The DragonForce ransomware group has recently targeted organizations in the Kingdom of Saudi Arabia, resulting in the significant exfiltration of over 6 TB of confidential data from a major real estate and construction firm. The incident highlights a worrying trend of cyber threats against critical infrastructure in the region, indicating a potential expansion beyond the MENA area. Urgent cybersecurity measures are needed to safeguard sensitive information and national assets. Affected: Kingdom of Saudi Arabia, real estate and construction sectors.
Keypoints :
- DragonForce ransomware targeted a large KSA enterprise for the first time.
- Over 6 TB of sensitive data was leaked, including internal documents and financial records.
- The attack highlights a trend of increasing cyber threats against critical infrastructure in the MENA region.
- Real estate and construction sectors are particularly attractive to cybercriminals due to their complex IT infrastructures and valuable data.
- DragonForce employs a Ransomware-as-a-Service (RaaS) model, offering high commission rates to affiliates.
- The group utilizes advanced methods for data encryption and exfiltration, making detection difficult.
- They offer strong technical support and have implemented strict vetting processes for their affiliates.
- DragonForce operates on the TOR network and has introduced advanced payload builders for affiliates.
- They have begun using phishing and exploiting vulnerabilities to gain access to networks.
MITRE Techniques :
- Initial Access (T1190): Gaining access through exploiting vulnerabilities.
- Execution (T1204): Using phishing emails to execute malicious payloads.
- Defense Evasion (T1070): Implementing methods to avoid detection.
- Discovery (T1082): Identifying system configurations and data.
- Collection (T1560): Collecting sensitive data for exfiltration.
- Impact (T1486): Encrypting files to disrupt business operations.
- Command and Control (T1090): Using TOR for secure communications with victims and affiliates.
Indicator of Compromise :
- [URL] http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid[.]onion
- [URL] http://dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd[.]onion
- [MD5] 2915b3f8b703eb744fc54c81f4a9c67f7bdbd180c081fa63ca94f9c22c457376d54bae930b038950c2947f5397c13f84
- [SHA256] 1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf9107ab218d5c865cb4fe78353340ab923e24a1f2881ec7206520651c5246b1a492330730d65548d621d46ed9db939c434bc54cada516472ebef0a00422a5ed581962cd46988f179edf8013515c44cbb7563fc216d4e703a2a2a249fe86346177009479a5dc61284ccc3f063ebb38da9f63400d8b25d8bca8d04b1832f02fac24dea4dfa099e1f52256ad4a3b2db961e158832b739126b80677f82b0722b0ea5e59ab7d8832e35bba30df50a7cca7cefd9351be4c5e8961be2d0b27db6cd22fc036dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986ffeab413f86532812efc606c3b3224b7c7080ae4aa167836d7233c262985f888c
Full Story: https://www.resecurity.com/blog/article/dragonforce-ransomware-group-is-targeting-saudi-arabia