Ransomware Builds Against Saudi Construction Firms – Dark Reading
Cybercriminals are ramping up their efforts in the Kingdom and targeting more than just petroleum firms; now, they’re aiming for Middle East organizations in the IT, government, construction, and real estate sectors too.
March 6, 2025
A recent ransomware attack has compromised a construction firm in Saudi Arabia, underscoring the increasing risk facing everyday organizations in the Middle East, as more cybercriminal and ransomware-as-a-service (RaaS) groups flock to the region.
On Feb. 14, the "DragonForce" RaaS group posted an announcement to its data-leak site warning the Saudi construction firm Al Bawani that the company had been compromised. It claimed to have stolen about 6TB worth of data, according to Resecurity, a cybersecurity service provider.
After the ransomware group posted the data leak, it gave the company two weeks to pay, as seen in a screenshot posted by Resecurity. After the company failed to pay, the attackers released a tranche of data, including photographs and plans for an airbase, an air warfare facility, a data center, and hotels, the cybersecurity firm stated.
Motivation for the attack is unclear. While geopolitics often plays a role in attacks in the region, the origin of the DragonForce ransomware-as-a-service group largely remains a mystery. While there is a group in Malaysia using the same name, that group has reportedly refuted any connection, maintaining that they are focused on exposing oppression, not cybercriminal profits.
Resecurity discovered some telltale indicators that suggest the group could have links to China or Iran, but those links are not definitive and attribution remains elusive, says Yoo. The indicators could easily just indicate that the affiliates of the organization may have links to either China or Iran, he says.
"After we performed reverse engineering of the malicious payloads used by DragonForce, [we] found signatures written in Chinese [and] one of the C2 servers used by them at an early stage of operations was located in Iran," Yoo says. "Such groups have a wide network of affiliates and strong cooperation with other cybercriminal syndicates."
Screenshot of data-leak site entry showing Al Bawani compromise. Source: Resecurity
Al Bawani is not alone: The RansomHub group is known to have targeted at least two other real-estate and construction firms, and the AlphV/BlackCat gang compromised construction firm Arail all the way back in 2023, Resecurity stated.
Recently, ransomware groups appear to be increasing their targeting of such firms in the region, says Gene Yoo, CEO of Resecurity.
"Recent incidents indicate a significant increase in ransomware attacks across the region, with the trend being driven by the rise of RaaS models," he says. "The healthcare, finance, energy and construction, and real estate sectors are particularly attractive to cybercriminals due to the sensitive nature of their data and the critical services they provide, as well as probability of potential payout due to significant investments behind it."
The first two months of the year have seen 63 ransomware attacks conducted by LockBit, RansomHub, and other groups targeting organizations in the region, with construction and real estate firms the third-most-targeted organizations, indicating a shift in cybercriminal strategies, says Alexey Lukatsky, managing director and cybersecurity business consultant for cybersecurity firm Positive Technologies.
"The rise of RaaS platforms has lowered the entry barrier for cybercriminals, leading to a surge in attacks," he says. "In the Middle East and Africa region, information from 205 companies appeared on ransomware data leak sites — a 68% increase from the previous year."
Some of the attacks in the sector also show geopolitical and cybercriminal interests aligning, he says: "Hacktivist groups active in the Middle East due to the current geopolitical situation are increasingly using ransomware in their operations."
That's not to say that other sectors shouldn't worry: IT service providers have also been a popular target because a single breach can allow a ransomware group to impact downstream business customers, while a quarter of attacks have targeted government agencies using both ransomware and more destructive wipers, according to Positive Technologies.
Saudi Arabia is not alone, either. The United Arab Emirates (UAE) continues to be the most targeted nation in the region. In the past year, 36 attacks on organizations in the Saudi Arabia region have been posted to data leak sites, while 54 organizations in the UAE suffered attacks, according to the tracking site Ransomware.live.
Robert Lemos, Contributing Writer
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.


