DragonForce Ransomware: A Growing Threat to Global Business

DragonForce: A Shadow Looming Over Business

A new report from Group-IB finds that, from 2024 onward, the impact of ransomware attacks is only set to grow. The growing complexity of these attacks is driven by the rise of the Ransomware-as-a-Service (RaaS) market, the spread of stolen data on dedicated leak sites, and an increase in affiliate programs.

The most notable trend in the ransomware landscape is the emergence of the DragonForce group, first discovered in August 2023. Initially, the hackers used leaked LockBit 3.0 code, but by July 2024, they had developed their own malware variant based on this leak. The group’s arsenal also includes a modified version of Conti with enhanced features.

DragonForce stands out for its RaaS model, which allows partners to use ready-made software for attacks and keep 80% of the ransom. Their tactics rely on double extortion: after encrypting data, they threaten to publish the stolen information if the victim doesn’t pay up.

DragonForce’s Methods and Tools

Since June 2024, DragonForce has run an affiliate program on the underground RAMP forum, offering tools for attack management and automation, as well as the ability to generate custom builds of the ransomware.

The group actively uses the BYOVD (Bring Your Own Vulnerable Driver) technique to bypass security measures, loading a legitimately signed but vulnerable driver to terminate security processes and evade detection. After encrypting data, the cybercriminals also clear the Windows event logs, making post-incident analysis more difficult.
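As an added defender-side example (not from the Group-IB report or this article), the Python below flags the post-encryption log clearing described above in a constructed sample of Windows event records. Event IDs 1102 and 104 and the wevtutil / Clear-EventLog command lines are standard Windows indicators; the simplified record layout is an assumption.

```python
import re

# Constructed sample events (not from the page) in a simplified
# Windows event record form: channel, event ID, and selected fields.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624, "data": {"TargetUserName": "svc_backup"}},
    {"channel": "Security", "event_id": 4688,
     "data": {"NewProcessName": r"C:\Windows\System32\wevtutil.exe",
              "CommandLine": "wevtutil.exe cl Security"}},
    {"channel": "Security", "event_id": 1102, "data": {"SubjectUserName": "Administrator"}},
    {"channel": "System", "event_id": 104, "data": {"Channel": "System"}},
    {"channel": "Security", "event_id": 4688,
     "data": {"NewProcessName": r"C:\Windows\System32\notepad.exe",
              "CommandLine": "notepad.exe report.txt"}},
]

# Well-known log-clearing event IDs (Windows auditing facts, not from the page):
# 1102 = "The audit log was cleared" (Security); 104 = an event log was cleared (System).
LOG_CLEARED_IDS = {1102, 104}

# Process-creation (4688) command lines that clear logs: wevtutil cl / clear-log,
# or the PowerShell Clear-EventLog cmdlet.
CLEAR_CMD_RE = re.compile(
    r"(wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog\b)", re.IGNORECASE)


def detect_log_clearing(events):
    """Return a list of (reason, event) tuples for events indicating log clearing.

    The cleared-log events themselves may be the last thing left in a wiped log,
    so the process-creation command line is checked as an independent signal.
    """
    alerts = []
    for ev in events:
        if ev["event_id"] in LOG_CLEARED_IDS:
            alerts.append(("event log cleared", ev))
        elif ev["event_id"] == 4688:
            cmd = ev["data"].get("CommandLine", "")
            if CLEAR_CMD_RE.search(cmd):
                alerts.append(("log-clearing command executed", ev))
    return alerts


if __name__ == "__main__":
    for reason, ev in detect_log_clearing(SAMPLE_EVENTS):
        print(f"{reason}: channel={ev['channel']} id={ev['event_id']} {ev['data']}")
```

Forwarding these events to a central collector before any clearing occurs is what makes this detection useful; once the local log is wiped, only the forwarded copy remains.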

Scope and Geography of Attacks

Between August 2023 and August 2024, DragonForce attacked 82 companies across various sectors, with manufacturing, real estate, and transportation being the most affected. Most attacks targeted the United States (52.4%), the United Kingdom (12.2%), and Australia (6%). Notable past incidents include breaches of the Ohio state lottery systems and the government of Palau.

Additional Tools in Use

In addition to LockBit 3.0 and Conti, DragonForce employs other tools such as the SystemBC backdoor for persistence, Mimikatz and Cobalt Strike for credential harvesting, with Cobalt Strike also used for lateral movement within networks.

Expert Assessment

Experts describe DragonForce as a “serious adversary” due to its focus on key industries and use of advanced tools and tactics. Currently, Group-IB does not link DragonForce’s attacks to any specific country or group, though previous research has suggested a possible origin in Malaysia.
