{
  "name": "DragonForce Ransomware Group is Targeting Saudi Arabia",
  "slug": "dragonforce-ransomware-group-is-targeting-saudi-arabia",
  "description": "DragonForce ransomware has targeted organizations in Saudi Arabia, including a significant data leak from a Riyadh real estate and construction company. The group exfiltrated over 6 TB of data and set a deadline just before Ramadan. DragonForce operates on a Ransomware-as-a-Service (RaaS) model, offering high commission rates to affiliates and supporting various platforms. The group uses advanced techniques, including a customized CAPTCHA filter and encrypted communications. Its builder offers flexibility in payload configuration, and the group leverages legitimate tools for file transfers. DragonForce employs a dual extortion strategy and has been observed exploiting specific CVEs for network infiltration. The targeting of Saudi Arabia raises concerns about critical infrastructure security in the region.",
  "published": "2025-02-27T18:28:58+00:00",
  "created_at": "2025-02-27T18:28:58+00:00",
  "modified_at": "2025-02-28T08:55:55+00:00",
  "created_at_opencti": "2025-02-27T18:28:58+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-02-27",
    "construction",
    "dark web",
    "dragonforce",
    "raas",
    "ransomware",
    "real estate",
    "saudi arabia"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "http://dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion"
      },
      {
        "id": "",
        "name": "http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion"
      },
      {
        "id": "",
        "name": "http://kfgjwkho24xiwckcf53x7qyruobbkhx4eqn2c6oe4hprbn23rcp6qcqd.onion"
      },
      {
        "id": "",
        "name": "z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion"
      },
      {
        "id": "",
        "name": "kfgjwkho24xiwckcf53x7qyruobbkhx4eqn2c6oe4hprbn23rcp6qcqd.onion"
      },
      {
        "id": "",
        "name": "dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion"
      },
      {
        "id": "",
        "name": "1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b"
      },
      {
        "id": "",
        "name": "a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91"
      },
      {
        "id": "",
        "name": "dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986f"
      },
      {
        "id": "",
        "name": "07ab218d5c865cb4fe78353340ab923e24a1f2881ec7206520651c5246b1a492"
      },
      {
        "id": "",
        "name": "a4dfa099e1f52256ad4a3b2db961e158832b739126b80677f82b0722b0ea5e59"
      },
      {
        "id": "",
        "name": "feab413f86532812efc606c3b3224b7c7080ae4aa167836d7233c262985f888c"
      },
      {
        "id": "",
        "name": "9479a5dc61284ccc3f063ebb38da9f63400d8b25d8bca8d04b1832f02fac24de"
      },
      {
        "id": "",
        "name": "330730d65548d621d46ed9db939c434bc54cada516472ebef0a00422a5ed5819"
      },
      {
        "id": "",
        "name": "ab7d8832e35bba30df50a7cca7cefd9351be4c5e8961be2d0b27db6cd22fc036"
      },
      {
        "id": "",
        "name": "62cd46988f179edf8013515c44cbb7563fc216d4e703a2a2a249fe8634617700"
      },
      {
        "id": "",
        "name": "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:cedca6ebef254f36",
        "name": "DragonForce",
        "slug": "dragonforce"
      }
    ],
    "intrusion_sets": [
      {
        "id": "a63d97b5-8199-4473-a37a-2ef8956ad332",
        "name": "DragonForce",
        "slug": "dragonforce"
      }
    ],
    "attack_patterns": [
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "53b3b18c-d0d0-4bf6-bc6b-2c0ab9180deb",
        "name": "T1070"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "31d29704-da1c-47ea-b93f-76d368813bdf",
        "name": "T1560"
      },
      {
        "id": "fcd96dc0-500e-4354-bd97-5c65718a9004",
        "name": "T1562"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2024-21412"
      },
      {
        "id": "",
        "name": "CVE-2024-21893"
      },
      {
        "id": "",
        "name": "CVE-2024-21887"
      },
      {
        "id": "",
        "name": "CVE-2023-46805"
      },
      {
        "id": "",
        "name": "CVE-2021-44228"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Saudi Arabia"
      },
      {
        "id": "",
        "name": "Real Estate"
      },
      {
        "id": "",
        "name": "Construction"
      }
    ]
  },
  "external_refs": [
    "https://www.resecurity.com/blog/article/dragonforce-ransomware-group-is-targeting-saudi-arabia",
    "https://otx.alienvault.com/pulse/67c0bcfa5d5c50c904670867"
  ]
}