DragonForce Ransomware Dissection


According to Group-IB's threat landscape report, the DragonForce ransomware group has emerged as a serious threat. It runs a Ransomware-as-a-Service (RaaS) affiliate program that employs variants of well-known ransomware families to wreak havoc on targeted industries.

The DragonForce ransomware group emerged in August 2023, deploying a variant based on LockBit 3.0. In July 2024, the group introduced a second variant, a fork of ContiV3 ransomware. These dual ransomware versions are used to exploit vulnerabilities in companies, particularly in sectors like manufacturing, real estate, and transportation.

DragonForce’s attack strategy revolves around double extortion, which adds immense pressure on victims to comply, as they fear the operational disruption and reputational damage that could arise from exposed sensitive information.

DragonForce’s ransomware offers attackers the ability to personalize ransomware payloads. Affiliates can disable security features, set encryption parameters, and even customize ransom notes. In return, affiliates receive 80% of any ransom collected.

DragonForce incorporates advanced techniques for evasion and persistence. One of its key tactics is Bring Your Own Vulnerable Driver (BYOVD), in which affiliates use vulnerable drivers to disable security processes and evade detection. DragonForce also clears Windows Event Logs after encryption to hinder forensic investigations.
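
A detection sketch for the two behaviours above, added here as an example and not taken from the Group-IB report: it flags log-cleared events (Security 1102, System 104) and raises severity when the same host registered a kernel driver from an unusual path (System 7045) shortly before. The record field names, the two-hour window and the path heuristic are assumptions, and the check assumes events are forwarded off-host before the local logs are cleared.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from a real incident): forwarded Windows
# events reduced to the fields this check reads. Field names are assumptions.
EVENTS = [
    {"host": "ws01", "time": "2024-07-10T02:11:05", "channel": "System", "id": 7045,
     "service_type": "kernel mode driver", "image_path": r"C:\Users\Public\example.sys"},
    {"host": "ws01", "time": "2024-07-10T02:40:12", "channel": "Security", "id": 1102},
    {"host": "ws01", "time": "2024-07-10T02:40:13", "channel": "System", "id": 104},
    {"host": "srv02", "time": "2024-07-10T09:00:00", "channel": "System", "id": 7045,
     "service_type": "kernel mode driver",
     "image_path": r"C:\Windows\System32\drivers\example.sys"},
    {"host": "srv02", "time": "2024-07-10T09:05:00", "channel": "Security", "id": 1102},
]

LOG_CLEARED = {("Security", 1102), ("System", 104)}  # log-cleared event IDs
DRIVER_DIR = "\\windows\\system32\\drivers\\"         # usual driver location
WINDOW = timedelta(hours=2)                           # assumed correlation window


def is_unusual_driver_install(ev):
    """Event 7045 registering a kernel driver from outside the driver directory."""
    return (ev["channel"] == "System" and ev["id"] == 7045
            and "kernel" in ev.get("service_type", "").lower()
            and DRIVER_DIR not in ev.get("image_path", "").lower())


def find_log_clearing(events, window=WINDOW):
    """Return one finding per log-cleared event, raised to 'high' when the same
    host registered an unusual kernel driver within `window` beforehand."""
    findings, last_driver = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if is_unusual_driver_install(ev):
            last_driver[ev["host"]] = (when, ev["image_path"])
        elif (ev["channel"], ev["id"]) in LOG_CLEARED:
            seen = last_driver.get(ev["host"])
            related = seen is not None and when - seen[0] <= window
            findings.append({"host": ev["host"], "time": ev["time"],
                             "channel": ev["channel"],
                             "severity": "high" if related else "medium",
                             "driver": seen[1] if related else None})
    return findings


if __name__ == "__main__":
    for finding in find_log_clearing(EVENTS):
        print(finding)
```

A driver path outside the standard directory is only a triage signal; matching the driver's hash against a known-vulnerable driver blocklist is the stronger check where one is available.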

DragonForce uses tools like Cobalt Strike and SystemBC for lateral movement, which harvest credentials and persist in networks. They use network scanning tools like SoftPerfect Network Scanner to map out networks, helping spread the ransomware to as many devices as possible.

DragonForce’s ability to adapt to new affiliate demands makes them a rapidly growing threat. The attacks surfaced in the U.S., followed by the U.K. and Australia.

While DragonForce ransomware expands its RaaS operation, businesses must remain alert and implement proper defense-in-depth strategies to avoid becoming victims.
