DragonForce Ransomware Expands RaaS, Targets Firms Worldwide


DragonForce ransomware is expanding its RaaS operation and becoming a global cybersecurity threat against businesses. Companies must implement strong cybersecurity strategies to defend against this growing ransomware attack and avoid becoming victims.

Ransomware attacks are growing, leaving organizations vulnerable to new and more sophisticated threats. According to Group-IB’s Hi-Tech Crime Trends 2023/2024 report, ransomware incidents could cause even greater damage in 2024.

One of the most significant emerging threats is the DragonForce ransomware group, which leverages a Ransomware-as-a-Service (RaaS) affiliate program, employing variants of well-known ransomware families to wreak havoc on targeted industries.

DragonForce: A Dual-Ransomware Threat

The DragonForce ransomware group emerged in August 2023, deploying a variant based on LockBit 3.0, a notorious ransomware strain. However, by July 2024, the group introduced a second variant, initially claimed to be their original creation but later found to be a fork of ContiV3 ransomware. These dual ransomware versions are used to exploit vulnerabilities in companies, particularly in sectors like manufacturing, real estate, and transportation.

Screenshot of the LockBit version of the DragonForce ransomware

DragonForce’s attack strategy revolves around double extortion—encrypting data and threatening to leak it unless a ransom is paid. This adds immense pressure on victims to comply, fearing not only operational disruption but also the reputational damage that could arise from exposed sensitive information.

Advanced Tactics for Maximum Damage

According to Group-IB’s research shared with Hackread.com ahead of publication on Wednesday, the DragonForce ransomware gang’s operations are highly customizable, allowing affiliates to configure attacks based on the type of victim.

With its RaaS affiliate program, launched on June 26, 2024, DragonForce ransomware offers attackers the ability to personalize ransomware payloads. Affiliates can disable security features, set encryption parameters, and even customize ransom notes. In return, affiliates receive 80% of any ransom collected.

DragonForce employs a variety of advanced techniques for evasion and persistence. One of their key tactics is “Bring Your Own Vulnerable Driver” (BYOVD), where affiliates use vulnerable drivers to disable security processes and evade detection. Additionally, they clear Windows Event Logs after encryption to hinder forensic investigations.
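Both behaviours described above leave records in standard Windows logs: event 7045 in the System log when a new service (including a kernel driver) is installed, and events 1102 (Security) and 104 (System) when a log is cleared. The following Python example is added here for illustration and is not from Group-IB's research or the original article; it triages exported event records per host. The record field names, host names, sample data and the "expected driver directory" heuristic are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), shaped like exported event fields.
SAMPLE_EVENTS = [
    {"host": "WS-01", "time": "2024-08-01T10:00:00", "channel": "System", "event_id": 7045,
     "service_type": "kernel mode driver", "image_path": r"\??\C:\Users\Public\drv.sys"},
    {"host": "WS-01", "time": "2024-08-01T10:42:00", "channel": "Security", "event_id": 1102},
    {"host": "WS-01", "time": "2024-08-01T10:42:05", "channel": "System", "event_id": 104},
    {"host": "WS-02", "time": "2024-08-01T09:00:00", "channel": "System", "event_id": 7045,
     "service_type": "kernel mode driver", "image_path": r"\SystemRoot\System32\drivers\vendor.sys"},
    {"host": "WS-03", "time": "2024-08-01T11:00:00", "channel": "Security", "event_id": 1102},
]

DRIVER_DIR = "c:\\windows\\system32\\drivers\\"    # assumption: where legitimate drivers live
LOG_CLEAR = {("Security", 1102), ("System", 104)}  # audit log cleared / log file cleared

def is_unusual_driver_install(ev):
    """Event 7045 (service installed) for a kernel driver outside the usual directory."""
    if ev["event_id"] != 7045 or ev["channel"] != "System":
        return False
    if "kernel" not in ev.get("service_type", "").lower():
        return False
    path = ev.get("image_path", "").lower().replace("\\??\\", "")
    path = path.replace("\\systemroot\\", "c:\\windows\\")
    return not path.startswith(DRIVER_DIR)

def triage(events, window=timedelta(hours=2)):
    """Return (host, severity, reason) alerts, sorted by host."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in sorted(by_host.items()):
        drivers = [datetime.fromisoformat(e["time"]) for e in evs if is_unusual_driver_install(e)]
        clears = [datetime.fromisoformat(e["time"]) for e in evs
                  if (e["channel"], e["event_id"]) in LOG_CLEAR]
        if any(timedelta(0) <= c - d <= window for d in drivers for c in clears):
            alerts.append((host, "high", "driver install followed by log clear"))
        elif clears:
            alerts.append((host, "medium", "event log cleared"))
        elif drivers:
            alerts.append((host, "medium", "kernel driver installed from unusual path"))
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The path heuristic will miss a vulnerable driver dropped into the standard drivers directory, so it complements rather than replaces a driver blocklist. The correlation only works if events are forwarded off the host before the local logs are cleared.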

For lateral movement, the group uses tools like Cobalt Strike and SystemBC, both of which allow them to harvest credentials and persist in networks. They also use network scanning tools like SoftPerfect Network Scanner to map out networks, helping spread the ransomware to as many devices as possible.

Targeted Attacks and Global Reach

Between August 2023 and August 2024, DragonForce listed 82 victims on its dark web leak site. Most attacks were concentrated in the U.S. (52.4%), followed by the U.K. and Australia. The manufacturing sector suffered the highest number of attacks, with real estate and transportation industries close behind.

In addition to their use of ContiV3 and LockBit variants, DragonForce’s ability to adapt to new affiliate demands makes them a rapidly growing threat. By targeting high-revenue companies and critical sectors, they continue to increase their foothold in the cybercrime infrastructure.

What Can Businesses Do?

To combat these sophisticated attacks, businesses need to adopt more proactive and layered security measures. Here are some critical steps:

  • Multi-Factor Authentication (MFA): Adding additional authentication layers makes it harder for attackers to compromise credentials.
  • Early Detection: Use behavioural detection tools such as Endpoint Detection and Response (EDR) to identify suspicious activity early.
  • Backup Strategy: Regular backups reduce the impact of ransomware by ensuring data can be recovered without paying ransom.
  • Patch Vulnerabilities: Regularly patching known vulnerabilities prevents ransomware from exploiting outdated systems.
  • Employee Training: Training employees to recognize phishing and other malicious tactics can prevent initial infiltration.
  • Avoid Paying the Ransom: Paying ransom often leads to more attacks, as it signals vulnerability to other cybercriminals.

While DragonForce ransomware expands its RaaS operation, businesses must remain alert and implement proper cybersecurity strategies to avoid becoming victims of this and other dangerous threats.
