
The DragonForce ransomware group has launched a major cyberattack against organizations in Saudi Arabia, marking its first known attack on a large KSA enterprise entity. The attack, disclosed in a recent Resecurity report and first announced on February 14, 2025, resulted in the exfiltration of over 6 TB of confidential data.
The timing of the attack appears to be strategic, with the extortion deadline set for February 28, 2025, just one day before the start of Ramadan. This deadline has now passed, and true to their word, DragonForce has released the stolen data, which includes sensitive documents related to the company’s operations and clients.
The choice to target the real estate and construction sector in KSA is likely due to several factors. These industries are major contributors to the non-oil economy, with numerous large-scale projects involving multi-billion-dollar investments. Additionally, these companies often have complex IT infrastructures and handle vast amounts of sensitive data, making them attractive targets for cybercriminals.
DragonForce has been steadily expanding its reach since it first appeared on the scene in December 2023. Operating on a Ransomware-as-a-Service (RaaS) model, the group has a sophisticated affiliate network and offers one of the highest commission rates on the Dark Web, up to 80% of successful ransom payments.
The group is known for its advanced tactics, including the use of customized CAPTCHA filters on its data leak site (DLS) to prevent automated indexing by cybersecurity platforms. This makes it more challenging for researchers to track their activities and gather intelligence.
DragonForce is actively exploiting multiple vulnerabilities, including:
- CVE-2021-44228
- CVE-2023-46805
- CVE-2024-21412
- CVE-2024-21887
- CVE-2024-21893
“DragonForce typically begins its attacks by phishing emails or exploiting vulnerabilities in Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) solutions,” the report states. “Data exfiltration and subsequent publication are fully automated. A WebDAV server will also be initiated, and the payload will transmit all collected files to the DragonForce server.”
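A defender-side sketch of how the WebDAV-based exfiltration described in the report could be surfaced from egress proxy logs. This is an added example, not code from Resecurity or the original article; the log format, host names, IP addresses and the 1 GB threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Methods defined by WebDAV (RFC 4918); file bodies are uploaded with PUT.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
THRESHOLD_BYTES = 1_000_000_000  # hypothetical alert threshold, tune per environment

# Constructed sample egress-proxy lines: time src method dest_host dest_ip bytes_out
SAMPLE_LOG = """\
2025-02-10T01:00:01Z 10.1.4.22 PROPFIND dav.example.net 203.0.113.50 310
2025-02-10T01:00:02Z 10.1.4.22 MKCOL dav.example.net 203.0.113.50 120
2025-02-10T01:00:09Z 10.1.4.22 PUT dav.example.net 203.0.113.50 734003200
2025-02-10T01:03:41Z 10.1.4.22 PUT dav.example.net 203.0.113.50 629145600
2025-02-10T01:05:00Z 10.1.7.8 PROPFIND intranet.corp.example 10.2.0.15 290
2025-02-10T01:05:02Z 10.1.7.8 PUT intranet.corp.example 10.2.0.15 2147483648
2025-02-10T01:06:00Z 10.1.9.3 PUT api.example.org 198.51.100.7 52428800
truncated line without enough fields
"""

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def find_webdav_exfil(log_text, threshold=THRESHOLD_BYTES):
    """Return (src, dest_host, bytes_put) for external WebDAV sessions over threshold."""
    put_bytes = defaultdict(int)
    saw_webdav = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines
        _, src, method, host, dest_ip, size = parts
        try:
            if is_internal(dest_ip):
                continue  # internal file shares are out of scope here
            size = int(size)
        except ValueError:
            continue  # unparsable IP or byte count
        if method in WEBDAV_METHODS:
            saw_webdav.add((src, host))
        elif method == "PUT":
            put_bytes[(src, host)] += size
    return sorted((s, h, n) for (s, h), n in put_bytes.items()
                  if (s, h) in saw_webdav and n >= threshold)

if __name__ == "__main__":
    for src, host, n in find_webdav_exfil(SAMPLE_LOG):
        print(f"ALERT {src} -> {host}: {n / 1e9:.2f} GB uploaded over WebDAV")
```

The heuristic only flags a source/destination pair when WebDAV-specific verbs accompany large PUT volumes to a non-RFC 1918 address, so ordinary API uploads and internal file shares in the sample are not reported.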
The DragonForce ransomware attack on Saudi Arabia signifies an escalating cyber threat targeting high-value industries in the MENA region. Organizations must act now to implement proactive security measures, prevent data breaches, and disrupt the ransomware kill chain before further incidents occur.