DragonForce: DragonForce Ransomware Hits Saudi Firm, 6TB Data Stolen

DragonForce Ransomware Strikes Saudi Arabia, Exfiltrates 6TB of Sensitive Data

A recent ransomware attack by the DragonForce group has targeted a prominent real estate and construction firm in Riyadh, Saudi Arabia, resulting in the theft of over 6TB of sensitive data. The breach was first announced by the threat actors on February 14, 2025, with a ransom deadline set for February 27, just ahead of Ramadan.

After the deadline passed, DragonForce published the stolen data on a dedicated leak site (DLS), separate from its primary platform. The group employs advanced CAPTCHA mechanisms to evade automated tracking by cybersecurity firms, complicating monitoring efforts.

Operating under a Ransomware-as-a-Service (RaaS) model, DragonForce has expanded its affiliate network, offering tools and resources to cybercriminals in exchange for a share of ransom payments. Affiliates are recruited via the RAMP underground forum, with commissions reaching up to 80%, one of the highest rates in the cybercrime market. Communication occurs through TOR-based instant messaging (TOX), and affiliates must demonstrate network access to qualify.

The group provides additional support, including "call services" for victim intimidation, NTLM/Kerberos hash decryption tools, and a customizable ransomware builder for tailored attacks. DragonForce also employs dual extortion tactics, encrypting data while threatening public leaks if demands are unmet. In some cases, they release audio recordings of ransom negotiations to pressure victims further.

Initial access is often gained through phishing, RDP, and VPN vulnerabilities, with the Middle East emerging as a prime target due to wealthy organizations, cybersecurity gaps, and geopolitical factors. Since its emergence in December 2023, DragonForce has evolved its tactics, leveraging TOR-based communications, secure Bitcoin payments, and sophisticated encryption methods.

The attack on Saudi Arabia underscores the growing threat of ransomware in the region, particularly as groups like DragonForce refine their operations to maximize impact.

Source: https://www.infosecurity-magazine.com/news/6tb-data-stolen-saudi-cyber-attack/

Drakontas LLC cybersecurity rating report: https://www.rankiteo.com/company/drakontas-llc

"id": "DRA1770324776",
"linkid": "drakontas-llc",
"type": "Ransomware",
"date": "2/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Real Estate and Construction',
                        'location': 'Riyadh, Saudi Arabia',
                        'type': 'Real estate and construction firm'}],
 'attack_vector': ['Phishing', 'RDP vulnerabilities', 'VPN vulnerabilities'],
 'data_breach': {'data_encryption': 'Yes',
                 'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Likely',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Sensitive data'},
 'date_publicly_disclosed': '2025-02-14',
 'description': 'A recent ransomware attack by the DragonForce group has '
                'targeted a prominent real estate and construction firm in '
                'Riyadh, Saudi Arabia, resulting in the theft of over 6TB of '
                'sensitive data. The breach was first announced by the threat '
                'actors on February 14, 2025, with a ransom deadline set for '
                'February 27. After the deadline passed, DragonForce published '
                'the stolen data on a dedicated leak site (DLS). The group '
                'employs advanced CAPTCHA mechanisms to evade automated '
                'tracking by cybersecurity firms.',
 'impact': {'brand_reputation_impact': 'High',
            'data_compromised': '6TB',
            'identity_theft_risk': 'High'},
 'motivation': ['Financial gain', 'Data exfiltration'],
 'post_incident_analysis': {'root_causes': ['Phishing',
                                            'RDP vulnerabilities',
                                            'VPN vulnerabilities']},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransomware_strain': 'DragonForce'},
 'references': [{'source': 'Cyber Incident Description'}],
 'threat_actor': 'DragonForce',
 'title': 'DragonForce Ransomware Strikes Saudi Arabia, Exfiltrates 6TB of '
          'Sensitive Data',
 'type': 'Ransomware'}