DragonForce Ransomware Claimed To Compromise Over 120 Victims in The Past Year


DragonForce, a sophisticated ransomware operation that emerged in fall 2023, has established itself as a formidable threat in the cybercriminal landscape by claiming over 120 victims across the past year.

Unlike traditional ransomware-as-a-service models, this threat actor has evolved into what security experts term a “ransomware cartel,” fundamentally changing how cybercriminal operations are structured and executed.

The group has demonstrated remarkable adaptability, initially operating with ransomware that shared characteristics with LockBit 3.0 before transitioning to a Conti variant during summer 2024.

DragonForce has strategically targeted organizations across diverse sectors including manufacturing, construction, technology, healthcare, and retail, with victims spanning the United States, Italy, and Australia.

Their ransom demands reflect sophisticated victim research, ranging from hundreds of thousands to millions of dollars, with one documented case demanding $7 million from a compromised organization.

Bitdefender researchers identified DragonForce’s unique operational model, which distinguishes it from conventional ransomware groups through its cartel-like structure and infrastructure provision services.

The group offers affiliates an unprecedented 80% profit share while providing comprehensive operational support including blog management, file servers, admin panels, 24/7 monitoring, and petabytes of storage capacity.

This approach allows DragonForce to maintain control over allied groups’ resources while eliminating potential competitors.

The threat actor has demonstrated concerning geopolitical connections, utilizing Russian-linked infrastructure and facing accusations from RansomHub members of associating with the FSB.

Their operational sophistication extends to their data leak site, which features victim listings, stolen data previews, and countdown timers for publication deadlines.

DragonForce banner (Source – Bitdefender)

Recent activities suggest DragonForce may be consolidating power within the ransomware ecosystem, potentially compromising rival groups including LockBit.

Advanced Evasion and Encryption Capabilities

DragonForce employs sophisticated technical mechanisms that enable persistent access and comprehensive system compromise.

The group exploits multiple critical vulnerabilities including CVE-2024-21412, CVE-2024-21887, and CVE-2024-21893 to establish initial footholds in target networks.

Their persistence strategy heavily relies on Living Off the Land techniques, leveraging legitimate executables such as Schtasks.exe and Taskkill.exe to maintain access while avoiding detection.

The ransomware’s encryption capabilities span multiple platforms with specialized variants for Windows, Linux, ESXi, BSD, and NAS systems.

Their encryptors support various encryption modes including band-pass, percentage, header, and normal encryption, with multithreading capabilities for enhanced performance.

Upon successful execution, the malware appends .dragonforce_encrypted extensions to compromised files.

The group has incorporated lessons from previous ransomware operations, particularly regarding GPU cluster decryption methods, to strengthen their encryption algorithms and file recovery prevention mechanisms across different operating systems.
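The two concrete indicators the article gives a defender, the abuse of Schtasks.exe and Taskkill.exe for persistence and defense evasion and the .dragonforce_encrypted extension, can be turned into a simple hunting rule. The script below is an added example written for this page, not Bitdefender's or the article's code; the log format, the trusted parent directories and the sample events are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the article.
LOLBINS = {"schtasks.exe", "taskkill.exe"}
ENCRYPTED_EXT = ".dragonforce_encrypted"
# Assumption: these LOLBins are normally launched by parents under these paths.
TRUSTED_PARENT_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
# Switches that change state: create/modify a task, force-kill by image name.
ACTION_FLAGS = {"schtasks.exe": ("/create", "/change"),
                "taskkill.exe": ("/f", "/im")}

# Constructed Sysmon-style process-creation records, one key=value event per line.
SAMPLE_LOG = r'''
ts=2025-05-01T09:14:02Z image=C:\Windows\System32\schtasks.exe parent=C:\Windows\Temp\svc.exe cmd="schtasks /create /tn Update /tr C:\Windows\Temp\svc.exe /sc onlogon"
ts=2025-05-01T09:14:05Z image=C:\Windows\System32\taskkill.exe parent=C:\Windows\Temp\svc.exe cmd="taskkill /f /im sqlservr.exe"
ts=2025-05-01T09:20:11Z image=C:\Windows\System32\schtasks.exe parent=C:\Windows\explorer.exe cmd="schtasks /query"
'''

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split one key=value record into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def flag_lolbin_events(log_text):
    """Return (ts, image, parent, cmd) for LOLBin runs that both change state
    and come from a parent outside the trusted directories."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        image = PureWindowsPath(ev.get("image", "")).name.lower()
        if image not in LOLBINS:
            continue
        cmd = ev.get("cmd", "").lower()
        parent = ev.get("parent", "").lower()
        action = any(flag in cmd.split() for flag in ACTION_FLAGS[image])
        untrusted_parent = not parent.startswith(TRUSTED_PARENT_DIRS)
        if action and untrusted_parent:
            hits.append((ev["ts"], image, parent, cmd))
    return hits

def find_encrypted_files(paths):
    """Return the paths carrying the extension the ransomware appends."""
    return [p for p in paths if p.lower().endswith(ENCRYPTED_EXT)]

if __name__ == "__main__":
    for hit in flag_lolbin_events(SAMPLE_LOG):
        print("suspicious LOLBin use:", hit)
```

The third sample event (a read-only `schtasks /query` from explorer.exe) is deliberately left unflagged so the rule shows both conditions at work.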



