A new and formidable ransomware operation known as DragonForce has emerged as a significant cybersecurity threat, targeting critical business infrastructure worldwide since its appearance in late 2023. Operating on a ransomware-as-a-service (RaaS) model, DragonForce equips cybercriminals with a comprehensive toolkit to launch sophisticated attacks, encrypting valuable data while simultaneously exfiltrating sensitive corporate information. This dual-extortion strategy significantly amplifies pressure on victim organizations.
DragonForce’s modus operandi involves not only rendering critical business data inaccessible through encryption but also secretly stealing sensitive information before the encryption process begins. This stolen data is then used as leverage for extortion, with attackers threatening to publish it on dark web leak sites if their ransom demands are not met. This tactic presents a severe challenge for organizations that might otherwise rely on restoring data from backups to recover from an attack.
DragonForce Ransomware Targets Key Sectors with Advanced Capabilities
The ransomware has shown a particular focus on the manufacturing, business services, technology, and construction sectors. Organizations in the United States, United Kingdom, Germany, Australia, and Italy have been identified as experiencing the highest concentration of these attacks. According to analysis by LevelBlue, DragonForce demonstrates remarkable adaptability, continuously refining its operational tools and techniques. This evolution includes transitioning from using dedicated victim sites to maintaining a centralized domain for hosting leaked data, a hallmark of increasingly sophisticated ransomware operations.
A key factor contributing to DragonForce’s danger is its multi-platform capability. The malware is designed to attack a wide range of systems, including Windows, Linux, ESXi, BSD, and NAS appliances. This broad compatibility provides its affiliates with extensive reach across diverse computing environments. The DragonForce service supports various encryption modes, including full, header, and partial encryption, along with customizable options for file selection and delayed-start features that allow attacks to be timed strategically.
Technical Sophistication and Infection Vectors
The ransomware distinguishes itself through its technical sophistication. DragonForce incorporates multithreading capabilities, enhancing the speed of its encryption processes and providing detailed logging to track the progress of these operations. Researchers have noted a notable feature that allows affiliates to conduct “dry runs” without actual encryption, enabling them to test the impact of an attack before full deployment. The group also offers extensive infrastructure support, claiming to provide unlimited storage and continuous monitoring, alongside complementary partner services such as professional file analysis and decryption assistance.
During an attack, DragonForce begins by performing network reconnaissance. It scans SMB ports within specified IP ranges to identify vulnerable systems. The ransomware uses a mutex identifier that has previously been observed in samples derived from leaked Conti ransomware source code, indicating code reuse from other malware families. Furthermore, it actively deletes volume shadow copies using Windows Management Instrumentation Command-line (WMIC) commands, which hinders victims’ ability to recover files from backup snapshots.
Security experts recommend a series of defensive measures to protect against DragonForce and similar threats. Implementing multi-factor authentication across all systems is crucial, alongside maintaining rigorous patch management to close known vulnerabilities. Organizations should regularly back up their data following a documented and tested backup process, as this remains the most reliable recovery method. Additionally, enabling advanced endpoint detection capabilities, deploying anti-ransomware protection with shadow copy preservation, and utilizing application control to prevent the execution of unauthorized software are vital steps in bolstering defenses against these evolving threats.