
DragonForce Ransomware

Written by The Hivemind | Oct 4, 2024 5:05:42 PM

Related Families: LockBit 3.0, Conti
Verticals Targeted: Business Services, Construction, Retail, Telecommunications, Manufacturing, Mining, Government, Healthcare, Transportation, Energy, Software, Education 

Executive Summary

DragonForce is a ransomware as a service (RaaS) that has significantly evolved in the past year, making it a formidable threat.

Key Takeaways

  • DragonForce is a ransomware as a service (RaaS) that has significantly evolved in the past year, making it a formidable threat. 
  • The original DragonForce variant released in 2023 was based on LockBit 3.0.
  • The latest DragonForce variant, released in July 2024, is a fork of ContiV3.
  • Many of DragonForce’s targets are in critical sectors or are high revenue entities. 

What is DragonForce?

DragonForce is a ransomware as a service (RaaS) that has significantly evolved in the past year, making it a formidable threat. Group-IB recently reported on DragonForce. 

DragonForce ransomware was first observed in August 2023. The original DragonForce variant was based on LockBit 3.0. In June 2024, DragonForce launched a RaaS affiliate program, with affiliates receiving 80% of the paid ransom. In July 2024, a new DragonForce variant emerged. The latest variant is a fork of ContiV3. 

DragonForce has been observed targeting public-facing remote desktop servers and using valid credentials to obtain initial access. To evade detection, DragonForce uses multiple techniques, including BYOVD (bring your own vulnerable driver) and clearing Windows Event Logs to hide forensic artifacts. For lateral movement, DragonForce uses Cobalt Strike and SystemBC, which also let the operators harvest credentials and maintain persistence.
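Two of the evasion behaviours above (clearing Windows Event Logs and loading an unsigned or known-vulnerable driver) leave telemetry that a defender can triage directly. The following is an added example, not code from PolySwarm or from the Group-IB report; it assumes event records exported as dictionaries whose keys mirror Windows event fields (Channel, EventID, Provider, SubjectUserName, and Sysmon's ImageLoaded, Hashes and SignatureStatus), and the vulnerable-driver hash set is a placeholder to be filled from a maintained list.

```python
from typing import Iterable

# Real event IDs written by the Microsoft-Windows-Eventlog provider when a log is cleared.
LOG_CLEAR_EVENTS = {
    ("Security", 1102): "Security event log cleared",
    ("System", 104): "System event log cleared",
}

# Placeholder set: fill from a maintained vulnerable-driver list (e.g. LOLDrivers).
# The value below is constructed and deliberately matches no real driver.
KNOWN_VULNERABLE_DRIVER_SHA256 = {"placeholder-sha256-of-known-vulnerable-driver"}

def parse_sysmon_hashes(hashes: str) -> dict:
    """Split a Sysmon 'Hashes' field such as 'SHA256=ab..,MD5=cd..' into a dict."""
    out = {}
    for part in hashes.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out

def triage(events: Iterable[dict]) -> list:
    """Return one alert per event that matches log clearing or a suspicious driver load."""
    alerts = []
    for ev in events:
        key = (ev.get("Channel"), ev.get("EventID"))
        if key in LOG_CLEAR_EVENTS and ev.get("Provider") == "Microsoft-Windows-Eventlog":
            alerts.append({"rule": "log_cleared", "detail": LOG_CLEAR_EVENTS[key],
                           "host": ev.get("Computer"), "user": ev.get("SubjectUserName")})
        elif ev.get("Provider") == "Microsoft-Windows-Sysmon" and ev.get("EventID") == 6:
            # Sysmon Event ID 6 = DriverLoad; an invalid signature or a listed hash is worth a look.
            sha256 = parse_sysmon_hashes(ev.get("Hashes", "")).get("SHA256", "")
            if ev.get("SignatureStatus") != "Valid" or sha256 in KNOWN_VULNERABLE_DRIVER_SHA256:
                alerts.append({"rule": "suspicious_driver_load", "detail": ev.get("ImageLoaded"),
                               "host": ev.get("Computer"), "user": None})
    return alerts

# Constructed sample records (not real telemetry) in the shape of exported event fields.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "Provider": "Microsoft-Windows-Security-Auditing",
     "Computer": "ws01", "SubjectUserName": "svc_backup"},
    {"Channel": "Security", "EventID": 1102, "Provider": "Microsoft-Windows-Eventlog",
     "Computer": "ws01", "SubjectUserName": "svc_backup"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 6,
     "Provider": "Microsoft-Windows-Sysmon", "Computer": "ws01",
     "ImageLoaded": r"C:\Windows\Temp\drv.sys", "Hashes": "SHA256=" + "0" * 64,
     "SignatureStatus": "Unavailable"},
    {"Channel": "System", "EventID": 104, "Provider": "Microsoft-Windows-Eventlog",
     "Computer": "ws01", "SubjectUserName": "svc_backup"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

A benign 4624 logon is passed through untouched, while the 1102 and 104 clears and the unsigned driver load each produce an alert; in practice the clearing events should be correlated with the account and host seen in the preceding logons.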

DragonForce targets a variety of verticals, including business services, construction, retail, telecommunications, manufacturing, mining, government, healthcare, transportation, energy, software, and education. Most of their victims have been in the US, with others in Europe, Australia, New Zealand, and Canada. Many of DragonForce’s targets are in critical sectors or are high revenue entities. 

DragonForce is customizable, giving affiliates the opportunity to tailor attacks to their victims. This allows threat actors to disable security features, choose encryption parameters, and customize ransom notes. DragonForce uses a double extortion model, demanding a ransom to decrypt encrypted data and threatening to leak stolen data if the ransom is not paid. Earlier this year, DragonForce reportedly published audio recordings of conversations with victims, adding an additional layer of pressure for extortion. 

IOCs

PolySwarm has multiple samples of DragonForce.

  • df903c620508011ca8eb2aaaf9712a526b31a12c800b856cd524ebb3fde854b2
  • 55befb5de5d9bc45978efd1a960ae21ed81e4be9c6521aaeebf8d5884444e3c9
  • 572d88c419c6ae75aeb784ceab327d040cb589903d6285bbffa77338111af14b

You can use the following CLI command to search for all DragonForce samples in our portal:

$ polyswarm link list -f DragonForce

