Inside DragonForce: How a Ransomware Group is Weaponizing Conti and LockBit Variants to Devastate Global Industries

If there’s anything ransomware gangs have taught us, it’s that they’ll do whatever it takes to make you pay up. Meet DragonForce, a rising ransomware star that hit the scene in 2023. They decided to spice up the already chaotic ransomware landscape by creating a double cocktail of threats. Think of DragonForce as the Frankenstein of ransomware. They piece together borrowed bits from LockBit and Conti, then top it off with their unique signature features. You know, for that extra “oomph.” Let’s take a look at how DragonForce is redefining Ransomware-as-a-Service (RaaS) with the audacity that only a new generation of cybercriminals could bring.

DragonForce’s Frankenstein Moment: The Two-Headed Ransomware Beast

Imagine a villain wielding not one, but two powerful weapons. DragonForce decided one ransomware variant simply wasn’t enough. Instead, they have a two-pronged strategy: one that involves a customized version of LockBit3.0 and another that uses an amped-up version of ContiV3. Yeah, Conti—that malware that’s been going around getting recycled more often than your grandma’s casserole recipe.

With LockBit’s variant, DragonForce affiliates get the chance to work with several refined options that make their attacks more versatile and effective:

  • Encrypting entire corporate networks
  • Targeting specific folders
  • Choosing how to wrangle security software by using drivers that disable detection processes (because why wouldn’t they want to make defenders’ lives even harder?)

Plus, for good measure, the affiliates can make the ransom notes as customer-friendly—or customer-unfriendly—as they like.

But wait, there’s more! DragonForce’s so-called “original” version of ransomware is actually built off ContiV3 (surprise, surprise). This version includes more advanced customization options and some heavy-lifting tools like Bring Your Own Vulnerable Driver (BYOVD). BYOVD? Sounds fancy. It’s a trick where the attackers drop a legitimately signed driver onto the machine (so Windows happily loads it) that happens to contain an exploitable flaw, and that flaw hands them kernel-level access, the one level security tools can’t protect themselves from. Once they’re there, taking down security measures is a breeze.

So, here’s the deal—this isn’t a game of cops and robbers; it’s more like DragonForce decided to play a whole new genre with a unique plot twist.

BYOVD: Bring Your Own Weapons

Now, when we said DragonForce loves to “Bring Your Own Vulnerable Driver,” we weren’t kidding. DragonForce uses this tactic to terminate pesky security software like Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR). It’s like showing up to a sword fight with a lightsaber. For instance, they’ve loaded TrueSight.sys (originally part of a legitimate tool called RogueKiller) and RentDrv.sys, then used those drivers to kill security processes. They bring these signed-but-vulnerable drivers into the system to wreak havoc undetected—making them basically the Kevin Bacon of the malware world: quietly there, always making everything worse.

If this wasn’t bad enough, they also have two separate lists for process-killing: one for single-use termination and another for continuous extermination. Just in case security services try to rise from the dead, DragonForce keeps pounding away until they’re really gone. Lovely.
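The two behaviours described above leave footprints a defender can look for: a known-vulnerable driver being loaded, and a security process dying over and over because a kill list keeps firing. The following is an added example, not DragonForce tooling and not any vendor’s detection content, that runs both checks over constructed Sysmon-style records (Event ID 6 DriverLoad, Event ID 5 ProcessTerminate). The driver names come from the article; the SHA256 values, the `edr-agent.exe` image name, the five-minute window and the threshold of three are placeholders and assumptions to tune for your own environment.

```python
"""Detection sketch for the two BYOVD behaviours the article describes:
a known-vulnerable driver being loaded, and a security process being
killed over and over. Added example over constructed Sysmon-style records;
this is not DragonForce tooling or any vendor's detection content."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ntpath

# Driver names from the article. The SHA256 values are CONSTRUCTED placeholders:
# populate them from a vetted block list (e.g. Microsoft's vulnerable driver
# block rules) and prefer the hash match, because an attacker can rename the file.
VULNERABLE_DRIVER_NAMES = {"truesight.sys", "rentdrv.sys"}
VULNERABLE_DRIVER_SHA256 = {
    "CONSTRUCTED-SHA256-PLACEHOLDER-TRUESIGHT",
    "CONSTRUCTED-SHA256-PLACEHOLDER-RENTDRV",
}
# Assumed image name of the endpoint agent in your environment (placeholder).
PROTECTED_PROCESSES = {"edr-agent.exe"}
KILL_WINDOW = timedelta(minutes=5)   # repeated kills inside this window ...
KILL_THRESHOLD = 3                   # ... this many times -> "kill loop" alert


def parse_hashes(field):
    """Sysmon writes hashes as 'SHA256=...,MD5=...'; return {algo: value}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out


def check_driver_load(event):
    """Sysmon Event ID 6 (DriverLoad): hash match first, name match as fallback."""
    if event["EventID"] != 6:
        return None
    path = event["ImageLoaded"]
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in VULNERABLE_DRIVER_SHA256:
        return f"vulnerable driver loaded (hash match): {path}"
    if ntpath.basename(path).lower() in VULNERABLE_DRIVER_NAMES:
        return f"vulnerable driver loaded (name match): {path}"
    return None


def detect(events):
    """Run both rules over a batch of events and return the alert strings."""
    alerts = []
    recent_kills = defaultdict(deque)   # image name -> timestamps of recent terminations
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        hit = check_driver_load(ev)
        if hit:
            alerts.append(hit)
        # Sysmon Event ID 5 (ProcessTerminate). It does not record who did the
        # killing, so the signal is the agent dying repeatedly in a short window.
        if ev["EventID"] == 5:
            image = ntpath.basename(ev["Image"]).lower()
            if image not in PROTECTED_PROCESSES:
                continue
            ts = datetime.strptime(ev["UtcTime"][:19], "%Y-%m-%d %H:%M:%S")
            window = recent_kills[image]
            window.append(ts)
            while ts - window[0] > KILL_WINDOW:
                window.popleft()
            if len(window) == KILL_THRESHOLD:   # fires once, when the threshold is first reached
                alerts.append(
                    f"{image} terminated {KILL_THRESHOLD} times within "
                    f"{KILL_WINDOW}: possible kill loop against the agent"
                )
    return alerts


# Constructed sample batch (not real telemetry): a vulnerable driver loaded under
# its own name, a second one renamed but with a matching hash, a benign driver,
# and the agent dying three times in ninety seconds.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2024-01-15 02:14:03.101",
     "ImageLoaded": r"C:\Windows\Temp\TrueSight.sys",
     "Hashes": "SHA256=CONSTRUCTED-SHA256-PLACEHOLDER-TRUESIGHT"},
    {"EventID": 6, "UtcTime": "2024-01-15 02:14:09.455",
     "ImageLoaded": r"C:\Windows\Temp\svcdrv.sys",
     "Hashes": "SHA256=CONSTRUCTED-SHA256-PLACEHOLDER-RENTDRV"},
    {"EventID": 6, "UtcTime": "2024-01-15 02:14:10.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=CONSTRUCTED-BENIGN-HASH"},
    {"EventID": 5, "UtcTime": "2024-01-15 02:14:20.000", "Image": r"C:\Program Files\Agent\edr-agent.exe"},
    {"EventID": 5, "UtcTime": "2024-01-15 02:14:50.000", "Image": r"C:\Program Files\Agent\edr-agent.exe"},
    {"EventID": 5, "UtcTime": "2024-01-15 02:15:21.000", "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 5, "UtcTime": "2024-01-15 02:15:50.000", "Image": r"C:\Program Files\Agent\edr-agent.exe"},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The renamed driver in the sample is the reason the hash check comes first: a name-only rule is trivial to sidestep, while a hash-based block list (which is also what Windows’ own driver blocklist keys on) catches the file whatever it is called. The kill-loop rule is deliberately dumb; the agent restarting itself three times in five minutes has a benign explanation only rarely, and the page’s point is that the attacker keeps killing it until it stays down.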

Affiliates Get a Slice of the Pie: RaaS Made Easy

It turns out, DragonForce is also good at franchising. They launched an affiliate program that offers cybercriminals a sweet deal—80% of the ransom paid. For comparison, most affiliate programs in the ransomware industry offer between 60% to 70%, making DragonForce’s offer particularly generous and attractive to potential partners. You’d think they were offering discounts on Amazon Prime memberships! Affiliates get everything they need to launch their own attacks—customized ransomware builders, attack automation tools, and support from the DragonForce family, including 24/7 troubleshooting, step-by-step attack guides, technical assistance to bypass security measures, and specialized tools like network exploit kits that simplify breaching corporate defenses. It’s basically Ransomware-as-a-Service but delivered with all the customer service of a fast-food chain.

Affiliates can even use tools like SoftPerfect Network Scanner to map out networks, and then there’s good old SystemBC, which they use for persistence (a.k.a. making sure they never really leave). The menu of tools is long, but it’s all designed to help affiliates keep doing what they do best—attack, extract, and demand money.

Double Extortion—Because Why Settle for One Crime When You Can Have Two?

What’s worse than getting locked out of your system? Also having your data exposed on the dark web, of course. The double extortion trend—first encrypting data, then threatening to leak it—is a major part of DragonForce’s playbook. They’ve learned from the best, taking a page from the book of the DarkSide and REvil gangs. You don’t just lose access to your files; you lose your peace of mind and whatever’s left of your company’s reputation.

DragonForce is ambitious: in one year, they targeted 82 victims—a majority of which were based in the U.S., while others were in the U.K. and Australia. These countries are attractive targets due to their large economies, critical infrastructure, and the high likelihood of ransom payments from businesses under pressure to maintain operations. They particularly loved poking at the Manufacturing, Real Estate, and Transportation industries, and given the amount of pressure that comes with operational downtime in these sectors, it’s not surprising they would pay up.

Oh, and before you ask, yes, DragonForce does leak data if the ransom isn’t paid—they have their own Dedicated Leak Site (DLS). They even list company details and make it all searchable by name, ID, and ransom status. So, if you’re a competitor wanting to take a peek at a struggling rival’s dirty laundry, well, DragonForce has you covered. Just a tad cynical, but hey, that’s cybercrime for you.

Security Bypass? Sure, They’ve Got Tricks for That

If bypassing your company’s defenses were a sport, DragonForce would be Olympic-level athletes. Aside from the BYOVD trick, they’ve also used SystemBC and Cobalt Strike. Cobalt Strike, originally designed for penetration testing, is like a Swiss Army knife for cybercriminals. They use it for lateral movement, harvesting credentials, and all-around making defenders pull their hair out.

SystemBC works behind the scenes, setting up persistent communication back to command-and-control servers (C2). It’s stealthy, like a teenager sneaking out at night—they slip past the guardrails without making much noise. DragonForce is using SystemBC to maintain a foothold, hide in plain sight, and keep the line open for further operations.

And they’re all about defense evasion. After encrypting files, DragonForce clears the Windows Event Logs, the records that track user and system activity: login attempts, application errors, security alerts, and the rest. Without them, forensic investigators are left chasing shadows; it becomes significantly harder to reconstruct the attack timeline or work out how the system was initially compromised. It’s like committing a crime and then setting fire to the getaway car—no evidence, no crime scene, no problem.
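The wipe is not quite silent, though. Windows writes a record of a log being cleared, and that record survives the clear: Security Event ID 1102 (“The audit log was cleared”) and System Event ID 104 (“The … log file was cleared”), both from the Microsoft-Windows-Eventlog provider. Below is an added example, not the group’s tooling and not any vendor’s rule set, that pulls those records out of a batch of constructed events, notes who cleared what and when, and relates the clears to the time encryption was first seen. The host name, user name and the `ClearedChannel` field name are constructed placeholders (the real 104 event carries the cleared log’s name in its event data).

```python
"""Spotting the log-clearing step the article describes. Windows itself records
a log being wiped, and that record survives the wipe:
  Security 1102  "The audit log was cleared"
  System   104   "The <name> log file was cleared"
both from provider Microsoft-Windows-Eventlog. Added example over constructed
records; not the group's tooling or any vendor's rule set."""
from datetime import datetime

EVENTLOG_PROVIDER = "Microsoft-Windows-Eventlog"
CLEAR_SIGNATURES = {("Security", 1102), ("System", 104)}


def parse_time(s):
    """Accepts 'YYYY-MM-DD HH:MM:SS' with or without fractional seconds."""
    return datetime.strptime(s[:19], "%Y-%m-%d %H:%M:%S")


def find_log_clears(events):
    """Return one finding per clear event: which log, when, by whom, on which host."""
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if (ev["Channel"], ev["EventID"]) not in CLEAR_SIGNATURES:
            continue
        if ev.get("Provider") != EVENTLOG_PROVIDER:   # other providers reuse these IDs
            continue
        findings.append({
            "time": parse_time(ev["TimeCreated"]),
            # 1102 always means the Security log; 104 names the cleared log in its
            # event data ("ClearedChannel" is this example's constructed field name)
            "cleared_log": ev.get("ClearedChannel", ev["Channel"]),
            "user": ev.get("SubjectUserName", "unknown"),
            "host": ev["Computer"],
        })
    return findings


def triage(events, first_ransom_note):
    """Summarise clears relative to when encryption was first seen (the
    ordering the article describes is encrypt first, wipe logs second)."""
    clears = find_log_clears(events)
    after = [c for c in clears if c["time"] >= first_ransom_note]
    return {
        "cleared_logs": [c["cleared_log"] for c in clears],
        "clears_after_encryption": len(after),
        "users": sorted({c["user"] for c in clears}),
        # records older than the earliest clear exist only in forwarded copies
        "local_evidence_starts": min((c["time"] for c in clears), default=None),
    }


# Constructed sample (not real telemetry): host and user names are placeholders.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-01-15 03:05:12", "Channel": "Security", "EventID": 4624,
     "Provider": "Microsoft-Windows-Security-Auditing", "Computer": "FILESRV01",
     "SubjectUserName": "svc-backup"},
    {"TimeCreated": "2024-01-15 03:40:02", "Channel": "Security", "EventID": 1102,
     "Provider": EVENTLOG_PROVIDER, "Computer": "FILESRV01", "SubjectUserName": "svc-backup"},
    {"TimeCreated": "2024-01-15 03:40:03", "Channel": "System", "EventID": 104,
     "Provider": EVENTLOG_PROVIDER, "Computer": "FILESRV01", "SubjectUserName": "svc-backup",
     "ClearedChannel": "Application"},
    {"TimeCreated": "2024-01-15 03:40:04", "Channel": "System", "EventID": 104,
     "Provider": EVENTLOG_PROVIDER, "Computer": "FILESRV01", "SubjectUserName": "svc-backup",
     "ClearedChannel": "System"},
    # same ID from a different provider: not a log clear, must be ignored
    {"TimeCreated": "2024-01-15 03:41:00", "Channel": "System", "EventID": 104,
     "Provider": "Some-Other-Provider", "Computer": "FILESRV01"},
]
FIRST_RANSOM_NOTE = parse_time("2024-01-15 03:12:00")   # constructed: first note seen on disk

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, FIRST_RANSOM_NOTE))
```

The practical lesson is in the last field: once a log is cleared, the local copy only tells the story from the clear onward, so forwarding event logs to a collector as they are written is what keeps the earlier timeline (including the 1102 and 104 records themselves) out of the attacker’s reach.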

FAQ: What You Need to Know About DragonForce (Before It’s Too Late)

What is DragonForce Ransomware?

DragonForce is a ransomware group that runs a Ransomware-as-a-Service (RaaS) operation with two key variants of ransomware: a forked LockBit3.0 and an upgraded version of ContiV3. The group leverages techniques like Bring Your Own Vulnerable Driver (BYOVD) and SystemBC to bypass security, and uses double extortion tactics to get paid.

What sectors are most at risk?

Between August 2023 and August 2024, the Manufacturing, Real Estate, and Transportation industries were the biggest targets. DragonForce targeted 82 companies, of which 43 were in the United States. The U.S. is often a prime target for ransomware attacks due to its large number of high-value businesses and critical infrastructure, which can make ransom payments more likely.

How does DragonForce achieve persistence in compromised networks?

DragonForce uses SystemBC for persistence, creating a registry key to ensure it runs upon system boot. Additionally, they use compromised domain accounts to maintain long-term access to target networks.
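A boot-time registry key is something a defender can audit. The following is an added example, not the group’s code and not any product’s feature, that assumes the key in question is one of the usual Run keys and parses the text that `reg query` prints for them, flagging autostart entries whose executable lives in a user-writable directory. The sample output, the value names, the `WRITABLE_HINTS` and the OneDrive allowlist entry are constructed; tune the lists to your own fleet.

```python
"""Auditing the Run keys for autostart entries that look out of place. The
article says SystemBC is set to run at boot via a registry key; this example
assumes that key is one of the usual Run keys. It parses the text that
`reg query` prints, so it can run against an export from a suspect host.
Added example with constructed output; not the group's code or any product's."""
import re

RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]
# Directories an unprivileged user (or a dropper) can write to: a loader that
# starts from here deserves a look. Lower-cased substrings of the full path.
WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
# Known-good autostarts that legitimately live in a user profile (assumed; tune per fleet).
ALLOWLIST = ("\\appdata\\local\\microsoft\\onedrive\\",)
EXE_RE = re.compile(r'^"([^"]+)"|^(\S+)')   # quoted path, else first token


def parse_reg_query(text):
    """Yield (key, value_name, data) from `reg query` output; columns are 4+ spaces apart."""
    key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("HKEY_"):
            key = line
            continue
        parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
        if key and len(parts) == 3:
            yield key, parts[0], parts[2]


def executable_of(data):
    """Strip arguments from a Run value so only the program path is judged."""
    m = EXE_RE.match(data.strip())
    return (m.group(1) or m.group(2)) if m else data.strip()


def suspicious_autostarts(text):
    """Return Run entries whose executable lives in a user-writable directory."""
    findings = []
    for key, name, data in parse_reg_query(text):
        if key not in RUN_KEYS:
            continue
        exe = executable_of(data).lower()
        if any(a in exe for a in ALLOWLIST):
            continue
        hits = [h for h in WRITABLE_HINTS if h in exe]
        if hits:
            findings.append({"key": key, "name": name, "exe": exe,
                             "reason": "user-writable path " + hits[0]})
    return findings


# Constructed `reg query` output (not from a real host): one benign system entry,
# one allowlisted per-user installer, and two loaders started from writable paths.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    WindowsUpdateSvc    REG_SZ    "C:\ProgramData\WinUpd\svcnet.exe" -start

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\upd\upd.exe
"""

if __name__ == "__main__":
    for finding in suspicious_autostarts(SAMPLE_REG_QUERY):
        print(finding)
```

On a live host you would feed it the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and the HKCU equivalent; the allowlist is there because plenty of legitimate software installs per-user under AppData, so a writable path is a reason to look, not a verdict.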

What tactics do they use to evade detection?

They use BYOVD to bring signed-but-vulnerable drivers that disable security solutions, clear Windows Event Logs to obscure evidence, and use Cobalt Strike and Mimikatz for lateral movement and credential harvesting.

What is the impact of a DragonForce attack?

Victims face double extortion—first, losing access to their encrypted files, and then having the threat of their stolen data being published. Industries like Manufacturing often can’t afford downtime, which is why DragonForce’s ransom demands are often paid.

A Note on Stopping Ransomware—And How to Not Be the Next Victim

Ransomware prevention is like playing defense in a game where your opponents know all your moves. DragonForce uses sophisticated methods like BYOVD, Cobalt Strike, and SystemBC, which are particularly effective because they exploit legitimate tools and vulnerabilities to evade detection and disable security measures. These tactics make it extremely challenging for traditional defenses to recognize and stop them, so companies need to get serious about proactive defense.

Here are a few things that can make life difficult for DragonForce and their affiliates:

  1. Multi-Factor Authentication (MFA): Make it tougher for compromised accounts to let attackers in.
  2. Behavioral Detection: Use advanced EDR systems to detect unusual patterns early on.
  3. Backup Strategies: Regularly back up your data and practice restoring it. Even if they encrypt you, you still have a lifeline.
  4. Patch Management: If there’s a known vulnerability, patch it. Don’t let BYOVD tactics succeed simply because an outdated driver is in use.
  5. Security Training: Let’s face it, humans are a weakness—train your employees to recognize suspicious activity, phishing, and social engineering tactics.

Final Thoughts: Lock Your Digital Doors

DragonForce isn’t just here to play; they’re here to make a statement. This aggressive stance is reflected in their brazen attacks and the devastating impact they’ve had on their victims. In July 2024, for instance, they launched a major attack on a manufacturing company in the United States, leading to days of operational downtime and the exposure of sensitive data on their leak site. In another notable case, they attacked a major transportation company in the U.K., disrupting operations for nearly a week and leaking sensitive internal communications when the ransom wasn’t paid. And in Australia, they hit a large healthcare provider, causing significant disruptions to patient services and leaking confidential medical records when the ransom wasn’t paid. Using sophisticated ransomware variants, advanced evasion tactics, and persistence techniques, they’ve taken Ransomware-as-a-Service to the next level. The message? Adapt or be left behind, and for companies, that means bulking up defenses, staying informed, and preparing for the worst.

So, are you ready to defend against the DragonForce? Drop us a comment, share your thoughts, or let us know if you’re already using some of these protective measures. And remember, the best defense against cybercrime is to stay ahead of the criminals—and stay aware.
