DragonForce Ransomware has rapidly emerged as a significant threat in the cybercrime landscape. Operating as a Ransomware-as-a-Service (RaaS), DragonForce leverages a double extortion strategy, encrypting victims' data and threatening to leak stolen information on the dark web. This article provides a comprehensive overview of DragonForce, examining its origins, tactics, techniques, and procedures (TTPs), target profile, notable attack campaigns, and defense strategies. While exhibiting some unusual behaviors, DragonForce remains a serious threat to organizations worldwide.
DragonForce ransomware first appeared in August 2023. Early versions were based on the leaked LockBit 3.0 builder. This reliance on pre-existing, well-known ransomware families suggests a lower barrier to entry for the group and faster deployment capabilities. By June 26, 2024, DragonForce launched its own RaaS affiliate program, providing its members with customizable tools and an 80% share of ransom payments. More recently, the group transitioned to using a modified version of ContiV3 ransomware.
The identity of the individuals behind DragonForce remains unconfirmed. Some cybersecurity researchers have speculated about a possible connection to the Malaysian hacking group and forum "DragonForce Malaysia." However, this link is unconfirmed and could be intentional misdirection or coincidence. DragonForce Malaysia denied the association on their Telegram channel, stating that their goals are entirely different: they oppose oppression and do not engage in extortion for personal gain. The double ransom note incident in Palau (detailed below) might also suggest limited technical expertise within the group in its early stages.
DragonForce employs a multi-faceted approach to its attacks, combining well-established ransomware techniques with sophisticated methods to maximize impact:
Double Extortion: This is DragonForce's core tactic. They encrypt victims' data, rendering it inaccessible, and simultaneously exfiltrate sensitive information. They then threaten to publish the stolen data on their dedicated leak site (DLS), "DragonLeaks," if the ransom is not paid.
Ransomware-as-a-Service (RaaS): DragonForce provides its affiliates with a control panel. This panel allows them to customize ransomware samples, adjust encryption settings, disable security features, and personalize ransom notes. This level of customization makes attacks more adaptable and potentially harder to detect with generic signatures.
Initial Access: Common infection vectors include phishing emails with malicious attachments or links, and exploitation of vulnerabilities in Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) solutions. Observed attacks have also involved compromising public-facing web servers using valid domain credentials. Watering hole attacks are another common initial access technique (https://thesecmaster.com/what-is-watering-hole-attack-how-to-prevent-watering-hole-attack).
Persistence: DragonForce uses various techniques to maintain a foothold in compromised networks, including:
* Modifying the Run registry.
* Creating Windows services and scheduled tasks.
* Using the SystemBC backdoor.
Registry-based persistence works by modifying the normal structure of the Windows registry; see https://thesecmaster.com/windows-registry-structure-understanding-keys-values-and-hives-in-windows-registry for background on the keys, values and hives such modifications target.
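The three persistence mechanisms listed above (Run key writes, new services, new scheduled tasks) all leave Windows event telemetry behind. The following detection logic is an added example written for this article; it is not DragonForce code and not a vendor rule set. It runs over constructed event records shaped loosely like Sysmon Event ID 13 (registry value set), System Event ID 7045 (service installed) and Security Event ID 4698 (scheduled task created), and ranks hits higher when the referenced binary lives in a user-writable location (the path allowlist is an assumption, not a vendor default).

```python
"""Flag persistence mechanisms (Run key writes, new services, new scheduled
tasks) in Windows/Sysmon-style event records.

Added example; event records are constructed inline and field names follow
the Sysmon 13 / System 7045 / Security 4698 schemas only loosely."""
import re

RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)(\\|$)", re.IGNORECASE)
# Binaries launched from user-writable locations are more suspicious than those
# under Program Files or System32 (assumption: a simple path heuristic).
USER_WRITABLE_RE = re.compile(
    r"(\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\|\\Public\\)", re.IGNORECASE)

def check_registry_run(ev):
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    sev = "high" if USER_WRITABLE_RE.search(ev.get("Details", "")) else "medium"
    return (sev, f"Run key modified by {ev.get('Image')}: {ev.get('Details')}")

def check_service_install(ev):
    if ev.get("EventID") != 7045:
        return None
    path = ev.get("ImagePath", "")
    sev = "high" if USER_WRITABLE_RE.search(path) else "low"
    return (sev, f"New service '{ev.get('ServiceName')}' -> {path}")

def check_scheduled_task(ev):
    if ev.get("EventID") != 4698:
        return None
    content = ev.get("TaskContent", "")
    sev = "high" if USER_WRITABLE_RE.search(content) else "low"
    return (sev, f"Scheduled task '{ev.get('TaskName')}' created by {ev.get('SubjectUserName')}")

RULES = (check_registry_run, check_service_install, check_scheduled_task)

def scan(events):
    """Return a list of (severity, message) findings, highest severity first."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])

SAMPLE_EVENTS = [  # constructed sample telemetry, not real IoCs
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\jdoe\AppData\Roaming\svchost.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 7045, "ServiceName": "WinUpdateSvc",
     "ImagePath": r"C:\ProgramData\wupd.exe"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Maint", "SubjectUserName": "jdoe",
     "TaskContent": r"<Command>C:\Users\jdoe\AppData\Local\Temp\m.exe</Command>"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},  # unrelated process start
]

if __name__ == "__main__":
    for sev, msg in scan(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
```

The severity split matters in practice: legitimate installers write Run keys and register services all day, so a rule that fires on every such event will be tuned out; tying severity to where the binary lives keeps the signal for the cases that look like a dropped payload.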
Credential Theft: The group employs tools like Mimikatz to extract credentials from LSASS memory, enabling lateral movement and privilege escalation.
Lateral Movement: Once inside a network, they have used RDP sessions and Cobalt Strike to target other accessible systems.
Reconnaissance: DragonForce utilizes tools like AdFind and "netscanold.exe" for network scanning to identify valuable targets and map the network environment. Threat actors also abuse Google Ads for reconnaissance (https://thesecmaster.com/what-are-google-ads-how-threat-actors-abuse-google-ads-tips-to-spot-fake-google-ads-and-how-you-should-protect-yourselves-from-fake-google-ads).
Defense Evasion: To avoid detection and hinder analysis, DragonForce employs several techniques:
* "Bring Your Own Vulnerable Driver" (BYOVD) to disable security tools.
* Deleting Windows Event Logs to remove traces of their activity.
* Anti-analysis techniques inherited from Conti (ADVobfuscator, hashed API resolution), used to evade detection and hinder analysis (see https://thesecmaster.com/exploring-viristotal-online-malware-scanning-tool-for-security-analysts-soc-analyst on online malware scanning tools).
System Recovery Prevention: DragonForce deletes shadow copies using COM objects and WMIC commands, making data recovery more difficult.
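The credential theft, log deletion and shadow copy deletion steps described in the sections above are among the most reliable detection points in a ransomware intrusion, because they happen late and have few benign equivalents. The following triage logic is an added example for this article, not DragonForce code or a vendor rule. It classifies constructed records resembling Sysmon Event ID 1 (process create), Sysmon Event ID 10 (process access) and Security Event ID 1102 (audit log cleared); the trusted-reader allowlist for LSASS is an assumption to be replaced with an organisation's own baseline.

```python
"""Detect defense-evasion and recovery-prevention steps from endpoint telemetry:
shadow copy deletion via vssadmin/wmic/WMI, event log clearing, and LSASS
memory access (credential theft).

Added example; records are constructed to resemble Sysmon 1, Sysmon 10 and
Security 1102 events."""
import re

SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
    # WMI/CIM equivalent issued from PowerShell
    re.compile(r"win32_shadowcopy.*\b(remove|delete)", re.IGNORECASE),
]
LOG_CLEAR_RE = re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b", re.IGNORECASE)
# Sysmon GrantedAccess mask: PROCESS_VM_READ (0x0010) on lsass.exe is the classic
# credential-dump signal; known system callers are allowlisted (assumed baseline).
VM_READ = 0x0010
TRUSTED_LSASS_READERS = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

def classify(ev):
    """Return a (severity, tag, message) tuple for one event, or None."""
    eid = ev.get("EventID")
    if eid == 1:
        cmd = ev.get("CommandLine", "")
        if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            return ("critical", "shadow_copy_delete", cmd)
        if LOG_CLEAR_RE.search(cmd):
            return ("high", "event_log_clear", cmd)
    elif eid == 1102:
        return ("high", "event_log_clear", f"Security log cleared by {ev.get('SubjectUserName')}")
    elif eid == 10 and ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        src = ev.get("SourceImage", "").lower()
        access = int(ev.get("GrantedAccess", "0x0"), 16)
        if access & VM_READ and src not in TRUSTED_LSASS_READERS:
            return ("critical", "lsass_access", f"{src} read lsass memory (0x{access:x})")
    return None

def triage(events):
    """Group findings by tag so an analyst sees the intrusion stage, not raw noise."""
    out = {}
    for ev in events:
        hit = classify(ev)
        if hit:
            out.setdefault(hit[1], []).append((hit[0], hit[2]))
    return out

SAMPLE_EVENTS = [  # constructed sample telemetry, not real IoCs
    {"EventID": 1, "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "CommandLine": "wmic shadowcopy delete"},
    {"EventID": 1, "CommandLine": 'powershell -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"'},
    {"EventID": 1, "CommandLine": "vssadmin list shadows"},  # benign admin query
    {"EventID": 1, "CommandLine": "wevtutil cl Security"},
    {"EventID": 1102, "SubjectUserName": "Administrator"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
]

if __name__ == "__main__":
    for tag, hits in triage(SAMPLE_EVENTS).items():
        print(tag)
        for sev, msg in hits:
            print(f"  [{sev}] {msg}")
```

Because the group deletes event logs, the Security 1102 record is often the last thing a host forwards before it goes quiet; shipping logs to a central collector in near real time is what keeps this detection useful after the local copy is gone.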
Unusual Behavior: DragonForce has been known to publish audio recordings of its communications with victims on its leak site. This behavior, which includes phone conversations with front desk employees to pressure companies, suggests a level of desperation or an attempt to gain notoriety.
Code Base: Relies on leaked code from LockBit 3.0 and ContiV3. This code leverages advanced encryption techniques (https://thesecmaster.com/what-is-symmetric-and-asymmetric-encryption).
DragonForce's targeting strategy appears broad, with no specific limitations on targeted sectors or countries. However, some patterns have emerged:
Industries: Manufacturing, real estate, and transportation have been frequently targeted. Other affected sectors include healthcare, commerce & shopping, business services, education, financial services, government, technology and many others.
Geographic Focus: The United States is the most targeted country, followed by the United Kingdom and Australia. However, victims have been reported in numerous countries, highlighting a global reach.
Victim Profile: DragonForce doesn't appear to discriminate based on organization size, although high-revenue entities and those in critical sectors are likely to be attractive targets due to the potential for larger ransom payments and greater disruption. Organizations should understand the importance of the personal information they hold (https://thesecmaster.com/what-is-personal-information-and-how-to-protect-personal-information).
Several notable attack campaigns have been attributed to DragonForce:
Ohio Lottery (December 2023): This was DragonForce's earliest known attack. The group claimed to have stolen over 600 GB of data, including 3 million records containing sensitive information (names, email addresses, SSNs, etc.).
Yakult Australia: DragonForce claimed a breach of 95.19 GB of company data.
Coca-Cola (Singapore): Claimed breach of 413.92 GB of data.
Palau Government: This incident involved ransom notes from both LockBit and DragonForce, with conflicting instructions and non-functional Tor links. DragonForce threatened to release data after negotiations supposedly broke down, but Palauan authorities denied any contact. This incident is particularly unusual and highlights the potential for confusion or misattribution when dealing with leaked ransomware builders. The Tor network (https://thesecmaster.com/detailed-anatomy-of-the-tor-network-structure-of-the-tor-network) is widely used by threat actors for this kind of infrastructure.
Aussizz Group: DragonForce claimed to have exfiltrated and encrypted nearly 300GB of sensitive data from this educational and migration consultancy.
As of August 2024, Group-IB had observed 82 DragonForce victims over the preceding year. The MOVEit breach (https://thesecmaster.com/moveit-breach-exposes-20-million-employee-data) is another example of large-scale data exposure.
Combating DragonForce ransomware, and ransomware threats in general, requires a multi-layered security approach:
Robust Backup and Recovery: Implement a comprehensive backup strategy, including regular, offline backups. This is crucial for data recovery in the event of a successful encryption attack. Test the restoration process regularly.
Patch Management: Maintain up-to-date software and operating systems. Patch vulnerabilities promptly, especially those in RDP, VPN, and other externally facing services. A patch management strategy (https://thesecmaster.com/patch-management-strategy-balancing-security-productivity-and-downtime) is important for keeping systems up to date.
Network Segmentation: Divide the network into smaller, isolated segments. This limits the lateral movement of attackers and contains the impact of a breach.
Strong Authentication: Enforce strong, unique passwords and multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges.
Email Security: Implement robust email filtering and security gateways to detect and block phishing emails. Train employees to recognize and report suspicious emails. Email authentication (https://thesecmaster.com/what-is-email-authentication-why-email-authentication-is-important-how-does-email-authentication-work) can help block phishing attempts.
Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor endpoints for malicious activity and provide rapid response capabilities.
Security Awareness Training: Regularly educate employees about cybersecurity threats, including phishing, social engineering, and safe browsing habits.
Intrusion Detection and Prevention Systems (IDPS): Deploy and maintain IDPS to monitor network traffic for malicious activity and block known threats.
Threat Intelligence: Leverage threat intelligence feeds to stay informed about the latest ransomware threats, TTPs, and indicators of compromise (IOCs; https://thesecmaster.com/understanding-indicator-of-compromise-ioc).
Incident Response Plan: Develop and regularly test an incident response plan (https://thesecmaster.com/what-is-cyber-incident-response-plan-what-should-a-cirp-have) to ensure a coordinated and effective response to a ransomware attack.
Data Encryption: Protect sensitive data wherever possible.
Reduce Attack Surface: Disable unnecessary services and features. Security misconfiguration is one of the leading causes of security breaches (https://thesecmaster.com/security-misconfiguration-the-5-web-application-security-risk).
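The backup item above says to test the restoration process regularly; a restore drill is only meaningful if it also proves the restored data is complete and untampered, since ransomware operators routinely encrypt or delete reachable backups. The script below is an added example for this article, not a tool the article references. It records a SHA-256 manifest when the backup is taken and, after a test restore, reports files that are missing, modified or unexpected. All sample files and paths are constructed inside a temporary directory so the script runs offline.

```python
"""Verify that a restored backup is complete and untampered.

Added example: a manifest of SHA-256 digests is written next to the backup,
then a test restore is compared against it. All data is constructed in a
temporary directory."""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST_NAME = "manifest.sha256.json"

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each relative file path under root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == MANIFEST_NAME:
                continue
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def take_backup(source, backup_dir):
    """Copy source into backup_dir and record a manifest alongside it."""
    shutil.copytree(source, backup_dir, dirs_exist_ok=True)
    manifest = build_manifest(backup_dir)
    with open(os.path.join(backup_dir, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest

def verify_restore(restore_dir, manifest):
    """Return a dict of problems: files missing, modified, or unexpected."""
    actual = build_manifest(restore_dir)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }

def demo():
    """Run backup -> restore -> verify, then verify again after simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "data")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "accounts.sql"), "w") as f:
            f.write("CREATE TABLE accounts(id INT);\n")  # constructed sample data
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("quarterly report\n")
        backup = os.path.join(tmp, "backup")
        manifest = take_backup(src, backup)
        # Test restore into a fresh location, exactly as a restore drill would.
        restore = os.path.join(tmp, "restore")
        shutil.copytree(backup, restore)
        os.remove(os.path.join(restore, MANIFEST_NAME))
        clean = verify_restore(restore, manifest)
        # Simulate one file overwritten with ciphertext and one file lost.
        with open(os.path.join(restore, "notes.txt"), "w") as f:
            f.write("ENCRYPTED\n")
        os.remove(os.path.join(restore, "db", "accounts.sql"))
        tampered = verify_restore(restore, manifest)
        return clean, tampered

if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore:", clean)
    print("tampered restore:", tampered)
```

Keep a copy of the manifest somewhere the backup system cannot write to (an offline or write-once location); if the only manifest lives beside the backup, an attacker who can encrypt the backup can regenerate the manifest too.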
DragonForce ransomware represents a growing threat to organizations across various sectors. While exhibiting some unusual tactics, such as publishing audio recordings of negotiations, the group's core strategy of double extortion and its reliance on leaked, but effective, ransomware code make it a formidable adversary. The RaaS model further amplifies the threat by enabling less-skilled actors to participate in attacks. Organizations must adopt a proactive, multi-layered security approach that includes robust backups, vulnerability management, strong authentication, employee training, and incident response planning to mitigate the risk posed by DragonForce and similar ransomware threats. Continuous vigilance and adaptation to the evolving threat landscape are essential for effective defense. One of the key defense mechanisms is knowing how to identify vulnerabilities (https://thesecmaster.com/blog/key-strategies-to-identify-vulnerabilities).
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.