A new ransomware assault by DragonForce has rattled the Kingdom of Saudi Arabia, targeting a major real estate and construction firm based in Riyadh and resulting in the exfiltration of over 6TB of sensitive data. The incident, reported in a recent advisory by Resecurity, underscores the increasing sophistication of cyber threats in the region.

Resecurity stated, “The combination of wealthy targets, cybersecurity gaps and geopolitical factors make the Middle East an attractive region for ransomware groups to exploit, making these attacks more profitable.”

Methodology and Tactics

• Ransomware-as-a-Service (RaaS):  DragonForce operates on a RaaS model, continuously expanding its affiliate network via the RAMP underground forum. It utilizes phishing, and exploits vulnerabilities in Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services for initial access.
• Dual Extortion:
  • Encrypts victim data while threatening to release it publicly if ransom demands are unmet.
  • Releases audio recordings of ransom negotiations to further pressure victims.
• Affiliate Support:
  • Offers ‘call services’ for direct victim intimidation.
  • Provides NTLM/Kerberos hash decryption tools and a customizable ransomware builder to optimize encryption settings.
• Secure Communications:
  • Employs TOR-based communications and secure payment methods, including Bitcoin wallets and private chat systems.

Timeline of the Attack

• December 2023:
  • DragonForce emerges as a formidable ransomware group with its first known victim at the Heart of Texas Region MHMR Center.
• February 14, 2025:
  • The breach is publicly announced by threat actors, who demand a ransom to prevent the publication of stolen data.
• February 27, 2025:
  • A ransom deadline is set, one day before the start of Ramadan, amplifying pressure on the victim.
• Post-Deadline:
  • Following the expiration of the deadline, DragonForce publishes the exfiltrated data on a dedicated leak site (DLS) equipped with advanced CAPTCHA mechanisms to deter automated monitoring.

Impact and Industry Implications

• Data Breach Magnitude: Over 6TB of sensitive data compromised, marking the first major ransomware incident targeting a large KSA enterprise.
• Sector-Wide Warning: The attack signals an urgent need for enhanced cybersecurity measures to protect critical national assets and sensitive information for those operating in a smart built environment in the Middle East.
• Rising Cyber Threats: Reflects broader trends in the MENA region, with sophisticated ransomware groups increasingly exploiting vulnerabilities in high-value targets.They further emphasized, “The DragonForce ransomware targeting KSA and the associated data leak underscore the urgent need for enhanced cybersecurity measures.”

This incident not only highlights the growing menace of ransomware in Saudi Arabia but also serves as a critical reminder for corporate leaders and industry stakeholders to bolster their cybersecurity frameworks. As cybercriminals evolve and expand their reach, proactive measures and robust defenses are essential to safeguard vital infrastructures and ensure business continuity in a rapidly digitalizing world.