DragonForce Ransomware

Download 15+ pages of DragonForce's latest criminal behaviors, previous industry and geographic targets, exploited vulnerabilities, criminal associations, behaviors, and MITRE ATT&CK mappings.


About This Threat Profile

First Identified: 2023

Threat Type:
Ransomware-as-a-Service (RaaS); as of 2025 the group has been reported to operate a white-label cartel operation.

Extortion method:
Double extortion – combining the traditional ransomware extortion method (encryption) with exfiltration of the victim’s sensitive data; the group threatens to leak the data via a data leak site if the ransom demand is not paid.

Most frequently targeted industry:

  • Industrials (Manufacturing)

Most frequently targeted victim HQ region: United States, North America

Select MITRE ATT&CK Mappings

    • Initial Access
      • Valid accounts, exploitation of external remote services, vulnerability exploitation, social engineering (MITRE ATT&CK: T1078, T1133, T1190, T1566)
    • Persistence
      • Scheduled tasks, valid accounts, abuse of system processes, Registry Run keys, Startup Folder (MITRE ATT&CK: T1053, T1078, T1543, T1547)
    • Lateral Movement
      • Abuse of remote systems (MITRE ATT&CK: T1021)

Description

DragonForce ransomware was first identified in August 2023. DragonForce ransomware operated as a private group until June 2024, when the group advertised their affiliate program on the Russian-language cybercriminal forum, RAMP. The group reportedly offers 80% of a ransom payment to the affiliates.

Security researchers with Group-IB reported that each affiliate in the DragonForce operation receives a unique .onion address and a new profile created to grant the user access. The affiliate panel contains multiple sections for the affiliates, including:

  • Clients
  • Builder
  • My Team
  • Add Adver
  • Publications
  • Constructor
  • Rules
  • Blog
  • Profile

There is an even chance that the ransomware is related to the hacktivist group, “DragonForce Malaysia”, based on the groups’ 2023 claims that they were going to start a ransomware operation. The group reportedly made the announcement via their Telegram channel. However, this has yet to be confirmed. There is an even chance that another operation has adopted the name in an effort to evade detection and attribution.

DragonForce has two ransomware variants – one based on LockBit Ransomware and another based on the Conti Ransomware variant. The Conti fork of DragonForce renames files with a “.dragonforce_encrypted” extension; however, affiliates reportedly have the option to customize the extension.

The Conti version utilizes nearly the same encryption method as Conti, but DragonForce has some customizable values. For each file, the ChaCha8 key and IV are generated by the `CryptGenRandom()` function.

The ransomware includes the following command-line arguments:

  • -p: EncryptMode – path
  • -m: EncryptMode – all, local, net
  • -log: Specify log file
  • -size: Specify file encryption percentage
  • -nomutex: Do not create mutex

Additionally, there are three encryption types:

  • FULL_ENCRYPT: files with database extensions are fully encrypted
  • PARTLY_ENCRYPT: files with VM extensions are 20% encrypted.
  • HEADER_ENCRYPT: only the first [header_encrypt_size] bytes are encrypted.

There is reportedly little difference between the DragonForce variant based on the leaked builder of LockBit 3.0 and many other variants based on the same builder.

Similar to other operations, DragonForce deletes Shadow Copies, kills running processes, and abuses digitally signed but vulnerable drivers during reported incidents.

DragonForce operators and affiliates have been reported to have gained initial access via public-facing remote desktop servers and social engineering attacks. The group has been reported to utilize the “Bring Your Own Vulnerable Driver” (BYOVD) technique.

DragonForce has been reported to gain persistence in targeted networks by abusing valid accounts, manipulating Registry Run Keys, and creating new system processes and scheduled tasks.

DragonForce has been reported to conduct lateral movement via abusing RDP to access internal servers and move through the network and utilizing post-exploitation malware, such as Cobalt Strike.

DragonForce drops a ransom note for each victim and signs the note with “01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101”, which is the ASCII string “DragonForce” written out as 8-bit binary.
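The binary signature above is a convenient, low-cost indicator for note triage. The following is an added example, not code from the Blackpoint profile: it decodes the quoted octets back to ASCII (confirming they spell “DragonForce”) and scans note text for any run of 8-bit binary groups that decodes to that string. The sample note body is constructed for the example and is not the group's actual note; the function names are assumptions.

```python
# Added example (not from the Blackpoint profile): decode the binary
# signature quoted in the profile and scan text for it.
import re

# The signature exactly as quoted in the profile: 11 space-separated octets.
DRAGONFORCE_BINARY_SIGNATURE = (
    "01000100 01110010 01100001 01100111 01101111 01101110 "
    "01000110 01101111 01110010 01100011 01100101"
)

# Two or more 8-bit binary groups, optionally whitespace-separated.
_OCTET_RUN = re.compile(r"(?:[01]{8}\s*){2,}")


def decode_binary_octets(text: str) -> str:
    """Convert whitespace-separated 8-bit binary groups into an ASCII string."""
    return "".join(chr(int(octet, 2)) for octet in text.split())


def find_binary_signatures(note_text: str) -> list:
    """Decode every run of binary octets found in a note."""
    return [decode_binary_octets(m.group(0)) for m in _OCTET_RUN.finditer(note_text)]


def looks_like_dragonforce_note(note_text: str) -> bool:
    """True when some binary run in the note decodes to 'DragonForce'."""
    return any(s.strip() == "DragonForce" for s in find_binary_signatures(note_text))


# Constructed placeholder note (not the real ransom note text).
SAMPLE_NOTE = """Your files have been encrypted. Do not attempt recovery on your own.
Contact us through the portal given to you.
01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101
"""

if __name__ == "__main__":
    print(decode_binary_octets(DRAGONFORCE_BINARY_SIGNATURE))   # DragonForce
    print(looks_like_dragonforce_note(SAMPLE_NOTE))             # True
```

Decoding rather than matching the literal string means the check still fires if an affiliate re-spaces or re-wraps the octets, while an unrelated binary dump decodes to something else and is ignored.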

In June 2024, DragonForce reportedly released a recording of an intimidation call made to a purported victim. This indicates that the group likely calls victims after an attack in an attempt to apply additional pressure to pay the ransom demand.

In 2025, DragonForce was reported to have launched a white-label ransomware cartel operation. The group reportedly offers infrastructure, malware, and support services for affiliates to launch campaigns under their own brand in exchange for 20% of the ransom payment.

This type of business model will likely allow lower skill level threat actors to participate in ransomware campaigns without requiring the skill and resources to maintain their own infrastructure and malware.

Date published: November 6, 2024
Author: Blackpoint Cyber
