Al Bawani DragonForce Ransomware Exfiltrates 7TB Including Defense Documents

Feb 1, 2025 · $20M ransom

CRITICAL

By Karim El Labban · ZERO|TOLERANCE


In February 2025, the DragonForce ransomware group claimed responsibility for a devastating dual-extortion attack on Al Bawani, one of Saudi Arabia's largest construction and infrastructure conglomerates.

The group exfiltrated 6.96 terabytes of data--including photographs and plans for an airbase, air warfare facility blueprints, data center schematics, and employee records--before encrypting the company's systems. Al Bawani refused the $20 million USD ransom demand.

DragonForce published audio recordings of the ransom negotiations and released the full dataset after the February 27, 2025 deadline expired--just one day before the start of Ramadan.

01

KEY FACTS

  • What: DragonForce ransomware exfiltrated 6.96TB from Saudi contractor Al Bawani.
  • Who: Al Bawani, a major Saudi construction and infrastructure conglomerate.
  • Data Exposed: Airbase plans, defense blueprints, data center schematics, and employee records.
  • Outcome: $20M ransom refused; full dataset published before Ramadan.

02

WHAT HAPPENED

The DragonForce ransomware affiliate gained initial access to Al Bawani's network in early February 2025 through means that have not been publicly disclosed.

Once inside, the operators followed the standard dual-extortion playbook: establish persistence, escalate privileges, identify high-value data repositories, stage and exfiltrate data, then deploy encryption.

The exfiltration phase extracted 6.96 terabytes across Al Bawani's file servers, project management systems, and HR databases.

The volume and classification of the stolen data - airbase plans, air warfare facility blueprints, data center schematics - indicate the attackers had broad lateral access across multiple network segments, including those storing defense-related project documentation.

DragonForce issued a $20 million USD ransom demand. Al Bawani refused to pay. DragonForce then published audio recordings of the ransom negotiations - a deliberate humiliation tactic designed to pressure future victims by demonstrating the consequences of refusal.

When the February 27, 2025 deadline expired without payment, DragonForce released the full 6.96TB dataset on its dark web leak site.

The timing was calculated: the release fell one day before the start of Ramadan, when organizational response teams, legal counsel, and government regulators operate at reduced capacity. The dataset was immediately accessible to any actor with a Tor browser.

The publication of the full dataset transformed the incident from a confidential extortion attempt into a permanent, public intelligence exposure.

Airbase plans, perimeter security configurations, and data center network topologies are now available to any state or non-state actor with adversarial intent toward Saudi critical infrastructure.

Unlike personal data that can be rotated or reissued, physical security configurations derived from architectural blueprints cannot be changed without demolition and reconstruction.

03

WHAT WAS EXPOSED

  • Photographs and architectural plans for an airbase, including facility layouts and perimeter security configurations
  • Air warfare facility plans containing technical specifications and structural engineering details
  • Data center schematics including power distribution, cooling systems, network topology, and physical security measures
  • Employee records including personal identification documents, employment contracts, and HR files
  • Client identification documents and project correspondence spanning multiple government and private-sector contracts

DragonForce operates as a Ransomware-as-a-Service (RaaS) platform, offering affiliates an 80% commission. The timing of the data release--one day before Ramadan--was likely deliberate, as organizational response capabilities are typically diminished during holiday periods.

The data center schematics reveal physical and logical architecture of facilities that host critical systems, transforming theoretical vulnerabilities into actionable intelligence.

04

REGULATORY ANALYSIS

This breach occurred five months after Saudi Arabia's Personal Data Protection Law (PDPL) entered full enforcement on September 14, 2024. The defense-sector documents raise questions beyond the PDPL's personal data framework--airbase plans and warfare facility blueprints are governed by classified information regulations and the Anti-Cyber Crime Law.

The maximum PDPL penalty is SAR 5 million per violation, with the possibility of doubling for repeat offenses. No public enforcement action by SDAIA has been announced.

05

ZERO|TOLERANCE Advisory

A ransomware affiliate exfiltrated 6.96 terabytes of data - including defense facility blueprints and airbase plans - from one of Saudi Arabia's largest construction conglomerates. The data is now permanently public.

The ransom was refused, but the damage was done before anyone negotiated. The kill chain that enabled this outcome followed the well-documented dual-extortion playbook: initial access, lateral movement, data staging, exfiltration, then encryption.

Every phase of that chain had a control point where the attack could have been detected, contained, or rendered ineffective. None of those controls activated.

The volume of exfiltrated data - nearly 7 terabytes - reveals the absence of Data Loss Prevention (DLP) controls at network egress points. Exfiltrating terabytes of data from a corporate network is not a silent operation. It requires sustained, high-bandwidth transfers to external destinations over hours or days.

DLP solutions from Symantec, Forcepoint, or Zscaler inspect outbound traffic for sensitive content patterns - document classifications, architectural drawing file types, personally identifiable information - and block or alert on transfers exceeding defined thresholds.

A policy that flags any outbound transfer exceeding 500 megabytes to an unclassified external destination would have detected the exfiltration during the first hour of staging.

The difference between detecting a 500MB transfer and discovering a 7TB leak is the difference between an incident and a national security exposure.
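The egress-volume rule described above, written out as an added illustration that is not part of the original advisory or of any named vendor product: it sums outbound bytes per source/destination pair over a sliding one-hour window and raises an alert once an unsanctioned external destination has received more than 500 MB. The internal address ranges, the sanctioned-destination allowlist and the flow records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Threshold and window from the advisory's rule: >500 MB outbound within an hour.
THRESHOLD_BYTES = 500 * 1024 * 1024
WINDOW = timedelta(hours=1)

# Assumed internal address space and sanctioned external destinations
# (e.g. a contracted backup provider); any other external address is "unclassified".
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
SANCTIONED_DESTINATIONS = {"203.0.113.10"}

# Constructed flow records (timestamp, src_ip, dst_ip, bytes_out); not real data.
SAMPLE_FLOWS = [
    ("2025-02-03T01:00:00", "10.20.5.17", "203.0.113.10", 900_000_000),   # sanctioned backup
    ("2025-02-03T01:05:00", "10.20.5.17", "10.20.9.4", 2_000_000_000),    # internal copy
    ("2025-02-03T02:00:00", "10.20.5.17", "198.51.100.77", 200_000_000),
    ("2025-02-03T02:20:00", "10.20.5.17", "198.51.100.77", 250_000_000),
    ("2025-02-03T02:40:00", "10.20.5.17", "198.51.100.77", 120_000_000),
    ("2025-02-03T05:00:00", "10.20.7.3", "198.51.100.77", 50_000_000),
]

def is_unclassified_external(dst):
    """True when the destination is outside the internal ranges and not allowlisted."""
    ip = ip_address(dst)
    internal = any(ip in net for net in INTERNAL_NETWORKS)
    return not internal and dst not in SANCTIONED_DESTINATIONS

def detect_bulk_egress(flows, threshold=THRESHOLD_BYTES, window=WINDOW):
    """Return one alert (src, dst, bytes, window_start, window_end) per source/destination
    pair whose outbound volume exceeds `threshold` within any sliding `window`."""
    groups = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if is_unclassified_external(dst):
            groups[(src, dst)].append((datetime.fromisoformat(ts), nbytes))
    alerts = []
    for (src, dst), records in groups.items():
        records.sort()
        start, total = 0, 0
        for ts, nbytes in records:
            total += nbytes
            while ts - records[start][0] > window:   # slide the window forward
                total -= records[start][1]
                start += 1
            if total > threshold:
                alerts.append((src, dst, total, records[start][0].isoformat(), ts.isoformat()))
                break   # one alert per pair is enough to escalate
    return alerts
```

On the sample flows, the sanctioned backup and the internal copy are ignored, while the three transfers to 198.51.100.77 cross the threshold at 02:40, forty minutes into the transfer.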

The breadth of the stolen data - spanning defense projects, employee HR files, client documents, and data center schematics - indicates the attacker moved laterally across multiple network segments without restriction.

Network segmentation isolates sensitive project environments from general corporate infrastructure.

Defense-related project data, classified facility designs, and government contract documentation should reside on air-gapped or heavily restricted network segments accessible only through jump servers with multi-factor authentication and session recording.

If the defense project data had been segmented from the corporate network, the attacker's access to employee records and general correspondence would not have automatically granted access to airbase blueprints.

Microsegmentation platforms from Illumio, Guardicore (now Akamai), or VMware NSX enforce least-privilege network access at the workload level, preventing east-west movement even after a perimeter breach.

The exfiltrated data included data center schematics showing power distribution, cooling systems, network topology, and physical security measures. These documents transform theoretical vulnerabilities into actionable physical attack intelligence.

Sensitive infrastructure documentation of this classification should be stored in encrypted repositories with access controls enforced through Privileged Access Management (PAM).

CyberArk, BeyondTrust, or Delinea vault sensitive documents and provide access only through authenticated, recorded sessions.

Document-level encryption using Microsoft Azure Information Protection or Vera (now HelpSystems) ensures that even if files are exfiltrated, they remain encrypted and unreadable without the decryption key.

The attacker would have obtained encrypted blobs instead of readable blueprints.

DragonForce released the dataset one day before Ramadan - a calculated timing decision that exploited reduced organizational response capacity during a major holiday period. Incident response planning must account for adversary awareness of operational tempo.

Automated detection and response capabilities - Security Orchestration, Automation, and Response (SOAR) platforms such as Palo Alto XSOAR, Splunk SOAR, or IBM QRadar SOAR - ensure that critical alerts trigger automated containment actions regardless of whether human analysts are available.

Pre-authorized playbooks that automatically isolate compromised hosts, block suspicious outbound connections, and escalate to on-call personnel eliminate the dependency on manual response during reduced-staffing periods.

An organization handling defense-sector data cannot afford a response model that degrades during foreseeable calendar events.

06

SOURCES

Resecurity, Hackmanac, Dark Reading, Infosecurity Magazine, Security Affairs
