DragonForce Attacks Critical Infrastructure to Exfiltrate Data and Halt Operations

The DragonForce ransomware group has launched a significant cyberattack on critical infrastructure in Saudi Arabia, targeting a prominent real estate and construction company in Riyadh.

This marks the first time the group has targeted a major enterprise in the Kingdom, with over 6 terabytes of sensitive data exfiltrated.

The attack, announced on February 14, 2025, was strategically timed to pressure the victim into paying a ransom before Ramadan, which begins on February 28.

When the ransom was not paid, DragonForce publicly leaked the stolen data, including confidential client and operational documents.

The attack highlights a growing trend of ransomware targeting sectors like real estate and construction, which are critical to Saudi Arabia’s non-oil economy.

These industries manage vast amounts of sensitive data and operate complex IT systems, making them lucrative targets for cybercriminals.

The disruption caused by such attacks can freeze assets, halt operations, and inflict severe financial and reputational damage.

Advanced Tactics and Tools Amplify Threats

DragonForce employs sophisticated tools and techniques to carry out its operations.

The group operates under a Ransomware-as-a-Service (RaaS) model, offering affiliates advanced payload builders that allow extensive customization of ransomware binaries.

These tools enable encryption of critical systems, data exfiltration via secure protocols like HTTPS/SSL, and automated publication of stolen data on their Data Leak Site (DLS).

The group’s use of legitimate enterprise tools for file transfers complicates detection and prevention efforts.

The ransomware also features advanced evasion mechanisms, such as CAPTCHA filters, to prevent automated monitoring by cybersecurity platforms.

DragonForce affiliates communicate with victims via encrypted channels like TOX IM and PGP keys, ensuring secure negotiations.

The group even provides additional services to affiliates, including decryption of NTLM/Kerberos hashes and direct victim contact services to increase ransom payment pressures.

Implications for Regional Security

According to Resecurity, this incident underscores the vulnerabilities in critical infrastructure across the Middle East.

Saudi Arabia’s prominence as an economic powerhouse makes it an attractive target for ransomware groups seeking high-value payouts.

While the Kingdom ranks highly in global cybersecurity indices, gaps in organizational defenses leave many sectors exposed to sophisticated attacks like those from DragonForce.

The attack also raises concerns about potential geopolitical implications.

Cybersecurity experts warn that state-sponsored actors could exploit these vulnerabilities to destabilize economies or escalate regional tensions.

The Middle East’s wealth and geopolitical significance make it a prime target for ransomware groups leveraging dual extortion strategies to encrypt systems while threatening to leak sensitive data.

The DragonForce attack serves as a stark reminder of the urgent need for robust cybersecurity measures across critical sectors.

Organizations must adopt proactive defenses, including vulnerability management, employee training against phishing attacks, and enhanced monitoring of IT systems.

As cyber threats evolve in sophistication and scale, collaboration between governments and private entities will be essential to safeguard national assets and sensitive information from future attacks.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free