DragonForce ransomware expands its RaaS operations, making it a global security threat that can target various industries.
Ransomware attacks are becoming more common, exposing enterprises to new and sophisticated cybersecurity threats. One example is the DragonForce ransomware gang, which currently uses a Ransomware-as-a-Service (RaaS) affiliate scheme and variants of well-known ransomware strains to cause damage to targeted businesses.
This ransomware gang first appeared in August last year with a variant based on LockBit 3.0. However, a couple of months ago, the organisation introduced a second strain, which it claimed was its own original design. Researchers later determined that the supposedly independent strain was in fact a fork of the ContiV3 ransomware.
Reports revealed that the authors of this malicious payload designed it to exploit corporate vulnerabilities. This group’s primary targeted industries include manufacturing, real estate, and transportation.
In addition, the group’s cyberattack method is based on double extortion. They encrypt the data of targeted entities and threaten to publish it unless a ransom is paid. This increases the pressure on victims to comply, since the attackers play on the fear that publishing sensitive information would cause operational disruption and reputational damage.
DragonForce ransomware gang’s RaaS operation is versatile, enabling its affiliates to tailor their payloads to their own intrusion workflow.
DragonForce ransomware group’s RaaS affiliate program, which began last June, allows attackers, especially affiliates, to personalise their ransomware payloads. According to investigations, affiliates can disable security measures, modify encryption parameters, and even generate personalised ransom letters. In exchange, affiliates receive 80% of any ransom collected.
DragonForce has multiple strategies for bypassing security detections and establishing persistence. One of its primary techniques is Bring Your Own Vulnerable Driver (BYOVD), in which its affiliates load vulnerable drivers to terminate security processes and evade detection. It also clears Windows Event Logs after encryption to hinder forensic investigation.
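Event log clearing is itself loud: Windows records it as Security event 1102 ("The audit log was cleared") and as event 104 from the Eventlog provider in the System log ("The <name> log file was cleared"). The following detection logic is an added example written for this article, not code from the article or from any DragonForce analysis; it runs over a handful of constructed event records in an assumed pipe-separated export format (timestamp, host, channel, event ID, message) and flags hosts where several logs are wiped within a short window, which is the pattern a post-encryption cleanup leaves behind.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Assumed export layout:
# "timestamp|host|channel|event_id|message", one event per line.
SAMPLE_EVENTS = """\
2024-06-01T02:14:03|FS01|Security|4624|An account was successfully logged on
2024-06-01T02:31:47|FS01|System|7045|A service was installed in the system
2024-06-01T03:05:10|FS01|Security|1102|The audit log was cleared
2024-06-01T03:05:12|FS01|System|104|The System log file was cleared
2024-06-01T03:05:12|FS01|System|104|The Application log file was cleared
2024-06-02T09:00:00|WS17|Security|1102|The audit log was cleared
"""

# Real Windows event IDs that record a log being cleared:
# 1102 in the Security log, 104 (Microsoft-Windows-Eventlog) in the System log.
LOG_CLEAR_EVENT_IDS = {1102, 104}


def parse_events(text):
    """Parse the pipe-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, channel, event_id, message = line.split("|", 4)
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "channel": channel,
            "event_id": int(event_id),
            "message": message,
        })
    return events


def cleared_log_name(event):
    """Name of the log that was wiped: 1102 always means Security;
    104 names the cleared log in its message text."""
    if event["event_id"] == 1102:
        return "Security"
    m = re.match(r"The (\S+) log file was cleared", event["message"])
    return m.group(1) if m else "unknown"


def find_log_clears(events):
    """Return every event that records a log being cleared."""
    return [e for e in events if e["event_id"] in LOG_CLEAR_EVENT_IDS]


def find_mass_clear_hosts(events, window=timedelta(minutes=5), min_logs=2):
    """Flag hosts where at least `min_logs` distinct logs were cleared
    within `window`. Returns {host: sorted list of cleared log names}."""
    by_host = defaultdict(list)
    for e in find_log_clears(events):
        by_host[e["host"]].append(e)

    flagged = {}
    for host, clears in by_host.items():
        clears.sort(key=lambda e: e["time"])
        for i, first in enumerate(clears):
            # Slide a window forward from each clear event.
            in_window = [c for c in clears[i:] if c["time"] - first["time"] <= window]
            logs = {cleared_log_name(c) for c in in_window}
            if len(logs) >= min_logs:
                flagged[host] = sorted(logs)
                break
    return flagged


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for e in find_log_clears(evts):
        print(f"{e['time']} {e['host']}: {cleared_log_name(e)} log cleared (event {e['event_id']})")
    print("mass-clear hosts:", find_mass_clear_hosts(evts))
```

A single 1102 on a workstation (WS17 above) may be an administrator tidying up and is worth a ticket; three logs wiped within seconds on a file server (FS01) is the signature worth paging on. Forwarding these events off-host, so that clearing the local log does not also destroy the alert, is the complementary control.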
For lateral movement on targeted entities, the group uses tools like Cobalt Strike and SystemBC, which allow them to steal credentials and persist in networks. They also employ network scanning programs such as SoftPerfect Network Scanner to map out networks, allowing the ransomware to spread to as many devices as possible.
RaaS has become a standard tool for a wide range of cybercriminals, including those who lack the expertise to run ransomware operations themselves. Organisations should therefore fortify their defences as this threat continues to grow.