Summary: DragonForce ransomware is rapidly expanding its Ransomware-as-a-Service (RaaS) operations, posing a significant global threat to businesses through sophisticated double extortion tactics. Companies are urged to enhance their cybersecurity measures to protect against these evolving ransomware attacks.
Threat Actor: DragonForce
Victim: Various businesses
Key Points:
- DragonForce employs a dual ransomware strategy, utilizing variants of LockBit and ContiV3 to exploit vulnerabilities in targeted sectors.
- The group’s RaaS model allows affiliates to customize attacks, enhancing their ability to evade detection and maximize damage.
- Between August 2023 and August 2024, DragonForce targeted 82 victims, primarily in the U.S., with a focus on the manufacturing, real estate, and transportation industries.
- To combat these threats, businesses should implement multi-factor authentication, early detection systems, regular backups, and employee training on cybersecurity awareness.
DragonForce ransomware is expanding its RaaS operation and becoming a global cybersecurity threat against businesses. Companies must implement strong cybersecurity strategies to defend against this growing ransomware attack and avoid becoming victims.
Ransomware attacks are growing, leaving organizations vulnerable to new and more sophisticated threats. According to Group-IB’s Hi-Tech Crime Trends 2023/2024 report, ransomware incidents could cause even greater damage in 2024.
One of the most significant emerging threats is the DragonForce ransomware group, which leverages a Ransomware-as-a-Service (RaaS) affiliate program, employing variants of well-known ransomware families to wreak havoc on targeted industries.
DragonForce: A Dual-Ransomware Threat
The DragonForce ransomware group emerged in August 2023, deploying a variant based on LockBit 3.0, a notorious ransomware strain. However, by July 2024, the group introduced a second variant, initially claimed to be their original creation but later found to be a fork of ContiV3 ransomware. These dual ransomware versions are used to exploit vulnerabilities in companies, particularly in sectors like manufacturing, real estate, and transportation.
DragonForce’s attack strategy revolves around double extortion—encrypting data and threatening to leak it unless a ransom is paid. This adds immense pressure on victims to comply, fearing not only operational disruption but also the reputational damage that could arise from exposed sensitive information.
Advanced Tactics for Maximum Damage
According to Group-IB’s research shared with Hackread.com ahead of publication on Wednesday, the DragonForce ransomware gang’s operations are highly customizable, allowing affiliates to configure attacks based on the type of victim.
With its RaaS affiliate program, launched on June 26, 2024, DragonForce ransomware offers attackers the ability to personalize ransomware payloads. Affiliates can disable security features, set encryption parameters, and even customize ransom notes. In return, affiliates receive 80% of any ransom collected.
DragonForce employs a variety of advanced techniques for evasion and persistence. One of their key tactics is “Bring Your Own Vulnerable Driver” (BYOVD), where affiliates use vulnerable drivers to disable security processes and evade detection. Additionally, they clear Windows Event Logs after encryption to hinder forensic investigations.
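As an added detection example (not part of the original article or Group-IB's research), the Python below correlates the two behaviours just described: a kernel driver installed from an unusual path, followed by event logs being cleared on the same host. Event IDs 7045, 1102 and 104 are the standard Windows IDs; the JSON field names, the sample events and the 24-hour window are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not from the report). Field names are assumed,
# modelled on a JSON-lines export from a Windows event forwarder.
SAMPLE = r'''
{"time":"2024-09-01T02:10:05","host":"WS-014","channel":"System","event_id":7045,"service_type":"kernel mode driver","image_path":"C:\\Users\\Public\\drv.sys"}
{"time":"2024-09-01T02:41:30","host":"WS-014","channel":"Security","event_id":1102}
{"time":"2024-09-01T02:41:31","host":"WS-014","channel":"System","event_id":104}
{"time":"2024-09-01T09:00:00","host":"WS-020","channel":"System","event_id":7045,"service_type":"kernel mode driver","image_path":"\\SystemRoot\\System32\\drivers\\nicdrv.sys"}
{"time":"2024-09-02T11:00:00","host":"SRV-03","channel":"Security","event_id":1102}
'''

LOG_CLEARED = {("Security", 1102), ("System", 104)}  # audit log / event log cleared
WINDOW = timedelta(hours=24)  # assumed correlation window

def is_driver_install(ev):
    # 7045 = "A service was installed"; kernel drivers carry this service type.
    return (ev["channel"], ev["event_id"]) == ("System", 7045) and \
        ev.get("service_type", "").lower() == "kernel mode driver"

def outside_driver_dir(path):
    # Heuristic only: a vulnerable driver is validly signed, so location is a weak signal.
    return "system32\\drivers\\" not in path.lower()

def detect(lines):
    events = [json.loads(l) for l in lines.splitlines() if l.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["time"])
    events.sort(key=lambda e: e["ts"])
    findings, last_odd_driver = [], {}
    for ev in events:
        host = ev["host"]
        if is_driver_install(ev) and outside_driver_dir(ev.get("image_path", "")):
            last_odd_driver[host] = ev["ts"]
            findings.append((host, "driver_from_unusual_path", "medium"))
        elif (ev["channel"], ev["event_id"]) in LOG_CLEARED:
            seen = last_odd_driver.get(host)
            if seen is not None and ev["ts"] - seen <= WINDOW:
                findings.append((host, "driver_install_then_log_clear", "high"))
            else:
                findings.append((host, "event_log_cleared", "medium"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

Because logs are cleared on the endpoint itself, this correlation only works when events are forwarded off-host before the clearing happens.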
For lateral movement, the group uses tools like Cobalt Strike and SystemBC, both of which allow them to harvest credentials and persist in networks. They also use network scanning tools like SoftPerfect Network Scanner to map out networks, helping spread the ransomware to as many devices as possible.
Targeted Attacks and Global Reach
Between August 2023 and August 2024, DragonForce listed 82 victims on its dark web leak site. Most attacks were concentrated in the U.S. (52.4%), followed by the U.K. and Australia. The manufacturing sector suffered the highest number of attacks, with real estate and transportation industries close behind.
In addition to their use of ContiV3 and LockBit variants, DragonForce’s ability to adapt to new affiliate demands makes them a rapidly growing threat. By targeting high-revenue companies and critical sectors, they continue to increase their foothold in the cybercrime infrastructure.
What Can Businesses Do?
To combat these sophisticated attacks, businesses need to adopt more proactive and layered security measures. Here are some critical steps:
- Multi-Factor Authentication (MFA): Adding additional authentication layers makes it harder for attackers to compromise credentials.
- Early Detection: Use behavioural detection tools such as Endpoint Detection and Response (EDR) to identify suspicious activity early.
- Backup Strategy: Regular backups reduce the impact of ransomware by ensuring data can be recovered without paying ransom.
- Patch Vulnerabilities: Regularly patching known vulnerabilities prevents ransomware from exploiting outdated systems.
- Employee Training: Training employees to recognize phishing and other malicious tactics can prevent initial infiltration.
- Avoid Paying the Ransom: Paying ransom often leads to more attacks, as it signals vulnerability to other cybercriminals.
While DragonForce ransomware expands its RaaS operation, businesses must remain alert and implement proper cybersecurity strategies to avoid becoming victims of this and other dangerous threats.
Source: https://hackread.com/dragonforce-ransomware-expands-raas-targets-firms