DragonForce Ransomware has emerged as a notable threat, leveraging a leaked LockBit builder and a double-extortion model to steal data before encryption. It has attacked high-profile targets such as the Ohio Lottery and Aussizz Group, with victims publicly listed on a data leak site.
Key points
- DragonForce uses a leaked LockBit builder and a double extortion approach (data exfiltration followed by encryption) to maximize financial gain.
- Initial access commonly occurs via phishing and by exploiting vulnerabilities in Remote Desktop Protocol (RDP) and VPN services.
- The group’s victimology includes high-profile targets; its attack on the Ohio Lottery, the first known ransomware attack on that organization, stole hundreds of gigabytes of data and millions of records.
- Dozens of victims are publicly listed on the group’s data leak site, with the US as a primary target.
- A notable incident involved the Aussizz Group, exfiltrating and encrypting around 300 GB of data.
- Defensive guidance emphasizes anti-malware/EDR, MFA, backups, and SOCRadar’s Ransomware Check as part of a layered defense.
MITRE Techniques
- [T1566.001] Phishing – Initial access via phishing emails; ‘The initial infection vector often involves phishing emails or exploiting vulnerabilities in Remote Desktop Protocols (RDP) and Virtual Private Network (VPN) solutions.’
- [T1133] External Remote Services – Access gained by exploiting vulnerabilities in external remote services like RDP/VPN; ‘the initial infection vector often involves phishing emails or exploiting vulnerabilities in Remote Desktop Protocols (RDP) and Virtual Private Network (VPN) solutions.’
- [T1041] Exfiltration Over C2 – Data exfiltration used before encryption as part of double extortion; ‘exfiltrate data before encrypting it.’
- [T1486] Data Encrypted for Impact – Encryption of victim data to deny access; ‘encrypting it.’
Indicators of Compromise
- [Organization] Ohio Lottery – first known ransomware attack on the organization; 600 GB of data stolen, including 3 million records (names, emails, SSNs, etc.).
- [Organization] Aussizz Group – notable incident involving exfiltration and encryption of nearly 300 GB of data.
- [Country] Palau – government ransomware incident in March 2024 with ransom notes from two groups, LockBit and DragonForce.
- [Data] Data Leak Site Victims – 63 victims listed on the group’s data leak site, with public publication of victim files and deadlines.
- [Data] Victim Data Size – 600 GB stolen data (Ohio Lottery) and 300 GB (Aussizz Group) highlighted in the article.
Read more: https://socradar.io/dark-web-profile-dragonforce-ransomware/