DragonForce, a sophisticated ransomware operation that emerged in fall 2023, has established itself as a formidable threat within the cybercriminal landscape, claiming over 120 victims over the past year.
Unlike traditional ransomware-as-a-service models, this threat actor has evolved into what security researchers term a "ransomware cartel," fundamentally altering how cybercriminal operations are structured and executed.
The group has demonstrated remarkable adaptability, initially operating with ransomware that shared characteristics with LockBit 3.0 before transitioning to a Conti variant during summer 2024.
DragonForce has strategically targeted organizations across various sectors including manufacturing, construction, technology, healthcare, and retail, with victims spanning the United States, Italy, and Australia.
Their ransom demands reflect sophisticated victim research, ranging from hundreds of thousands to millions of dollars, with one documented case demanding $7 million from a compromised organization.
Bitdefender researchers identified DragonForce's distinctive operational model, which distinguishes it from conventional ransomware groups through its cartel-like structure and infrastructure provision services.
The group offers affiliates an unprecedented 80% profit share while providing comprehensive operational support including blog management, file servers, admin panels, 24/7 monitoring, and petabytes of storage capacity.
This approach allows DragonForce to maintain control over allied groups' resources while eliminating potential rivals.
The threat actor has demonstrated concerning geopolitical connections, utilizing Russian-linked infrastructure and facing accusations from RansomHub members of associating with the FSB.
Their operational sophistication extends to their data leak site, which features victim listings, stolen data previews, and countdown timers for publication deadlines.
DragonForce banner (Source – Bitdefender)
Recent activities suggest DragonForce may be consolidating power within the ransomware ecosystem, potentially compromising rival groups including LockBit.
Advanced Evasion and Encryption Capabilities
DragonForce employs sophisticated technical mechanisms that enable persistent access and comprehensive system compromise.
The group exploits multiple critical vulnerabilities including CVE-2024-21412, CVE-2024-21887, and CVE-2024-21893 to establish initial footholds in target networks.
Their persistence strategy relies heavily on Living Off the Land techniques, leveraging legitimate executables such as Schtasks.exe and Taskkill.exe to maintain access while avoiding detection.
The ransomware's encryption capabilities span multiple platforms, with specialized variants for Windows, Linux, ESXi, BSD, and NAS systems.
Their encryptors support various encryption modes including band-pass, percentage, header, and normal encryption, with multithreading for improved performance.
Upon successful execution, the malware appends the .dragonforce_encrypted extension to compromised files.
The group has incorporated lessons from earlier ransomware operations, particularly regarding GPU cluster decryption techniques, to strengthen their encryption algorithms and file recovery prevention mechanisms across different operating systems.
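As an added defender-side illustration (not code from the article or from Bitdefender), the following Python script runs simple detection rules over constructed process and file-rename telemetry: scheduled-task creation via schtasks.exe pointing outside the Windows directory, bursts of forced taskkill.exe invocations, and renames to the .dragonforce_encrypted extension named above. The log format, the sample lines, the path heuristic and the burst threshold are all assumptions made for this example.

```python
# Toy detector for the DragonForce tradecraft described above (LOLBin persistence
# via schtasks.exe / taskkill.exe, plus the .dragonforce_encrypted extension).
# Log format and sample lines are constructed for this example, not real telemetry.
import re
from collections import Counter

# Constructed sample telemetry: "<event>|<host>|<process>|<detail>" per line.
SAMPLE_LOG = """\
procstart|ws01|C:\\Windows\\System32\\schtasks.exe|schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\Public\\run.exe
procstart|ws01|C:\\Windows\\System32\\taskkill.exe|taskkill.exe /f /im sqlservr.exe
procstart|ws01|C:\\Windows\\System32\\taskkill.exe|taskkill.exe /f /im vmwp.exe
filerename|ws01|C:\\Users\\Public\\run.exe|C:\\Share\\q1.xlsx -> C:\\Share\\q1.xlsx.dragonforce_encrypted
filerename|ws01|C:\\Users\\Public\\run.exe|C:\\Share\\q2.xlsx -> C:\\Share\\q2.xlsx.dragonforce_encrypted
procstart|ws02|C:\\Windows\\System32\\schtasks.exe|schtasks.exe /query
filerename|ws02|C:\\Windows\\explorer.exe|C:\\Users\\bob\\a.txt -> C:\\Users\\bob\\b.txt
"""

ENCRYPTED_EXT = ".dragonforce_encrypted"  # extension named in the article
# Assumed indicator: a task whose /tr target lives outside C:\Windows.
TASK_CREATE = re.compile(r"schtasks\.exe\s+/create\b.*?/tr\s+(?P<target>\S+)", re.I)
TASKKILL_BULK_THRESHOLD = 2  # forced kills per host before alerting (assumption)

def parse_line(line):
    event, host, process, detail = line.rstrip("\n").split("|", 3)
    return {"event": event, "host": host, "process": process, "detail": detail}

def analyse(log_text):
    """Return a list of (host, rule, evidence) alerts for the given log text."""
    alerts = []
    kills = Counter()  # forced taskkill count per host
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        host, detail = rec["host"], rec["detail"]
        if rec["event"] == "procstart":
            m = TASK_CREATE.search(detail)
            if m and not m.group("target").lower().startswith("c:\\windows\\"):
                alerts.append((host, "lolbin-schtasks-persistence", m.group("target")))
            if re.search(r"taskkill\.exe\s+/f\b", detail, re.I):
                kills[host] += 1
                if kills[host] == TASKKILL_BULK_THRESHOLD:
                    alerts.append((host, "lolbin-taskkill-burst", detail))
        elif rec["event"] == "filerename" and detail.lower().endswith(ENCRYPTED_EXT):
            alerts.append((host, "dragonforce-extension", rec["process"]))
    return alerts

if __name__ == "__main__":
    for host, rule, evidence in analyse(SAMPLE_LOG):
        print(f"{host}: {rule} ({evidence})")
```

On the constructed log this yields four alerts, all on ws01; the benign `schtasks /query` and the ordinary rename on ws02 produce none.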