DragonForce Ransomware Empowers Affiliates with Modular Toolkit to Create Custom Ransomware Payloads

DragonForce ransomware has emerged as one of the most sophisticated threats in the cybercriminal ecosystem, transforming from a hacktivist collective into a mature Ransomware-as-a-Service (RaaS) operation since its debut in December 2023.

The group initially gained notoriety through ideologically driven cyberattacks targeting organizations whose values conflicted with their political stance, but has since pivoted toward purely financial motivations, establishing itself as a dominant player in the global ransomware landscape.

The ransomware’s distinguishing feature lies in its highly modular architecture that empowers affiliates with unprecedented customization capabilities.

Through their sophisticated RaaS platform, DragonForce provides a comprehensive toolkit that enables threat actors to craft tailored ransomware payloads specifically designed for their target environments.

This flexibility has facilitated successful campaigns across diverse industries, with particularly devastating impacts on manufacturing, financial services, and retail sectors spanning North America, Europe, and Asia.

DarkAtlas researchers identified that DragonForce’s technical foundation builds upon the leaked LockBit 3.0 builder, which the group has extensively modified to incorporate advanced evasion capabilities and streamlined deployment mechanisms.

The platform features a customizable payload builder that allows affiliates to modify encryption modules, ransom notes, and lateral movement behaviors according to specific operational requirements.

Additionally, the system includes stealth-optimized encryption algorithms designed to bypass endpoint detection and response solutions, multilingual victim portals for global operations, and comprehensive affiliate support including technical documentation.

The group’s revenue model operates on a tiered sharing system that incentivizes more destructive campaigns, creating a competitive environment among affiliates that has contributed to the ransomware’s rapid proliferation.

Their centralized affiliate platform provides each partner with unique control panels featuring revenue tracking dashboards, victim management systems, and direct integration with their “DragonLeaks” data leak site for enhanced extortion leverage.

Advanced Evasion and Persistence Mechanisms

DragonForce’s most concerning technical advancement lies in its sophisticated evasion capabilities that combine multiple layers of defense circumvention.

The malware employs intermittent encryption patterns that make detection significantly more challenging for traditional security solutions.

Figure: DragonForce blog (Source – DarkAtlas)

Rather than encrypting files in predictable sequences, the ransomware utilizes randomized encryption intervals that can evade behavior-based detection systems relying on consistent file modification patterns.
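
To make that detection gap concrete, here is an added example (not code from the article or from DarkAtlas) of a file-level check a responder can run after the fact: it computes a per-window entropy profile and flags files whose profile alternates between plaintext-like and ciphertext-like windows, the residue that intermittent encryption leaves on disk regardless of the order in which files were touched. The window size, the two entropy thresholds and the sample data are assumptions constructed for the example, not values taken from any DragonForce sample.

```python
import math
from collections import Counter
from random import Random

CHUNK = 4096   # bytes per window (assumed; tune to a sample's known stride)
HIGH = 7.5     # bits/byte: ciphertext or compressed data (assumed threshold)
LOW = 6.0      # bits/byte: text, code, most document payloads (assumed threshold)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data: bytes, chunk: int = CHUNK) -> list[float]:
    """Entropy of each fixed-size window, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def high_low_flips(profile: list[float]) -> int:
    """Transitions between confidently-high and confidently-low windows;
    windows in the ambiguous band (LOW, HIGH) are skipped, not guessed."""
    states = ["H" if e >= HIGH else "L" for e in profile if e >= HIGH or e <= LOW]
    return sum(1 for a, b in zip(states, states[1:]) if a != b)

def looks_intermittently_encrypted(data: bytes, chunk: int = CHUNK, min_flips: int = 2) -> bool:
    """Flag a file whose profile flips H<->L at least min_flips times.
    Fully encrypted (all H) and untouched (all L) files score 0 flips.
    Caveat: containers mixing text and compressed streams (PDF, OOXML) can
    flip too; corroborate with file-type and change-time checks before alerting."""
    return high_low_flips(entropy_profile(data, chunk)) >= min_flips

# Constructed sample input (not real victim data): 'L' windows hold repeated
# text, 'H' windows hold pseudo-random bytes standing in for ciphertext.
_rng = Random(1234)   # fixed seed so the samples are reproducible
_TEXT = b"Quarterly report: revenue, costs and headcount by region.\n"

def build_sample(pattern: str, chunk: int = CHUNK) -> bytes:
    out = bytearray()
    for state in pattern:
        out += _rng.randbytes(chunk) if state == "H" else (_TEXT * (chunk // len(_TEXT) + 1))[:chunk]
    return bytes(out)

SAMPLE_INTERMITTENT = build_sample("LHLHLHLH")   # alternating, as intermittent encryption leaves
SAMPLE_UNTOUCHED = build_sample("LLLLLLLL")
SAMPLE_FULLY_ENCRYPTED = build_sample("HHHHHHHH")

if __name__ == "__main__":
    for name, blob in (("intermittent", SAMPLE_INTERMITTENT), ("untouched", SAMPLE_UNTOUCHED), ("fully encrypted", SAMPLE_FULLY_ENCRYPTED)):
        print(name, high_low_flips(entropy_profile(blob)), looks_intermittently_encrypted(blob))
```

Because the check reads content rather than watching modification order, it complements (rather than replaces) the behavioural file-activity monitoring the article says this technique is designed to evade.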

The group has integrated the Bring Your Own Vulnerable Driver (BYOVD) technique to disable EDR and XDR protection systems at the kernel level.

This approach involves deploying legitimate but vulnerable drivers that can be exploited to gain elevated privileges and terminate security processes.

The malware package includes SystemBC, a multifunctional backdoor that establishes encrypted command-and-control channels while providing persistent access for reconnaissance activities.

These capabilities are enhanced by anti-analysis mechanisms designed to detect and evade sandbox environments, making forensic investigation significantly more complex for security researchers.
