Researchers Breakdown DragonForce Ransomware Along with Decryptor for ESXi and Windows Systems

   January 14, 2026  Posted in CyberSecurityNews

Researchers Breakdown DragonForce Ransomware Along with Decryptor for ESXi and Windows Systems

DragonForce is the latest ransomware brand to move from noisy forum posts to full RaaS operations, targeting both Windows and VMware ESXi environments.

First seen in December 2023 on BreachForums, the group advertises stolen data and uses a dark web blog to pressure victims. The early leak post revealed the new cartel-style operation.

The group built its payload from leaked LockBit 3.0 and Conti code, but tuned it for flexible, high-speed encryption across local disks and network shares.

Operators usually gain access through exposed remote desktop servers, then use tools like Cobalt Strike and SystemBC to move laterally before launching the ransomware. Impact ranges from encrypted file servers and virtual machines to stolen data prepared for public release.

Post uploaded to BreachForums (Source - Medium)
Post uploaded to BreachForums (Source – Medium)

S2W analysts identified a custom DragonForce build that hides nearly all strings with a home-grown deobfuscation routine and relies on ChaCha8 plus RSA-4096 for file encryption.

Their research shows that command-line flags let affiliates choose local, network-only, or mixed modes, and even tune partial encryption ratios to speed up attacks. While its DLS shows the internal workflow from configuration decryption to process killing and file scrambling.

google

DragonForce’s DLS as of December 2023 (Source - Medium)
DragonForce’s DLS as of December 2023 (Source – Medium)

During wider threat hunting, S2W researchers obtained a working decryptor for both Windows and ESXi systems, giving some victims a path to recovery without paying ransom.

The Windows tool looks for files with the .RNP extension, while the ESXi version checks for .RNP_esxi files that also end with a specific eight-byte magic value called build_key. Besides this it maps the full decryption chain from RSA key loading to metadata parsing and file restoration.

DragonForce — we invite you to join our family (Source - Medium)
DragonForce — we invite you to join our family (Source – Medium)

This complete technical breakdown gives defenders insight into DragonForce tools and recovery options.

Encryption and Decryption Workflow

On execution, the ransomware first decrypts its internal configuration using ChaCha8, then reads options such as encryption mode and target path.

Post announcing the migration of the RansomHub infrastructure to DragonForce (Source - Medium)
Post announcing the migration of the RansomHub infrastructure to DragonForce (Source – Medium)

A common command seen by S2W analysts is dragonforce.exe -m net -p C:\ -j 8, which tells the malware to hit network targets under that path with multiple worker threads.

DragonForce Ransomware Execution Flow (Source - Medium)
DragonForce Ransomware Execution Flow (Source – Medium)

As it scans local and remote paths, DragonForce skips core system areas, then encrypts chosen files. For big virtual disk images it encrypts only chunks instead of the whole file to save time.

At the end of each file it writes 534 bytes of metadata with an RSA-encrypted ChaCha8 key and nonce plus flags that store mode, ratio, and original size.

Follow us on Google News, LinkedIn, and X to Get More Instant UpdatesSet CSN as a Preferred Source in Google.

googlenews



Source link