Cyber Incident Victim: Puntacana Group
Date: May 2021
Location: Dominican Republic
Summary
The Puntacana Group, a Dominican Republic-based services provider, fell victim to the Grief ransomware group, which exfiltrated approximately 10 GB of data and publicly listed the organization among its targets. The attackers employed a strict "Pay or Grief" extortion model, refusing negotiations or discounts while criticizing victim companies for inadequate data protection compliance and wasteful spending on incident response consultants and cyber insurance instead of paying ransoms.
Description
The Grief ransomware group publicly listed Puntacana Resort & Club among its victims in late May 2021, following a series of cyberattacks against multiple organizations. Grief, a newly emerged threat actor, began operating a Tor-based leak site to name victims and publish stolen data shortly before this incident. The attack against Puntacana Group—a Dominican Republic-based conglomerate operating in hospitality and services—resulted in the exfiltration of approximately 10 GB of corporate data. This breach occurred alongside intrusions affecting five other entities across the United States, Mexico, Italy, and the United Kingdom, including Mobile County (Alabama), La Concha confectionery company, and Porto Sant'Elpidio municipality. While Grief did not disclose intrusion dates for individual victims, all attacks occurred prior to May 26, 2021, when cybersecurity researchers first documented the group's activities. The attackers employed double-extortion tactics, threatening to release stolen data unless ransoms were paid, though specific financial demands to Puntacana were not disclosed publicly. Grief refused to confirm whether attackers maintained persistent access to victim networks post-compromise or whether exfiltrated data contained sensitive employee or customer information.

The operational impact on Puntacana Resort & Club included potential business disruption from data theft and reputational damage following public exposure on Grief's leak portal. While the exact data categories compromised were unspecified, the 10 GB dataset likely contained proprietary business information given the group's targeting of corporate entities. Grief justified targeting such organizations by criticizing their alleged insufficient data protection measures, specifically referencing GDPR non-compliance as a motivating factor. The group adopted an uncompromising negotiation stance, prohibiting third-party mediators and insurance-funded payments while implementing a strict "Pay or Grief" policy that rejected discounts or extended negotiations. No evidence suggests Puntacana engaged with the attackers or disclosed whether ransom payments were made. The incident formed part of Grief's broader strategy to pressure victims through reputational harm and operational paralysis, though the group claimed to avoid targeting healthcare providers while considering pharmaceutical and cosmetic surgery sectors viable targets. Public disclosure occurred through SuspectFile's investigative reporting after direct communication with the threat actors yielded limited technical details about the breaches.
