DragonForce is a ransomware-as-a-service (RaaS) affiliate program operating two variants—one based on LockBit3.0 and another based on ContiV3—and employs double extortion against 82 victims across multiple industries. It leverages BYOVD to disable security tools, exfiltrates data and publishes it on a dark web leak site, and uses tools like SystemBC, Mimikatz, and Cobalt Strike, with lateral movement often achieved through RDP; the affiliate program launched in June 2024 to expand its reach. #DragonForce #LockBit3.0 #ContiV3 #BYOVD #SystemBC
Keypoints
- DragonForce operates a Ransomware-as-a-Service (RaaS) affiliate program using two ransomware variants (LockBit3.0-based and ContiV3-based) and employs double extortion (encryption plus data leaks).
- The affiliate program launched on June 26, 2024, offering affiliates up to 80% of the ransom and tools for attack management, enabling customized ransomware samples and automation.
- BYOVD (Bring Your Own Vulnerable Driver) is used to terminate security tools, supported by extensive defense evasion and persistence techniques, including registry Run keys and Windows services.
- From August 2023 to August 2024, DragonForce targeted 82 victims across industries such as Manufacturing, Real Estate, and Transportation, with a significant number in the United States.
- DragonForce deployments involve SystemBC backdoors, Mimikatz for credential access, Cobalt Strike for post-exploitation, and network reconnaissance with tools like SoftPerfect Network Scanner.
- Attack techniques include initial access via public-facing services, lateral movement via RDP, C2 over HTTP, credential dumping, and extensive discovery and data encryption using df.exe with post-encryption log clearing.
MITRE Techniques
- [T1078] Valid Accounts – Initial access via a public-facing remote desktop server. ‘The initial access to the target network was through a public-facing remote desktop server. Suspicious login activity was observed involving three different IP addresses using valid domain accounts.’
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell is used to download and execute malicious payloads like Cobalt Strike. ‘PowerShell commands were executed on several hosts within the network. The purpose of these commands was to remotely download and execute a malicious payload, which was later identified as a Cobalt Strike beacon.’
- [T1078.002] Valid Accounts: Domain Accounts – Maintaining persistence by using compromised domain accounts. ‘They also identified compromised accounts that were used by the threat actor to maintain persistence, and move laterally within the organization.’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Registry keys used to ensure malware execution at startup (SystemBC persistence).
- [T1543.003] Create or Modify System Process: Windows Service – SystemBC creates services for persistence.
- [T1070.001] Indicator Removal: Clear Windows Event Logs – Clearing event logs after encryption to hinder forensics.
- [T1003.001] OS Credential Dumping: LSASS Memory – Mimikatz used to dump credentials; a file containing cleartext credentials was produced.
- [T1482] Domain Trust Discovery – Active Directory enumeration using ADFind; results saved for subnet discovery.
- [T1018] Remote System Discovery – Network reconnaissance to identify remote systems.
- [T1016] System Network Configuration Discovery – Collecting network configuration details for mapping.
- [T1082] System Information Discovery – Gathering system information for targeted attacks.
- [T1083] File and Directory Discovery – Discovering files and directories to locate data of value.
- [T1021.001] Remote Services: Remote Desktop Protocol – Lateral movement via RDP after initial access.
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication over HTTP.
- [T1486] Data Encrypted for Impact – Ransomware encrypts files across the network using df.exe.
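As an added example (not code from the Group-IB report), the following Python correlates simplified Windows Security, Sysmon and System event records against the techniques listed above: one account logging on over RDP from several source addresses or from a published indicator IP, Run-key writes, service installs outside C:\Windows, and Security log clearing. The event records, hostnames and account names are constructed; the field names are a simplification of the real event schemas.

```python
from collections import defaultdict

# Indicator IPs quoted in the summary above (page values, not constructed).
IOC_IPS = {"185.73.125.8", "94.232.46.202", "69.4.234.20", "2.147.68.96", "185.59.221.75"}

# Constructed sample records (simplified Windows Security / Sysmon / System events).
SAMPLE_EVENTS = [
    {"id": 4624, "host": "dc01", "user": "CORP\\jsmith", "src_ip": "203.0.113.5", "logon_type": 10},
    {"id": 4624, "host": "dc01", "user": "CORP\\jsmith", "src_ip": "198.51.100.9", "logon_type": 10},
    {"id": 4624, "host": "dc01", "user": "CORP\\jsmith", "src_ip": "185.73.125.8", "logon_type": 10},
    {"id": 4624, "host": "ws07", "user": "CORP\\svc_backup", "src_ip": "10.0.5.12", "logon_type": 10},
    {"id": 13, "host": "ws07", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\socks",
     "value": "C:\\ProgramData\\socks.exe"},
    {"id": 7045, "host": "ws07", "service": "socks", "image": "C:\\ProgramData\\socks.exe"},
    {"id": 7045, "host": "ws07", "service": "Spooler", "image": "C:\\Windows\\System32\\spoolsv.exe"},
    {"id": 1102, "host": "ws07", "user": "CORP\\jsmith"},
]

def rdp_logons_from_many_sources(events, threshold=3):
    """Accounts with RDP logons (type 10) from >= threshold distinct source IPs (T1078)."""
    sources = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 10:
            sources[e["user"]].add(e["src_ip"])
    return {u: sorted(ips) for u, ips in sources.items() if len(ips) >= threshold}

def ioc_ip_logons(events):
    """Logons whose source address is one of the published indicator IPs."""
    return [(e["user"], e["src_ip"]) for e in events if e["id"] == 4624 and e["src_ip"] in IOC_IPS]

def run_key_persistence(events):
    """Sysmon event 13 (registry value set) under a Run key (T1547.001)."""
    return [(e["host"], e["key"], e["value"]) for e in events
            if e["id"] == 13 and "\\currentversion\\run\\" in e["key"].lower()]

def suspicious_services(events):
    """Service installs (7045) whose binary is outside C:\\Windows (T1543.003)."""
    return [(e["host"], e["service"], e["image"]) for e in events
            if e["id"] == 7045 and not e["image"].lower().startswith("c:\\windows\\")]

def log_clearing(events):
    """Security log cleared (1102); the post-encryption step noted above (T1070.001)."""
    return [(e["host"], e["user"]) for e in events if e["id"] == 1102]

def triage(events):
    """Run every check; a host that appears in several findings deserves priority."""
    return {"multi_source_rdp": rdp_logons_from_many_sources(events),
            "ioc_logons": ioc_ip_logons(events), "run_keys": run_key_persistence(events),
            "services": suspicious_services(events), "log_cleared": log_clearing(events)}
```

On the sample data, ws07 shows up in three findings (Run key, non-standard service, log clearing) and jsmith in two, which is the kind of overlap that should move a host to the front of the queue.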
Indicators of Compromise
- [IP Addresses] C2 and intrusion indicators – 185.73.125.8, 94.232.46.202, 69.4.234.20, 2.147.68.96, 185.59.221.75
- [File Hashes] DragonForce-related payloads – socks.exe (97B70E89B5313612A9E7A339EE82AB67), df.exe (C111476F7B394776B515249ECB6B20E6), a65.exe (A50637F5F7A3E462135C0AE7C7AF0D91), netscanold.exe (BB7C575E798FF5243B5014777253635D)
Read more: https://www.group-ib.com/blog/dragonforce-ransomware