The cybercriminal group DragonForce has been launching attacks across industries worldwide, targeting sectors such as manufacturing, real estate, and transportation. According to researchers from Group-IB, DragonForce has been using modified versions of two infamous ransomware variants: LockBit and Conti. The malware used by DragonForce is based on leaked ransomware builders, allowing the group to tailor these tools to their specific needs. LockBit, Conti, and other ransomware families like Babuk are commonly reused and adapted by modern ransomware operators, reflecting a growing trend of cybercriminals leveraging existing ransomware frameworks for new attacks.
DragonForce operates as a ransomware-as-a-service group, selecting affiliates who are experienced in carrying out high-value cyberattacks. These affiliates are offered 80% of the ransom payments in exchange for executing attacks using the group’s customized tools. They are also given the flexibility to adjust various aspects of the ransomware, such as encryption parameters and ransom notes, to suit the target. This approach has allowed DragonForce to scale its operations, making it a significant threat to various organizations globally.
In addition to the ransomware itself, DragonForce employs a double extortion strategy, which involves not only encrypting a victim’s data but also exfiltrating sensitive information with the threat of making it public. This tactic adds considerable pressure on victims, who face the risk of reputational damage, financial loss, and compromised business continuity if the stolen data is leaked. This combination of encryption and data theft is a key element of DragonForce’s attack methodology, amplifying the urgency for victims to pay the ransom to prevent further damage.
Over the past year, Group-IB has tracked DragonForce’s attacks on 82 victims, primarily in the U.S., U.K., and Australia. Some of the group’s notable past targets include Yakult Australia, the Ohio Lottery, and the government of Palau. While Group-IB has not attributed the attacks to any specific country or individuals, there have been previous hints suggesting that DragonForce could be based in Malaysia. The group’s use of sophisticated tools, including the SystemBC backdoor, Mimikatz, and Cobalt Strike, underscores its formidable capabilities in targeting key industries and carrying out complex cyberattacks.