A recent cyberattack by the DragonForce ransomware group has caused havoc for organizations in Saudi Arabia. The attack targeted a well-known real estate and construction firm based in Riyadh and resulted in the theft of 6 TB of sensitive data.
Resecurity, a cybersecurity advisory firm, issued a warning about the breach on February 14, 2025. The threat actors behind the attack demanded a ransom and threatened to release the stolen data if their demands were not met by February 27, just before the start of Ramadan.
In a new development, DragonForce has now made good on their threat by publishing the stolen data on a dedicated leak site separate from their main platform. This group operates on a Ransomware-as-a-Service (RaaS) model, offering tools and resources to other cybercriminals in exchange for a cut of the ransom payments. To evade detection by cybersecurity firms, their leak site features advanced CAPTCHA mechanisms.
DragonForce has been active since December 2023, with their first known victim being the Heart of Texas Region MHMR Center. Over time, they have refined their techniques, using sophisticated encryption methods, Tor-based communications, and secure payment systems like Bitcoin wallets.
The group recruits affiliates through the RAMP underground forum, offering generous commission rates of up to 80% of the ransom proceeds. These affiliates communicate via Tor-based instant messaging and must demonstrate their ability to access victim networks to join. DragonForce provides support services to its affiliates, including direct victim intimidation, decryption tools, and customizable ransomware builders.
DragonForce typically gains initial access through phishing attacks and by exploiting vulnerabilities in Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services. They use a dual extortion strategy, encrypting data and threatening to release it if ransom demands are not met. To further pressure victims, they have been known to release audio recordings of ransom negotiations.
The recent attack in Saudi Arabia highlights the attractiveness of the Middle East to ransomware groups due to wealthy targets, cybersecurity weaknesses, and geopolitical factors. Resecurity emphasizes the urgent need for enhanced cybersecurity measures to protect critical national assets and sensitive information in the region.