On June 12, 2026, the ransomware operation DragonForce posted two UAE firms to its dark-web leak site within hours of each other: Al Ishrak Contracting, a Dubai construction company founded in 1975, and Al Shafar GRC, a glass-fibre-reinforced-concrete manufacturer. Both postings landed inside a single 48-hour run that also claimed a Swedish steelmaker and two Hong Kong targets — evidence, per incident trackers, of a group operating at industrial scale rather than picking off individual victims one at a time (Breached.Company). Ransomware.live's UAE tracker now lists 165 claimed victims in the country across all groups, DragonForce among the more active (ransomware.live). Neither Emirati firm has publicly confirmed paying a ransom; under double-extortion tactics, the leak-site posting itself is the pressure point, threatening data release regardless of payment.
The Law on the Books Is Already Severe
The UAE is not under-legislated here. Federal Decree-Law No. 34 of 2021 on Countering Rumours and Cybercrimes, in force since January 2, 2022, criminalises extortion via information networks with up to two years' imprisonment and fines of AED 250,000–500,000 for standard cases, rising to temporary imprisonment of up to ten years where the threat involves a further crime (has.law summary of Decree-Law 34/2021). The federal government's own consumer-facing guidance directs victims of cyber-blackmail to Dubai Police's Al Ameen service, which coordinates with the Telecommunications and Digital Government Regulatory Authority (TDRA) and can escalate to Interpol for cross-border cases (u.ae, Cyber Safety and Digital Security). Separately, the Federal Decree-Law on Personal Data Protection (No. 45 of 2021) requires controllers to report breaches that prejudice individuals' privacy to the UAE Data Office, layering a notification duty on top of the criminal statute (u.ae, Data Protection Laws). On paper, a firm like Al Ishrak sits inside a reasonably complete regime: criminal deterrence, a breach-reporting channel, and a dedicated cyber-blackmail unit.
The steelman for tougher enforcement is real: construction and manufacturing firms hold contractor records, national-infrastructure project data, and government-adjacent contracts: exactly the targets a serious cybercrime regime should protect, and the UAE's National Electronic Security Authority standards and TDRA-run aeCERT exist precisely to raise the floor for such entities.
Why the Statute Doesn't Reach the Attacker
The problem DragonForce exposes isn't statutory leniency, it's reach. DragonForce operates as a self-described "ransomware cartel": rather than forcing affiliates to deploy its own encryptor, it rents out admin panels, negotiation infrastructure, and leak-site hosting to semi-independent crews who brand their own operations. When RansomHub's infrastructure collapsed in April 2025, its affiliates migrated straight into this white-label model, and DragonForce later announced a coordination pact with Qilin and LockBit to share resources and "dictate market conditions" across the ransomware market (The Hacker News). That structure means the operators who touched Al Ishrak's network are very unlikely to be UAE residents, and quite possibly aren't even DragonForce's core developers, just an affiliate borrowing its tooling for a weekend run through Dubai, Gothenburg, and Hong Kong alike. A ten-year maximum sentence under Article 42 has no deterrent value against an actor a UAE court will likely never have jurisdiction over.
The Policy Mistake to Avoid
The temptation after an incident like this is to legislate harder domestically: longer sentences, broader mandatory-reporting rules, stiffer fines on victim companies for insufficient security. That instinct misreads where the gap actually sits. Al Ishrak and Al Shafar GRC are exactly the mid-sized firms — hundreds of employees, not thousands, no in-house SOC — that new compliance burdens land hardest on and deter least. Raising domestic penalties for an offense whose perpetrators are already unreachable mostly raises costs for the victims who get breach-notification obligations layered on top of the attack itself, without adding one unit of deterrence for offshore RaaS cartels who never had to weigh a UAE court date to begin with.
The more proportionate response is enforcement plumbing, not statute rewrites: faster mutual legal assistance and Interpol referral pathways for TDRA and Dubai Police once an affiliate is geolocated, sector-specific threat-intel sharing so construction and manufacturing firms outside the financial-services compliance bubble get the same NESA-grade guidance banks already receive, and continued reliance on aeCERT as a coordination point rather than a new licensing gate. The UAE's cybercrime law already clears the bar international peers use; what it needs now is an enforcement arm capable of following a cartel's affiliate network past its own borders; not a heavier statute aimed at victims who were never the ones setting the terms.