title: "GökNur Gıda: Dreamfyre Ransomware Leak of 10.7 TB"
date: 2026-06-28
slug: goknur-gida-dreamfyre-ransomware
GökNur Gıda: Dreamfyre Ransomware Leak of 10.7 TB
The ransomware group Dreamfyre has claimed responsibility for a large-scale attack on GökNur Gıda İş Süreçleri (operating as Çağlar Doğru, goknur.com.tr), one of Turkey's leading food industry firms. According to a claim surfaced on June 26, 2026 and reported by threat intelligence firm DeXpose, the group encrypted more than 100 servers and exfiltrated over 10 terabytes of company data. The actors state they have already sold the bulk of the haul and dumped the remainder publicly, marking one of the more significant claimed breaches in the Turkish food and manufacturing sector this year.
What Happened
On June 26, 2026, Dreamfyre listed GökNur Gıda on its leak infrastructure, claiming a successful compromise of the company's internal environment. In its own statement, the group said: "We recently leaked 10.7 TB of data belonging to GökNur Gıda A.Ş., sold 9.3 TB of data, and shared 1.4 TB of data with the public. The company has over 100 encrypted servers."
The claim describes a classic double-extortion operation. Rather than relying solely on encryption to force payment, the actors exfiltrated data first, then encrypted systems, and finally monetized the stolen files through both private sale and public exposure. The reference to more than 100 encrypted servers suggests the intrusion reached deep into GökNur's production and back-office infrastructure rather than touching only a single isolated system. At the time of reporting, the breach is a threat-actor claim corroborated by DeXpose's monitoring; GökNur Gıda has not issued a public confirmation.
What Was Taken
Dreamfyre claims a total dataset of 10.7 TB tied to GökNur Gıda. The actors break this down into 9.3 TB reportedly sold to undisclosed buyers and 1.4 TB released to the public. A volume of this size in a food-industry environment typically spans corporate and operational records, including financial and accounting files, employee and HR records, supplier and distribution contracts, customer and partner data, internal email, and potentially proprietary production or recipe documentation.
The split between sold and dumped data is significant. The 9.3 TB sold privately is the more dangerous portion for the victim and its partners, because it may already be in the hands of motivated buyers using it for fraud, follow-on intrusions, or competitive advantage, with no visibility for defenders. The 1.4 TB public dump serves as proof of compromise and as leverage, while also exposing GökNur's employees, suppliers, and customers to phishing and identity-based attacks.
Why It Matters
The food production and processing sector sits at the intersection of critical infrastructure and just-in-time manufacturing, making it an attractive ransomware target. Production downtime carries immediate, tangible costs: spoiled inventory, missed shipments, and contractual penalties create strong pressure to pay quickly. With more than 100 servers reportedly encrypted, GökNur faces a potentially severe operational disruption on top of the data exposure.
For defenders, this incident is a reminder that supply chain risk flows outward from a single victim. Stolen supplier and customer records expose GökNur's business partners to targeted phishing and business email compromise that leverages real contract details and contacts. The private sale of 9.3 TB means the exposure window may have opened well before the public claim, and downstream organizations should treat any relationship with GökNur as a potential exposure vector. The case also underscores that Turkish and regional manufacturers remain squarely within the targeting scope of established extortion crews.
The Attack Technique
Dreamfyre's public statement does not disclose an initial access vector, and no confirmed technical indicators have been published at the time of writing. Based on the pattern of the claim, the operation aligns with the standard ransomware kill chain: initial access, internal reconnaissance and privilege escalation, lateral movement across the server estate, bulk data exfiltration, and finally mass encryption.
Common entry points for intrusions of this profile include compromised or reused credentials harvested by infostealer malware, exposed remote access services such as RDP or VPN portals, unpatched internet-facing applications, and phishing. The ability to reach and encrypt more than 100 servers points to weak internal segmentation and likely the compromise of privileged or domain-level accounts, which would have allowed the actors to move freely once inside. Until GökNur or independent responders publish forensic detail, the specific initial vector remains unconfirmed.
What Organizations Should Do
Organizations in the food production sector and GökNur's broader supply chain should take the following steps:
- Hunt for exposure now: Monitor dark web leak sites, infostealer log markets, and threat-actor channels for credentials, databases, and chatter tied to your domains, executives, and key partners, including any GökNur-linked data.
- Run a compromise assessment: Proactively review your environment for unauthorized access, persistence mechanisms, and signs of exfiltration, especially if you exchange data or systems access with GökNur.
- Validate and isolate backups: Confirm that backups are current, encrypted, and stored offline or immutable so they can survive both encryption and deletion attempts.
- Harden identity and access: Enforce multi-factor authentication across all remote access and privileged accounts, eliminate reused passwords, and rotate credentials that may have appeared in infostealer logs.
- Segment the network: Limit lateral movement by separating production, back-office, and administrative environments and tightly controlling privileged account use.
- Engage professional response: Involve incident response specialists, threat analysts, and legal counsel before taking any action, and do not communicate with the threat actor without expert guidance.
Sources: Dreamfyre Ransomware Attack on GökNur Gıda İş Süreçleri - DeXpose