A new ransomware attack by DragonForce has targeted organizations in Saudi Arabia.
The attack, which affected a prominent Riyadh-based real estate and construction firm, resulted in the exfiltration of over 6TB of sensitive data.
According to a new advisory by Resecurity, threat actors first announced the breach on February 14, 2025, demanding ransom before publishing the stolen information. The deadline was set for February 27, one day before the start of Ramadan.
Advanced Data Leak Strategies
Following the expiration of the ransom deadline, DragonForce published the stolen data through a dedicated leak site (DLS), separate from its primary platform.
The ransomware group, which operates on a Ransomware-as-a-Service (RaaS) model, continues to expand its affiliate network, providing tools and resources to cyber-criminals in exchange for a share of ransom payments. Notably, its DLS features advanced CAPTCHA mechanisms to prevent automated tracking by cybersecurity firms.
DragonForce has been active since December 2023, with its first known victim being the Heart of Texas Region MHMR Center. The group has since evolved, leveraging sophisticated encryption techniques, TOR-based communications and secure payment methods, including Bitcoin wallets and private chat systems.
Read more on this group: DragonForce Malaysia Group Releases Windows LPE Exploit and Turns to Ransomware Tactics
Ransom Payment Collection and Affiliate Network
The group recruits affiliates through the RAMP underground forum, offering one of the highest commission rates in the cybercrime market—up to 80% of ransom proceeds.
Affiliates communicate via TOR-based instant messaging (TOX) and must prove their capability by demonstrating access to victim networks. To enhance security, DragonForce has tightened its vetting process after a previous leak exposed affiliate URLs.
Affiliates also receive support services, such as:
-
‘Call services’ for direct victim intimidation
-
NTLM/Kerberos hash decryption to aid post-compromise operations
-
A highly flexible ransomware builder allowing customization of encryption settings
Tools, Tactics and Exploited Vulnerabilities
DragonForce employs phishing attacks and exploits vulnerabilities in Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services to gain initial access.
The group also employs dual extortion tactics, encrypting victim data while threatening to publish stolen information if ransom demands are unmet. Additionally, DragonForce has been known to release audio recordings of ransom negotiations, increasing pressure on victims to comply.
“The combination of wealthy targets, cybersecurity gaps and geopolitical factors make the Middle East an attractive region for ransomware groups to exploit, making these attacks more profitable,” Resecurity wrote.
“The DragonForce ransomware targeting KSA and the associated data leak from the recent victim in KSA underscore the urgent need for enhanced cybersecurity measures to protect vital national assets and sensitive information.”