Researchers have published a detailed analysis of the DragonForce ransomware, a sophisticated threat that has transitioned from underground forums to a full-fledged Ransomware-as-a-Service (RaaS) operation. This newly identified RaaS group is actively targeting both Windows and VMware ESXi environments, posing a significant risk to organizations globally. The group’s emergence in December 2023 on BreachForums marked its entry into the cybercriminal landscape; it uses a dark web blog to extort victims and advertise stolen data, signaling a cartel-style operation.
The DragonForce ransomware payload is reportedly built upon leaked code from well-known ransomware families, LockBit 3.0 and Conti, indicating a blend of familiar and novel attack vectors. This synthesis allows for flexible and high-speed encryption across local disks and network shares. Threat actors typically gain initial access by exploiting exposed remote desktop servers, then employ tools such as Cobalt Strike and SystemBC for lateral movement within compromised networks before deploying the ransomware. The impact can range from encrypted file servers and virtual machines to the exfiltration and potential public release of sensitive stolen data.
DragonForce Ransomware: Technical Breakdown and Decryptor Availability
Security firm S2W has provided an in-depth analysis of a custom DragonForce build, noting its advanced obfuscation techniques that hide nearly all strings within the malware. This makes static analysis challenging for security professionals. For encryption, DragonForce employs a combination of ChaCha8 for file content and RSA-4096 for encrypting the session keys, a common yet effective cryptographic approach in modern ransomware. Their research highlights that command-line flags provide affiliates with granular control over attack parameters, including encryption modes for local drives, network shares, or a mixed approach. Affiliates can even tune partial encryption ratios, enabling faster attacks by encrypting only portions of files.
The internal workflow, often referred to as the DragonForce DLS (Data Leak Site), details the process from configuration decryption to the killing of critical processes and the subsequent scrambling of files. This internal documentation provides defenders with crucial insights into the ransomware’s operational lifecycle and potential indicators of compromise.
In a significant development for victims, S2W researchers have also obtained a working decryptor for both Windows and ESXi systems affected by DragonForce. This breakthrough offers some organizations a potential path to recovery without succumbing to ransom demands. The Windows decryptor is designed to identify and restore files with the `.RNP` extension, which are the hallmarks of a DragonForce infection. Similarly, the ESXi version targets files with the `.RNP_esxi` extension that also contain a specific eight-byte magic value, identified as `build_key`, which helps in identifying encrypted virtual machine disks. The decryptor tool maps the complete decryption chain, from loading the RSA private key to parsing metadata and ultimately restoring file integrity.
Encryption and Decryption Workflow of DragonForce
Upon execution, the DragonForce ransomware initiates its attack by decrypting an internal configuration embedded within its payload. This configuration, secured using ChaCha8 encryption, contains vital operational parameters such as the desired encryption mode and the target path for its malicious activities. Researchers have observed common command-line arguments used by affiliates, such as `dragonforce.exe -m net -p C:\ -j 8`. This specific command instructs the malware to target network resources located within the `C:` path, utilizing eight worker threads to accelerate the encryption process.
As the ransomware scans across both local and remote file systems, it is programmed to avoid encrypting core operating system directories and critical system files, thus ensuring the system remains somewhat functional to allow for network communication and post-encryption actions. For larger files, particularly virtual disk images, DragonForce employs a strategy of encrypting only specific chunks of the file rather than the entire content. This optimization significantly reduces the time required for encryption, speeding up the overall attack timeline.
At the conclusion of the encryption process for each targeted file, the ransomware appends approximately 534 bytes of metadata. This metadata contains the ChaCha8 key and nonce used for encrypting the file’s content, alongside flags that record the encryption mode, the partial encryption ratio applied, and the original size of the file. Crucially, this metadata block is encrypted using the RSA public key of the threat actors, ensuring that only they possess the means to decrypt the actual encryption keys and thus restore the affected files.
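As an added triage example (not code from S2W or from the article), the following Python script applies two artefacts described above, the `.RNP`/`.RNP_esxi` extensions and the roughly 534-byte metadata block appended to each file, to flag candidate encrypted files on a mounted copy of a volume. The entropy cut-off and the sample files it builds are assumptions and constructed fixtures, not real DragonForce artefacts.

```python
import math
import os
import tempfile
from pathlib import Path

TRAILER_LEN = 534                 # metadata block DragonForce appends to each file
SUFFIXES = (".RNP", ".RNP_esxi")  # Windows / ESXi extensions named in the analysis
ENTROPY_FLOOR = 7.0               # assumed cut-off; RSA-encrypted bytes look near-random

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (8.0 is the ceiling)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def inspect_file(path: Path) -> dict:
    """Grade one file: extension match first, then entropy of its last 534 bytes."""
    size = path.stat().st_size
    result = {"path": str(path), "size": size, "trailer_entropy": None, "verdict": "no-match"}
    if path.suffix not in SUFFIXES:
        return result
    if size < TRAILER_LEN:  # too small to carry the trailer at all
        result["verdict"] = "extension-only"
        return result
    with path.open("rb") as fh:
        fh.seek(size - TRAILER_LEN)
        ent = shannon_entropy(fh.read(TRAILER_LEN))
    result["trailer_entropy"] = round(ent, 2)
    result["verdict"] = "likely-encrypted" if ent >= ENTROPY_FLOOR else "extension-only"
    return result

def triage(root) -> list:
    # Walk a tree and return findings for every file carrying a DragonForce extension
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            r = inspect_file(Path(dirpath) / name)
            if r["verdict"] != "no-match":
                hits.append(r)
    return sorted(hits, key=lambda r: r["path"])

def build_sample_tree() -> str:
    # Constructed fixture (not real artefacts): one encrypted-looking file, one decoy, one clean
    root = tempfile.mkdtemp()
    trailer = (bytes(range(256)) * 3)[:TRAILER_LEN]  # near-uniform bytes stand in for RSA output
    Path(root, "report.docx.RNP").write_bytes(b"\0" * 4096 + trailer)
    Path(root, "renamed.txt.RNP").write_bytes(b"just plain text " * 100)   # 1600 bytes, low entropy
    Path(root, "disk.vmdk").write_bytes(b"KDMV" + b"\0" * 1024)          # no suspicious extension
    return root
```

Run `triage("/mnt/evidence")` against a read-only mount of the affected volume; the `extension-only` verdict separates renamed decoys from files whose trailer actually looks like ciphertext.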
The availability of the decryptor offers a glimmer of hope for organizations that fall victim to DragonForce. However, the ongoing evolution of ransomware tactics means that vigilance and robust cybersecurity measures remain paramount. Organizations should focus on proactive defense strategies, including regular data backups, network segmentation, timely patching of vulnerabilities, and comprehensive employee security awareness training to mitigate the risks associated with advanced threats like DragonForce. The consistent sharing of technical details by cybersecurity researchers is vital in empowering defenders and providing actionable intelligence against these persistent cyber adversaries.