DragonForce: DragonForce Ransomware Attacking Critical Business to Exfiltrate Sensitive Information

DragonForce Ransomware Emerges as a Global Threat with Dual-Extortion Tactics

DragonForce, a ransomware operation first observed in late 2023, has quickly become a significant threat, hitting organizations across multiple industries with capable encryptors and data theft. It runs as a ransomware-as-a-service (RaaS) operation, supplying affiliates with the tooling to carry out high-impact attacks.

DragonForce uses double extortion: it encrypts critical business data and exfiltrates sensitive information in the same intrusion, then threatens to publish the stolen data on a dark web leak site if the ransom is not paid. Because the leak threat survives a clean restore, backups alone do not remove the attacker's leverage. Stolen data is hosted on a centralized data leak site (DLS), a change from the group's earlier practice of standing up a dedicated page per victim.

Targeted Sectors and Regions

The ransomware has primarily struck manufacturing, business services, technology, and construction sectors, with the highest concentration of attacks in the United States, United Kingdom, Germany, Australia, and Italy.

Technical Sophistication and Multi-Platform Capability

DragonForce stands out for its cross-platform reach, with builds that target Windows, Linux, VMware ESXi, BSD, and NAS systems. Reported features include:

  • Multiple encryption modes (full, header, partial) with configurable file targeting.
  • A delayed start, so encryption can begin after the initial intrusion activity has gone quiet.
  • Multithreaded encryption for speed, with detailed logging of what was processed.
  • A "dry run" mode for rehearsing an attack against a target before the real execution.
  • Network reconnaissance by scanning for open SMB (TCP/445) ports to find reachable hosts to spread to.
  • Mutex identifiers derived from the leaked Conti ransomware source code.
  • Deletion of Volume Shadow Copies via WMIC commands to hinder file recovery.
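
Two of the behaviours listed above, shadow copy deletion via WMIC and SMB port sweeping, leave footprints in ordinary endpoint telemetry. The Python sketch below is an added example, not code from the article or from Rankiteo: the process-creation and network-connection events are constructed, their field names only loosely follow Sysmon Event ID 1 and Event ID 3, and the `vssadmin` rule is a generalization beyond the WMIC case the article names, added because the same objective is commonly reached that way (including through `wmic process call create`).

```python
"""Detection sketch for two DragonForce behaviours: shadow copy deletion via
WMIC and SMB port scanning.  Constructed example; the events are invented and
the field names only loosely follow Sysmon Event ID 1 (process creation) and
Event ID 3 (network connection)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events.  The last two are benign WMIC/VSS usage
# that a naive "contains wmic" rule would flag; only the first two should alert.
PROC_EVENTS = [
    {"ts": "2023-12-04T02:11:08", "host": "fs01", "user": "CORP\\svc_backup",
     "cmd": "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy delete /nointeractive"},
    {"ts": "2023-12-04T02:11:09", "host": "fs01", "user": "CORP\\svc_backup",
     "cmd": 'wmic process call create "cmd.exe /c vssadmin delete shadows /all /quiet"'},
    {"ts": "2023-12-04T02:12:30", "host": "wks17", "user": "CORP\\alice",
     "cmd": "wmic os get caption,version"},
    {"ts": "2023-12-04T02:13:02", "host": "wks17", "user": "CORP\\alice",
     "cmd": "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy list brief"},
]

# Patterns tolerate full paths, .exe suffixes and extra switches.  The vssadmin
# rule is an assumed generalization beyond the WMIC case the article names.
SHADOW_DELETE_PATTERNS = {
    "wmic_shadowcopy_delete":
        re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
}


def detect_shadow_copy_deletion(events):
    """Return (timestamp, host, rule) for each process event that deletes VSS snapshots."""
    hits = []
    for ev in events:
        for rule, pattern in SHADOW_DELETE_PATTERNS.items():
            if pattern.search(ev["cmd"]):
                hits.append((ev["ts"], ev["host"], rule))
                break  # one alert per event is enough
    return hits


# Constructed network-connection events: wks17 sweeps 40 hosts on TCP/445 in
# 40 seconds; fs01 makes two ordinary SMB connections 15 minutes apart.
NET_EVENTS = [
    {"ts": f"2023-12-04T02:05:{i:02d}", "src": "wks17", "dst": f"10.0.0.{i}", "dport": 445}
    for i in range(1, 41)
] + [
    {"ts": "2023-12-04T02:05:03", "src": "fs01", "dst": "10.0.0.5", "dport": 445},
    {"ts": "2023-12-04T02:20:00", "src": "fs01", "dst": "10.0.0.9", "dport": 445},
]


def detect_smb_sweeps(events, threshold=20, window=timedelta(seconds=60)):
    """Flag sources that reach >= threshold distinct hosts on TCP/445 inside one window.

    Returns (source, distinct_destinations) at the moment the threshold is first crossed.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["dport"] == 445:
            by_src[ev["src"]].append((datetime.fromisoformat(ev["ts"]), ev["dst"]))

    alerts = []
    for src, conns in by_src.items():
        conns.sort()
        start = 0
        for end in range(len(conns)):
            # Slide the window start forward until the span fits within `window`.
            while conns[end][0] - conns[start][0] > window:
                start += 1
            distinct = {dst for _, dst in conns[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append((src, len(distinct)))
                break
    return alerts


if __name__ == "__main__":
    for hit in detect_shadow_copy_deletion(PROC_EVENTS):
        print("shadow-copy deletion:", *hit)
    for src, n in detect_smb_sweeps(NET_EVENTS):
        print(f"SMB sweep: {src} touched {n} hosts on 445 inside one window")
```

Two caveats for anyone adapting this. The sweep threshold will also trip on vulnerability scanners, SCCM distribution points and backup servers, so allowlist those sources rather than raising the threshold until the rule goes quiet. And a shadow copy deletion alert is a signal that encryption is imminent or already under way; the practical defence is backups the compromised host cannot reach, since VSS snapshots on the same machine are exactly what this step destroys.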

For affiliates, the operators also provide unlimited storage, professional analysis of stolen files, and decryption support, along with a configuration interface for tailoring each build to its target.

Adaptive Tactics and Infrastructure

DragonForce continuously refines its tooling; the move from per-victim leak sites to a single centralized domain for hosting stolen data is one visible example. Its Atom product line further extends its capabilities, reinforcing its standing as a persistent and evolving threat.

Security researchers single out the group's reuse of code from earlier malware families (the Conti-derived mutex scheme noted above) and its aggressive anti-recovery measures, which together make it a formidable adversary for the organizations it targets.

Source: https://cybersecuritynews.com/dragonforce-ransomware-attacking-critical-business/

Drakontas LLC cybersecurity rating report: https://www.rankiteo.com/company/drakontas-llc

"id": "DRA1770280407",
"linkid": "drakontas-llc",
"type": "Ransomware",
"date": "12/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['Manufacturing',
                                     'Business Services',
                                     'Technology',
                                     'Construction'],
                        'location': ['United States',
                                     'United Kingdom',
                                     'Germany',
                                     'Australia',
                                     'Italy']}],
 'attack_vector': 'Ransomware-as-a-Service (RaaS)',
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Sensitive business data',
                                              'Personally identifiable '
                                              'information']},
 'date_detected': 'late 2023',
 'description': 'A new ransomware operation, DragonForce, has rapidly become a '
                'major cybersecurity threat since its debut in late 2023, '
                'targeting organizations across multiple industries with '
                'advanced encryption and data theft techniques. The group '
                'employs a dual-extortion strategy, encrypting critical '
                'business data while exfiltrating sensitive information, and '
                'maintains a centralized data leak site (DLS) to host stolen '
                'data.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'data leaks',
            'data_compromised': 'Sensitive business data, personally '
                                'identifiable information',
            'identity_theft_risk': 'High (due to exfiltrated sensitive data)',
            'operational_impact': 'Critical business data encryption, '
                                  'potential data leaks',
            'systems_affected': ['Windows', 'Linux', 'ESXi', 'BSD', 'NAS']},
 'motivation': 'Financial gain, data extortion',
 'post_incident_analysis': {'root_causes': 'Advanced ransomware toolkit, '
                                           'dual-extortion tactics, '
                                           'cross-platform functionality, code '
                                           'reuse from previous malware '
                                           'families'},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'DragonForce'},
 'references': [{'source': 'Cyber Incident Description'}],
 'threat_actor': 'DragonForce',
 'title': 'DragonForce Ransomware Emerges as a Global Threat with '
          'Dual-Extortion Tactics',
 'type': 'Ransomware'}