Date: 03/07/2025
Severity: Critical
Summary
The report "DragonForce Ransomware Group is Targeting Saudi Arabia" highlights a recent ransomware attack by DragonForce, which targeted organizations in the Kingdom of Saudi Arabia (KSA). A major incident involved a data breach at a prominent Riyadh real estate and construction company. This attack is part of a growing trend of cyber threats in the region, particularly against critical infrastructure and large corporations. The incident serves as a warning for law enforcement and the cybersecurity community, signaling that attacks may spread beyond the MENA region as the group's techniques prove effective.
Indicators of Compromise (IOC) List
URL/Domain |
http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
http://dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion
http://kfgjwkho24xiwckcf53x7qyruobbkhx4eqn2c6oe4hprbn23rcp6qcqd.onion |
Hash |
2915b3f8b703eb744fc54c81f4a9c67f
7bdbd180c081fa63ca94f9c22c457376
d54bae930b038950c2947f5397c13f84 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 |
userdomainname like "http://dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion" or url like "http://dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion" or userdomainname like "http://kfgjwkho24xiwckcf53x7qyruobbkhx4eqn2c6oe4hprbn23rcp6qcqd.onion" or url like "http://kfgjwkho24xiwckcf53x7qyruobbkhx4eqn2c6oe4hprbn23rcp6qcqd.onion" or userdomainname like "http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion" or url like "http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion" |
Detection Query 2 |
md5hash IN ("7bdbd180c081fa63ca94f9c22c457376","2915b3f8b703eb744fc54c81f4a9c67f","d54bae930b038950c2947f5397c13f84") |
Detection Query 3 |
sha256hash IN ("a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91","9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507","9479a5dc61284ccc3f063ebb38da9f63400d8b25d8bca8d04b1832f02fac24de","330730d65548d621d46ed9db939c434bc54cada516472ebef0a00422a5ed5819","07ab218d5c865cb4fe78353340ab923e24a1f2881ec7206520651c5246b1a492","1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b","62cd46988f179edf8013515c44cbb7563fc216d4e703a2a2a249fe8634617700","a4dfa099e1f52256ad4a3b2db961e158832b739126b80677f82b0722b0ea5e59","ab7d8832e35bba30df50a7cca7cefd9351be4c5e8961be2d0b27db6cd22fc036","dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986f","feab413f86532812efc606c3b3224b7c7080ae4aa167836d7233c262985f888c") |
Reference:
https://www.resecurity.com/blog/article/dragonforce-ransomware-group-is-targeting-saudi-arabia