Ransomware victim disclosure
← All victimsO'Shea Builders
Claimed by Medusa · listed 1 year ago
Status timeline
- ListedMar 29, 2025
- Data leakeddate unknown
At a glance
- Group
- Medusa
- Status
- Data leaked
- Country
- United States
- Sector
- Construction
- Listed on leak site
- Mar 29, 2025
- Data size
- 120.50 GB
- Records
- 137 employees
About the victim
AI dossier — public-source company profileO'Shea Builders is a commercial construction-services provider founded in 1902, headquartered in Springfield, Illinois with additional offices in Decatur and Peoria. The company specializes in general contracting, construction management, design-build, civil engineering, and building maintenance services across Central Illinois.
- Industry
- Commercial Construction Services
- Address
- 3401 Constitution Dr, Springfield, Illinois 62711, United States
- Employees
- 137
- Founded
- 1902
Attack summary
Severity: high — Confirmed exfiltration and publication of 120.50 GB of data from an established business. Likely includes employee PII, client contracts, and operational/financial data; no encryption mentioned but data is already public, indicating maximum damage has occurred.Medusa claims to have exfiltrated 120.50 GB of data from O'Shea Builders. The group has published the data; no ransom demand is stated, indicating a pure extortion or reputational attack.
Data the group says was taken
AI dossier — extracted from the leak post- Corporate records
- Employee information
- Client project data
- Financial documents
- Operational files
What the group claims
O'Shea Builders (founded in 1902) is a commercial construction-services provider in Illinois with offices in Springfield and Peoria. O'Shea Builders provide general contracting, construction management, design build, civil and building maintenance services. O'Shea Builders corporate office is located in 3401 Constitution Dr, Springfield, Illinois, 62711, United States and has 137 employees. The total amount of data leakage is 120.50 GB
Sources
Source
Indexed 1 year agoThis page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.
Is this your supplier? Your competitor? You?
Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

