DragonForce Ransomware

First Identified: 2023

Operation style:
Ransomware-as-a-Service (RaaS)

Extortion method:
Double extortion – combining the traditional ransomware extortion method (encryption) with exfiltration of victim’s sensitive data; the group threatens to leak the data via a data leak site if the ransom demand is not paid.

Most frequently targeted industry:

• Industrials (Manufacturing)

Most frequently targeted victim HQ region: United States, North America

Known Associations:

• Conti Ransomware
• DragonForce Malaysia
• LockBit 3.0 Ransomware

DragonForce ransomware was first identified in August 2023. DragonForce ransomware operated as a private group until June 2024 when the group advertized their affiliate program on the Russian-language cybercriminal forum, RAMP. The group reportedly offers 80% of a ransom payment to the affiliates.

Security researchers with Group-IB reported that each affiliate in the DragonForce operation receives a unique .onion address and a new profile created to grant the user access. The affiliate panel contains multiple sections for the affiliates, including:

• Clients
• Builder
• My Team
• Add Adver
• Publications
• Constructor
• Rules
• Blog
• Profile

There is an even chance that the ransomware is related to the hacktivist group, “DragonForce Malaysia”, based on the groups’ 2023 claims that they were going to start a ransomware operation. The group reportedly made the announcement via their Telegram channel. However, this has yet to be confirmed. There is an even chance that another operation has adopted the name in an effort to evade detection and attribution.

DragonForce has two ransomware variants – one based on LockBit Ransomware and another based on the Conti Ransomware variant. The Conti fork of DragonForce renames files with a “.dragonforce_encrypted” extension; however, affiliates reportedly have the option to customize the extension.

The Conti version utilizes nearly the same encryption method, but DragonForce has some customizable values. For each file, the ChaCha8 key and IV is generated by the `CryptGenRandom()` function.

The ransomware includes the following command-line arguments:

• -p: EncryptMode – path
• -m: EncryptMode – all, local, net
• -log: Specify log file
• -size: Specify file encryption percentage
• -nomutex: Do not create mutex

Additionally, there are three encryption types:

• FULL_ENCRYPT: files with database extensions are fully encrypted
• PARTLY_ENCRYPT: files with VM extensions are 20% encrypted.
• HEADER_ENCRYPT: only the first [header_encrypt_size] bytes are encrypted.

There is reportedly little difference between the DragonForce variant based on the leaked builder of LockBit 3.0 and many other variants based on the same builder.

Similar to other operations, DragonForce deletes Shadow Copies, kills running processes, and abuses digitally signed but vulnerable drivers during reported incidents.