DragonForce: Emerging Threat Leverages LockBit and Conti Code

Published on
September 26, 2024

Emerging ransomware operator DragonForce is reusing and customizing ransomware builders that have leaked, a growing trend among modern ransomware operators. Over the past year, the group targeted 82 victims, primarily in the U.S., U.K., and Australia, The Record reports.

The Halcyon Recent Ransomware Attacks resource website is tracking dozens of attacks by DragonForce across multiple regions and industry verticals stretching back to early April 2024.

While DragonForce has not been attributed to any specific nation, previous reports suggest the group could be based in Malaysia.

Takeaway: According to the Power Rankings: Ransomware Malicious Quartile report,  DragonForce has emerged as a significant player in the cybercriminal landscape, operating a highly sophisticated Ransomware-as-a-Service (RaaS) platform, constructed using a leaked builder from the notorious LockBit ransomware group.  

This platform enables DragonForce to execute highly targeted and disruptive attacks, demonstrating a level of operational expertise that makes them particularly dangerous. Their ability to infiltrate systems, remain undetected, and unleash ransomware at precisely the right moment shows an impressive mastery of stealth and evasion tactics.

The platform is engineered with advanced features, allowing DragonForce to bypass conventional security defenses through encryption and stealth techniques that evade detection by traditional monitoring tools.  

These techniques make it challenging for security teams to identify their activities before the ransomware is deployed. Leveraging LockBit’s robust architecture, DragonForce targets large, high-value organizations across various industries, maximizing the impact of their attacks.

One of DragonForce's most notable innovations is their adoption of LockBit’s powerful double extortion strategy. In this model, they not only encrypt the victim’s data but also exfiltrate sensitive information, threatening to publicly leak it unless their demands are met.  

This dual pressure significantly increases the likelihood that victims will pay, further enhancing the group's success rate. Additionally, they utilize LockBit’s fast encryption algorithms, which can lock down large volumes of data rapidly, making it harder for organizations to respond in time to mitigate the damage.

DragonForce has further advanced their platform by integrating enhanced data exfiltration and advanced evasion techniques. These enhancements make their attacks more difficult to detect, even with modern security tools in place.  

By focusing on refining their approach, DragonForce continuously evolves into a more adaptable and resilient operation, maintaining their edge in the highly competitive ransomware ecosystem. Their commitment to innovation suggests that they prioritize staying ahead of evolving security measures, increasing the complexity and impact of their attacks.

Organizationally, DragonForce runs like a well-structured business, with a strong emphasis on recruitment and support for their affiliates. By providing technical expertise, ongoing development, and support for their affiliate network,  DragonForce ensures that their ransomware operations run smoothly and efficiently.

Their RaaS model allows less skilled cybercriminals to execute high-impact ransomware attacks using DragonForce’s platform, further expanding their reach. A key driver of their success is their focus on research and development. DragonForce invests heavily in refining their platform, continually integrating new tools and methodologies to enhance their operations.  

This includes the development of custom encryption techniques and more sophisticated evasion methods, allowing them to keep pace with, and often surpass, the capabilities of modern cybersecurity defenses. Their commitment to innovation and adaptability helps them to maintain a competitive edge, ensuring the longevity and growth of their operation.

In the first three quarters of 2024 alone, DragonForce has been exceptionally active, launching numerous high-profile attacks. Their success rate is significant, as evidenced by the sheer number of well-known organizations that have fallen victim to their attacks.  

Some of their most notable targets include Seafrigo Group, the Ohio Lottery, Yakult Australia, and Coca-Cola Singapore. Although ransom amounts are not always disclosed, it is clear that DragonForce aims for substantial payouts, primarily focusing on high-value organizations to maximize their demands and profits.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.

See Halcyon in action

Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!

1
2
3
Let's get started
1
1
2
3
1
1
2
2
3
Back
Next
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.