Insights, news, education and announcements from PolySwarm

Ransomware Attacks Ramping Up in the Middle East

Written by The Hivemind | Mar 7, 2025 6:47:01 PM

Related Families: DragonForce, RansomHub, LockBit
Verticals Targeted: Construction, Real Estate, Financial

Executive Summary

Recent industry reporting highlights the ransomware threats faced by various entities in the Middle East. DragonForce ransomware was recently observed targeting a real estate and construction company in Saudi Arabia. However, this is only the tip of the iceberg, as entities in the Middle East, particularly financial services entities in Saudi Arabia and the UAE, are also being heavily targeted by ransomware.

Key Takeaways

  • Recent industry reporting highlights the ransomware threats faced by various entities in the Middle East.
  • DragonForce ransomware was recently observed targeting a real estate and construction company in Saudi Arabia.
  • Other entities in the Middle East, particularly financial sector entities in Saudi Arabia and the UAE, are also being heavily targeted by ransomware.

DragonForce Targets Real Estate and Construction Company

In an incident targeting a real estate and construction company, DragonForce reportedly stole over 6 TB of data. The ransomware group began extorting the victim on February 14th and set the ransom deadline for February 28th. Since the ransom was not paid by the established deadline, DragonForce leaked the stolen data.

DragonForce likely chose this particular target for several reasons. First, construction is one of the most prominent non-oil-related economic drivers in Saudi Arabia, with infrastructure projects in the multi-billion-dollar range. Second, real estate and construction entities typically have a broad attack surface due to interconnected systems and reliance on third-party vendors. Third, the trove of data that can be stolen from such a target includes not only property details but also financial records and client information.

What is DragonForce?

DragonForce is a ransomware-as-a-service (RaaS) that has significantly evolved in the past year, making it a formidable threat. DragonForce ransomware was first observed in August 2023. The original DragonForce variant was based on LockBit 3.0. In June 2024, DragonForce launched a RaaS affiliate program, with affiliates receiving 80% of the paid ransom. Many of DragonForce’s targets are in critical sectors or are high-revenue entities.

DragonForce has been observed targeting public-facing remote desktop servers and using valid credentials to obtain initial access. To evade detection, DragonForce uses multiple techniques, including BYOVD (bring your own vulnerable driver) and clearing Windows Event Logs to remove forensic artifacts. For lateral movement, DragonForce uses Cobalt Strike and SystemBC, which the operators also use to harvest credentials and maintain persistence. Vulnerabilities exploited by DragonForce include CVE-2021-44228, CVE-2023-46805, CVE-2024-21412, CVE-2024-21887, and CVE-2024-21893.
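The tradecraft in the paragraph above (RDP with valid credentials, event-log clearing, BYOVD) leaves traces in standard Windows event channels that a defender can hunt in. The script below is an added example, not PolySwarm's code and not taken from any DragonForce reporting: it triages a constructed set of exported event records, tagging RDP logons (Security 4624, logon type 10) from outside RFC 1918 space, audit-log clearing (Security 1102 and System 104), and a newly installed service whose image is a .sys driver (System 7045) as a coarse BYOVD signal, then escalates any log clear that follows an external RDP logon on the same host within an hour. The flattened record shape (ts, host, channel, id, LogonType, IpAddress, ImagePath) and the sample events are assumptions; map them onto your SIEM's schema.

```python
"""Triage exported Windows event records for the DragonForce tradecraft
described above: RDP with valid credentials, event-log clearing, and
driver installation consistent with BYOVD.  Added example; the event
schema and the sample records are constructed assumptions."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed flattened export: one dict per event with the XML fields hoisted.
SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    {"ts": "2025-02-10T02:11:05", "host": "FS01", "channel": "Security", "id": 4624,
     "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.45"},
    {"ts": "2025-02-10T02:14:30", "host": "FS01", "channel": "System", "id": 7045,
     "ServiceName": "hwmon", "ImagePath": r"C:\Windows\Temp\hwmon.sys"},
    {"ts": "2025-02-10T02:20:12", "host": "FS01", "channel": "Security", "id": 1102,
     "SubjectUserName": "svc_backup"},
    {"ts": "2025-02-10T02:20:13", "host": "FS01", "channel": "System", "id": 104,
     "SubjectUserName": "svc_backup"},
    {"ts": "2025-02-10T09:00:00", "host": "WS22", "channel": "Security", "id": 4624,
     "LogonType": 10, "TargetUserName": "alice", "IpAddress": "10.1.4.22"},
]

# RFC 1918 ranges count as internal; everything else (including the
# documentation range used in the sample) is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True for RFC 1918 addresses; False for anything unparsable (e.g. '-')."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def classify(ev):
    """Return the detection tags that a single event record satisfies."""
    tags = []
    if (ev["channel"], ev["id"]) == ("Security", 4624) and ev.get("LogonType") == 10 \
            and not is_internal(ev.get("IpAddress", "")):
        tags.append("rdp_logon_external")          # valid account over exposed RDP
    if (ev["channel"], ev["id"]) in {("Security", 1102), ("System", 104)}:
        tags.append("log_cleared")                  # audit/system log cleared
    if (ev["channel"], ev["id"]) == ("System", 7045) \
            and ev.get("ImagePath", "").lower().endswith(".sys"):
        tags.append("driver_service_installed")     # coarse BYOVD signal
    return tags


def triage(events, window=timedelta(minutes=60)):
    """Tag every event, then escalate log clearing that follows an
    external RDP logon on the same host inside the correlation window."""
    findings = []
    recent_rdp = {}  # host -> [(logon time, user, source ip)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        for tag in classify(ev):
            findings.append({"host": ev["host"], "ts": ev["ts"], "tag": tag, "severity": "medium"})
            if tag == "rdp_logon_external":
                recent_rdp.setdefault(ev["host"], []).append(
                    (t, ev.get("TargetUserName", "?"), ev.get("IpAddress", "?")))
            elif tag == "log_cleared":
                for logon_t, user, ip in recent_rdp.get(ev["host"], []):
                    if timedelta(0) <= t - logon_t <= window:
                        findings.append({
                            "host": ev["host"], "ts": ev["ts"], "tag": "rdp_then_log_clear",
                            "severity": "high",
                            "detail": f"log cleared {t - logon_t} after RDP logon by {user} from {ip}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['host']} {f['ts']} {f['tag']} {f.get('detail', '')}")
```

On the constructed input, FS01 produces one external RDP logon, one driver-service install, two log-clear events and two high-severity correlations, while the internal RDP logon on WS22 produces nothing; in production the internal-range list and the correlation window are the two knobs to tune first.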

DragonForce is customizable, giving affiliates the opportunity to tailor attacks to their victims using an advanced payload builder. This allows threat actors to disable security features, choose encryption parameters, and customize ransom notes. As demonstrated in the attack noted above, DragonForce uses a double extortion model, demanding a ransom to decrypt encrypted data and threatening to leak stolen data if the ransom is not paid.

Ransomware Threats to the Financial Sector in the Middle East

Financial sector entities are among the most targeted by ransomware in the Middle East, with over 20% of ransomware attacks in the region targeting financial entities. Ransomware operators target Middle Eastern financial institutions for compelling strategic and economic reasons, rooted in the region’s unique profile. Multiple financial services entities in the region recently conducted a wargaming exercise in the UAE to increase preparedness against these attacks.

The financial incentive to target these entities is substantial. The Middle East hosts significant wealth, particularly in Gulf nations such as Saudi Arabia, the UAE, and Qatar, where oil revenues and robust banking sectors drive a regional GDP exceeding $4.5 trillion. Technological disparities amplify the opportunity. While certain hubs like Dubai lead in fintech innovation, many regional financial systems rely on legacy infrastructure: outdated software and insufficient security protocols.

The most active ransomware groups targeting financial entities in the Middle East include RansomHub and LockBit. However, there were also a significant number of ransomware attacks in the past year from the ArcusMedia, Cicada3301, Daixin, DarkVault, Eldorado, HuntersInternational, KillSec, Lynx, Medusa, Qilin, RansomEXX, Pryx, RA World, Rhysida, Snatch, SpaceBears, and Underground ransomware families.

IOCs

PolySwarm has multiple samples of DragonForce. SHA-256 hashes of these samples:

df903c620508011ca8eb2aaaf9712a526b31a12c800b856cd524ebb3fde854b2
55befb5de5d9bc45978efd1a960ae21ed81e4be9c6521aaeebf8d5884444e3c9
572d88c419c6ae75aeb784ceab327d040cb589903d6285bbffa77338111af14b
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
330730d65548d621d46ed9db939c434bc54cada516472ebef0a00422a5ed5819


You can use the following CLI command to search for all DragonForce samples in our portal:

$ polyswarm link list -f DragonForce
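The portal search above finds samples PolySwarm already holds; the complementary check on your own side is to sweep file systems for the same hashes. The script below is an added example (not PolySwarm's CLI or tooling) that walks a directory tree, hashes each regular file in chunks, and reports any file whose SHA-256 is in the IOC list from this report. The IOC set is copied from the section above; the sample file created in the test is constructed, and the `sweep` function accepts any hash set so it can be reused for other reports.

```python
"""Sweep a directory tree for files whose SHA-256 matches the DragonForce
hashes published in this report.  Added example, not PolySwarm's tooling;
the hash list is copied from the IOC section above."""
import hashlib
import os
import re
import sys
from pathlib import Path

# SHA-256 IOCs as listed in this report.
DRAGONFORCE_SHA256 = {
    "df903c620508011ca8eb2aaaf9712a526b31a12c800b856cd524ebb3fde854b2",
    "55befb5de5d9bc45978efd1a960ae21ed81e4be9c6521aaeebf8d5884444e3c9",
    "572d88c419c6ae75aeb784ceab327d040cb589903d6285bbffa77338111af14b",
    "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507",
    "a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91",
    "330730d65548d621d46ed9db939c434bc54cada516472ebef0a00422a5ed5819",
}

_HEX64 = re.compile(r"^[0-9a-f]{64}$")


def normalize_iocs(hashes):
    """Lower-case the set and reject anything that is not a SHA-256 hex digest,
    so a typo in a copied IOC fails loudly instead of silently never matching."""
    out = set()
    for h in hashes:
        h = h.strip().lower()
        if not _HEX64.match(h):
            raise ValueError(f"not a SHA-256 hex digest: {h!r}")
        out.add(h)
    return out


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=DRAGONFORCE_SHA256):
    """Return {path: sha256} for every regular file under root whose digest is
    in iocs.  Symlinks are skipped and unreadable files are ignored rather
    than aborting the whole sweep."""
    wanted = normalize_iocs(iocs)
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if p.is_symlink() or not p.is_file():
                    continue
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in wanted:
                hits[str(p)] = digest
    return hits


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    matches = sweep(target)
    for path, digest in sorted(matches.items()):
        print(f"MATCH {digest}  {path}")
    print(f"{len(matches)} matching file(s) under {target}")
```

Run it as `python sweep.py /path/to/share` (the filename is whatever you save the script as). A hash match is high-confidence but narrow: affiliates rebuild payloads with the builder described above, so a clean sweep rules out only these six builds, not DragonForce as a whole.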

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.