”