A new ransomware attack by DragonForce has targeted organizations in Saudi Arabia.
The attack, which hit a prominent Riyadh-based real estate and construction firm, resulted in the exfiltration of over 6TB of sensitive data.
According to a new advisory by Resecurity, the threat actors first announced the breach on February 14, 2025, demanding a ransom before publishing the stolen information. The deadline was set for February 27, one day before the start of Ramadan.
Advanced Data Leak Techniques
After the ransom deadline expired, DragonForce published the stolen data through a dedicated leak site (DLS) that is separate from its primary platform.
The ransomware group, which operates on a Ransomware-as-a-Service (RaaS) model, continues to expand its affiliate network, providing tools and resources to cyber-criminals in exchange for a share of ransom payments. Notably, its DLS uses CAPTCHA challenges to hinder automated scraping and monitoring by cybersecurity firms.
DragonForce has been active since December 2023, with its first known victim being the Heart of Texas Region MHMR Center. The group has since evolved, combining strong file encryption, Tor-based communications, Bitcoin wallets for payment and private chat systems for negotiation.
Ransom Payment Collection and Affiliate Network
The group recruits affiliates through the RAMP underground forum, offering one of the highest payout rates in the cybercrime market: up to 80% of ransom proceeds.
Affiliates communicate via the encrypted peer-to-peer messenger Tox, typically routed over Tor, and must prove their capability by demonstrating access to victim networks. DragonForce has tightened its vetting process after a previous leak exposed affiliate URLs.
Affiliates also receive support services, such as:
- 'Call services' for direct victim intimidation
- NTLM/Kerberos hash cracking to support post-compromise operations (the advisory calls this "decryption", but hashes are not decrypted; candidate passwords are hashed and compared offline)
- A highly flexible ransomware builder allowing customization of encryption settings
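To make the hash-cracking service concrete, here is an added example (not code from the article, from Resecurity or from DragonForce) of why a dumped NT hash is so cheap to recover. An NT hash is an unsalted MD4 of the UTF-16LE password, and the same 16 bytes serve as the Kerberos RC4-HMAC (etype 23) long-term key, which is why one service covers both "NTLM" and "Kerberos". MD4 is implemented inline because hashlib's md4 is disabled on many OpenSSL 3 builds; the account dump and wordlist are constructed for the example, and every name is an assumption.

```python
# Added example: NT hash computation and an offline dictionary attack on a
# constructed credential dump. Not taken from the article or from any group's
# tooling. Shows why "NTLM/Kerberos hash decryption" is really hash cracking.
import struct
from typing import Dict, Iterable, Optional

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Inline because hashlib.new('md4') is
    unavailable on OpenSSL 3 builds without the legacy provider."""
    msg = bytearray(data)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):  # round 1: words in order
            a = _rotl((a + F(b, c, d) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: fixed permutation of words
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & _MASK, (B + b) & _MASK, (C + c) & _MASK, (D + d) & _MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password. No salt, no iteration.
    The same bytes are the Kerberos RC4-HMAC (etype 23) key."""
    return md4(password.encode("utf-16-le")).hex()


def crack_nt_hashes(dump: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Offline dictionary attack. Because NT hashes are unsalted, each candidate
    is hashed once and looked up against every account at the same time; accounts
    sharing a hash share a password, visible before anything is cracked."""
    by_hash: Dict[str, list] = {}
    for user, h in dump.items():
        by_hash.setdefault(h.lower(), []).append(user)
    found: Dict[str, Optional[str]] = {user: None for user in dump}
    for candidate in wordlist:
        for user in by_hash.get(nt_hash(candidate), ()):
            found[user] = candidate
    return found


# Constructed sample dump (hypothetical accounts). "alice" uses the well-known
# hash of "password"; the others are generated here so the example runs offline.
SAMPLE_DUMP: Dict[str, str] = {
    "alice": "8846f7eaee8fb117ad06bdd830b7586c",
    "bob": nt_hash("Winter2025!"),
    "svc_backup": nt_hash("Winter2025!"),          # password reuse with bob
    "carol": nt_hash("c0rrect-h0rse-battery-staple-9x"),
}
# Constructed wordlist standing in for a breached-password list.
SAMPLE_WORDLIST = ["123456", "password", "Summer2024", "Winter2025!", "letmein"]

if __name__ == "__main__":
    for user, pw in crack_nt_hashes(SAMPLE_DUMP, SAMPLE_WORDLIST).items():
        print(f"{user:12s} {SAMPLE_DUMP[user]}  {pw if pw else '<not in wordlist>'}")
```

The same computation is useful defensively: auditing an NTDS.dit or SAM export against a breached-password list finds the accounts an affiliate would recover first, and disabling RC4 in favour of AES-only Kerberos, together with long passphrases, removes most of the value of a cracked NT hash.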
Tools, Tactics and Exploited Vulnerabilities
DragonForce uses phishing and exploits vulnerabilities in Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services to gain initial access.
The group also employs double extortion tactics, encrypting victim data while threatening to publish the stolen information if ransom demands are not met. Additionally, DragonForce has been known to release audio recordings of ransom negotiations to increase pressure on victims to comply.
“The combination of wealthy targets, cybersecurity gaps and geopolitical factors makes the Middle East an attractive region for ransomware groups to exploit, making these attacks more profitable,” Resecurity wrote.
“The DragonForce ransomware targeting KSA and the associated data leak from the recent victim in KSA underscore the urgent need for enhanced cybersecurity measures to protect critical national assets and sensitive information.”