Dragon RaaS Leading “Five Families” Crimeware with New Initial Access & Exploitation Tactics

Dragon RaaS, a ransomware group known for its blend of hacktivism and cybercrime, has emerged as a significant player in the “Five Families” crimeware syndicate.

This group, which includes ThreatSec, GhostSec, Blackforums, and SiegedSec, has been making waves since its inception in July 2024 as an offshoot of the Stormous group.

Dragon RaaS markets itself as a sophisticated Ransomware-as-a-Service (RaaS) operation, though its attacks often focus on defacements and opportunistic strikes rather than large-scale ransomware extortion.

Origins and Evolution

Dragon RaaS’s origins are deeply rooted in the pro-Russian Stormous group, which gained notoriety for targeting organizations perceived as hostile to Russia.

Stormous is part of the broader “Five Families” syndicate, which has been involved in various ransomware operations, including GhostLocker and StormCry.

In July 2024, Dragon RaaS launched its Telegram channel, announcing a forthcoming ransomware platform.

The group’s first substantive postings occurred in October 2024, with the announcement of a ransomware attack against Al-Saeeda University in Yemen.

This marked the beginning of Dragon RaaS’s active campaign, which continues to target smaller organizations with weak security postures, primarily in the United States, Israel, the United Kingdom, France, and Germany.

Initial Access and Exploitation Methods

Dragon RaaS employs a range of tactics to gain initial access to target systems.

These include exploiting vulnerabilities in public-facing applications, brute-force credential attacks, and leveraging compromised credentials from infostealer logs.

The group frequently targets WordPress themes and plugins, LiteSpeed HTTP servers, and cPanel interfaces.

Specific vulnerabilities exploited by Dragon RaaS include those in the Porto WP Theme (CVE-2024-3806 to CVE-2024-3809) and LiteSpeed HTTP servers (CVE-2022-0073 and CVE-2022-0074).

Once access is gained, Dragon RaaS deploys a PHP webshell that provides backdoor functionality and persistent ransomware capabilities.

According to SentinelOne Report, this webshell allows attackers to manipulate and encrypt files using methods such as OpenSSL, XOR, or mCrypt.

To protect against Dragon RaaS and similar groups, organizations should prioritize securing public-facing applications by regularly updating and patching services like WordPress and cPanel.

Implementing strong password policies, including multi-factor authentication, is also crucial.

Deploying advanced endpoint security solutions can help detect and prevent malicious tactics, techniques, and procedures (TTPs) associated with these groups.

Monitoring for indicators of compromise and auditing systems for suspicious webshell activity are essential steps in maintaining a robust security posture.

By focusing on these measures, organizations can significantly reduce their vulnerability to Dragon RaaS and other crimeware syndicates.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup – Try for Free