DragonForce Hits Conrad Capital: SAMA TPRM Lessons for Saudi Banks

DragonForce ransomware claims 74.23 GB of stolen data from US investment firm Conrad Capital Management. The breach delivers an urgent SAMA CSCC and TPRM wake-up call for Saudi financial institutions.

FyntraLink Team

The DragonForce ransomware cartel has added another financial scalp to its data leak site — this time Conrad Capital Management, a US investment advisory firm with deep exposure to high-net-worth client portfolios. With 74.23 GB allegedly exfiltrated and a five-day extortion clock running, the breach is more than another headline. For Saudi banks subject to SAMA CSCC, NCA ECC and PDPL, it is a textbook stress test of third-party risk management (TPRM) and double-extortion readiness.

Inside the DragonForce Attack on Conrad Capital

According to DragonForce's leak portal, the group breached Conrad Capital Management on or around 18 March 2026, exfiltrating 74.23 GB of customer personally identifiable information (PII), portfolio holdings, retirement plan documents and internal financial workpapers. The threat actor issued a five-day negotiation window — a hallmark double-extortion tactic designed to compress incident response decision cycles before regulators and counsel can fully engage. As of publication, Conrad Capital has not publicly confirmed the breach scope or notification status, leaving downstream counterparties to assume the worst.

DragonForce: A Cartel-Style RaaS Player

DragonForce surfaced in late 2023 with hacktivist branding before pivoting to financially motivated ransomware-as-a-service (RaaS) operations in early 2024. The group has now listed 363 victims on its data leak site (DLS), with sharp growth since 2025 as it absorbed affiliates from disrupted brands such as RansomHub. Operationally, DragonForce affiliates lean on initial access broker (IAB) listings, abuse of legitimate remote management tools (RMM), Active Directory exploitation via tools like Mimikatz and ADRecon, and increasingly target SimpleHelp, ConnectWise ScreenConnect and exposed VPN appliances for entry. Their playbook fits the modern financial-sector threat profile: identity compromise first, lateral movement second, mass exfiltration before encryption.

What This Means for Saudi Financial Institutions

Saudi banks, capital market institutions and finance companies licensed by SAMA are not insulated from this incident — even if Conrad Capital is not a direct counterparty. SAMA CSCC clause 3.3.15 (Third Party Cyber Security) and the NCA ECC sub-control 4-2 explicitly require continuous due diligence over service providers handling member-institution data. PDPL's data subject notification obligations under Articles 20 and 23 are triggered when any processor or sub-processor in the data chain is compromised, regardless of jurisdiction. Investment advisory, asset management and custody platforms used by Saudi private banking arms, family offices and HNW desks frequently rely on US counterparties with similar architectures to Conrad Capital — making this attack a credible blueprint of what local institutions will face next.

Practical Steps Saudi CISOs Should Take This Week

  1. Run an emergency TPRM review of every advisory, custody and portfolio management vendor, focusing on those with administrative access to client data sets above PDPL sensitivity thresholds.
  2. Validate that contracts include the SAMA CSCC-aligned 72-hour breach notification clause and right-to-audit language; flag any vendor still using "best effort" notification language.
  3. Confirm immutable, segregated backups for portfolio management and CRM data — DragonForce affiliates routinely target Veeam (CVE-2024-40711 patterns) and Commvault repositories before triggering encryption.
  4. Hunt proactively for DragonForce TTPs: SimpleHelp and ScreenConnect connections from non-Saudi geolocations, anomalous Mimikatz-style LSASS access, and ADRecon enumeration spikes — map detections to MITRE ATT&CK techniques T1078, T1219 and T1003.
  5. Run a 60-minute tabletop exercise simulating a five-day extortion deadline scenario with legal, comms, SAMA liaison and the executive committee — many Saudi banks have IR plans built for ransomware encryption, not pure data-extortion blackmail.
  6. Review SOC playbooks for early-stage indicators in the kill chain: initial access via exposed RMM, MFA fatigue against M365 tenants, and Cobalt Strike or Sliver beaconing during business hours.
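The hunt described in step 4, expressed as detection logic over sample telemetry. This is an added example, not code from Fyntralink or from this article. Every event below is constructed for illustration; the field names are assumptions loosely modelled on Sysmon process-access events and a generic RMM session log, not any vendor's real schema. The LSASS access-mask set and the process allow list are illustrative and must be tuned to your own baseline. The list above maps detections to T1078, T1219 and T1003; the example additionally tags the ADRecon-style LDAP burst as T1087.002 (Domain Account discovery), which the list does not name.

```python
"""Hunt for the three DragonForce-style indicators named in step 4:
   1. SimpleHelp / ScreenConnect sessions from outside the allowed geographies
   2. Mimikatz-style LSASS handle access from an unexpected process
   3. ADRecon-style LDAP enumeration bursts from a single host/user
All telemetry here is constructed; field names are assumptions, not a real schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Access masks typically requested when a tool reads LSASS memory
# (Mimikatz, procdump-style dumps). 0x1000 / 0x1400 alone are routine and excluded.
# Illustrative set; confirm against your own Sysmon Event ID 10 baseline.
SUSPICIOUS_LSASS_ACCESS = {0x1010, 0x1410, 0x1418, 0x1438, 0x143A, 0x1FFFFF}

# Processes that legitimately open LSASS on a managed Windows estate (illustrative).
LSASS_ALLOWED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

RMM_TOOLS = {"simplehelp", "screenconnect"}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def hunt(events, allowed_countries=frozenset({"SA"}),
         ldap_threshold=20, window=timedelta(minutes=10)):
    """Return findings as dicts with host, ATT&CK technique and a reason string."""
    findings = []
    ldap_by_actor = defaultdict(list)   # (host, user) -> [query timestamps]

    for ev in events:
        kind = ev["event"]
        if kind == "rmm_session":
            # T1219 Remote Access Software; the account used is the T1078 angle.
            if ev["tool"].lower() in RMM_TOOLS and ev["src_country"] not in allowed_countries:
                findings.append({
                    "host": ev["host"], "technique": "T1219", "related": "T1078",
                    "reason": f"{ev['tool']} session from {ev['src_country']} as {ev['user']}",
                })
        elif kind == "process_access":
            # T1003.001 LSASS Memory: suspicious mask from a non-allow-listed image.
            source = ev["source_image"].lower()
            target = ev["target_image"].lower()
            access = int(ev["granted_access"], 16)
            if (target.endswith(r"\lsass.exe") and access in SUSPICIOUS_LSASS_ACCESS
                    and source not in LSASS_ALLOWED_SOURCES):
                findings.append({
                    "host": ev["host"], "technique": "T1003.001",
                    "reason": f"{source} opened LSASS with access mask 0x{access:x}",
                })
        elif kind == "ldap_query":
            ldap_by_actor[(ev["host"], ev["user"])].append(datetime.strptime(ev["ts"], TS_FMT))

    # T1087.002 Domain Account discovery: sliding-window burst of LDAP queries.
    for (host, user), times in ldap_by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= ldap_threshold:
                findings.append({
                    "host": host, "technique": "T1087.002",
                    "reason": f"{user} issued {end - start + 1} LDAP queries within {window}",
                })
                break
    return findings


def build_sample_events():
    """Constructed telemetry: one compromised workstation (WS-0142) and one clean one."""
    base = datetime(2026, 3, 18, 9, 0, 0)
    ts = lambda offset_s: (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
    lsass = r"C:\Windows\System32\lsass.exe"
    events = [
        {"ts": ts(0), "event": "rmm_session", "tool": "ScreenConnect", "host": "WS-0142",
         "src_country": "NL", "user": "svc_helpdesk"},
        {"ts": ts(30), "event": "rmm_session", "tool": "SimpleHelp", "host": "WS-0077",
         "src_country": "SA", "user": "it.admin"},
        {"ts": ts(120), "event": "process_access", "host": "WS-0142",
         "source_image": r"C:\Users\Public\x.exe", "target_image": lsass, "granted_access": "0x1010"},
        {"ts": ts(125), "event": "process_access", "host": "WS-0077",
         "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
         "target_image": lsass, "granted_access": "0x1400"},
    ]
    # 25 queries in about two minutes from one actor: enumeration burst.
    events += [{"ts": ts(200 + 5 * i), "event": "ldap_query", "host": "WS-0142",
                "user": "svc_helpdesk", "filter": "(objectClass=user)"} for i in range(25)]
    # Five queries ten minutes apart from an admin: below threshold, no finding.
    events += [{"ts": ts(300 + 600 * i), "event": "ldap_query", "host": "WS-0077",
                "user": "it.admin", "filter": "(objectClass=computer)"} for i in range(5)]
    return events


if __name__ == "__main__":
    for f in hunt(build_sample_events()):
        print(f["host"], f["technique"], f["reason"])
```

The three rules are independent on purpose: a single geo-anomalous RMM session is a triage item, but the same host then opening LSASS and bursting LDAP queries within minutes is the identity-first, lateral-movement-second pattern the article describes, and correlating findings by host is where an analyst should start.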

Conclusion

The Conrad Capital breach is not a US-only story. It is a preview of how a determined RaaS cartel will treat any Saudi-regulated firm that under-invests in TPRM, backup immutability and data-extortion incident response. SAMA CSCC and NCA ECC already require these controls — DragonForce simply audits them on a five-day timer.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment focused on TPRM, ransomware resilience and double-extortion readiness.