DragonForce is the most recent ransomware model to maneuver from noisy discussion board posts to full RaaS operations, focusing on each Home windows and VMware ESXi environments.
First seen in December 2023 on BreachForums, the group advertises stolen knowledge and makes use of a darkish net weblog to stress victims. The early leak put up revealed the brand new cartel-style operation.
The group constructed its payload from leaked LockBit 3.0 and Conti code, however tuned it for versatile, high-speed encryption throughout native disks and community shares.
Operators normally achieve entry by way of uncovered distant desktop servers, then use instruments like Cobalt Strike and SystemBC to maneuver laterally earlier than launching the ransomware. Impression ranges from encrypted file servers and digital machines to stolen knowledge ready for public launch.
Publish uploaded to BreachForums (Supply – Medium)
S2W analysts recognized a customized DragonForce construct that hides practically all strings with a home-grown deobfuscation routine and depends on ChaCha8 plus RSA-4096 for file encryption.
Their analysis exhibits that command-line flags let associates select native, network-only, or blended modes, and even tune partial encryption ratios to hurry up assaults. Whereas its DLS exhibits the inner workflow from configuration decryption to course of killing and file scrambling.
DragonForce’s DLS as of December 2023 (Supply – Medium)
Throughout wider menace searching, S2W researchers obtained a working decryptor for each Home windows and ESXi programs, giving some victims a path to restoration with out paying ransom.
The Home windows device seems to be for recordsdata with the .RNP extension, whereas the ESXi model checks for .RNP_esxi recordsdata that additionally finish with a selected eight-byte magic worth known as build_key. Moreover this it maps the total decryption chain from RSA key loading to metadata parsing and file restoration.
DragonForce — we invite you to affix our household (Supply – Medium)
This entire technical breakdown offers defenders perception into DragonForce instruments and restoration choices.
Encryption and Decryption Workflow
On execution, the ransomware first decrypts its inner configuration utilizing ChaCha8, then reads choices reminiscent of encryption mode and goal path.
Publish asserting the migration of the RansomHub infrastructure to DragonForce (Supply – Medium)
A typical command seen by S2W analysts is dragonforce.exe -m internet -p C: -j 8, which tells the malware to hit community targets beneath that path with a number of employee threads.
DragonForce Ransomware Execution Movement (Supply – Medium)
Because it scans native and distant paths, DragonForce skips core system areas, then encrypts chosen recordsdata. For giant digital disk photographs it encrypts solely chunks as a substitute of the entire file to save lots of time.
On the finish of every file it writes 534 bytes of metadata with an RSA-encrypted ChaCha8 key and nonce plus flags that retailer mode, ratio, and unique dimension.
Comply with us on Google Information, LinkedIn, and X to Get Extra Instantaneous Updates, Set CSN as a Most well-liked Supply in Google.
