LOCKBIT Black’s Legacy: Unraveling the DragonForce Ransomware Connection

Cyble CRIL identified a DragonForce ransomware binary that matches code and structure from a leaked LOCKBIT Black builder, indicating the builder was likely used to generate the DragonForce payload. The ransomware kills AV/backup processes and services, encrypts files with the .AoVOpni2N extension, and drops AoVOpni2N.README.txt while publishing stolen data on a leak site. #DragonForce #LOCKBITBlack

Keypoints

  • CRIL found a DragonForce binary with strong code similarities to binaries produced by the leaked LOCKBIT Black builder.
  • The LOCKBIT builder (shared publicly in Sept 2022) includes a configurable config.json enabling custom payload settings (encryption mode, exclusions, ransom note template).
  • BinDiff analysis revealed structural and functional matches between a builder-generated sample and the DragonForce sample, supporting reuse of the leaked builder.
  • On execution, the ransomware terminates a long list of processes (e.g., oracle, firefox, outlook, winword) and services (e.g., sophos, veeam, backup) so that files held open by those applications can be encrypted and protection or backup tooling cannot interfere.
  • Files are renamed to a random string with the .AoVOpni2N extension; a ransom note named AoVOpni2N.README.txt is dropped in each folder.
  • DragonForce implements double extortion: data exfiltration followed by encryption and public leaking if demands are not met.
  • Cyble published YARA detection strings for DragonForce memory strings (e.g., “.onion”, “shadowcopy”, “DO NOT DELETE readme”).

MITRE Techniques

  • [T1204.002] User Execution – Ransomware delivered as a malicious file requiring execution; quote: ‘Malicious file.’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Ransomware disables endpoint defenses to avoid detection; quote: ‘Ransomware disables Windows Defender.’
  • [T1070.004] Indicator Removal on Host: File Deletion – Ransomware removes traces of itself post-execution; quote: ‘Ransomware deletes itself after execution.’
  • [T1083] File and Directory Discovery – Ransomware enumerates directories to locate and encrypt target files; quote: ‘Ransomware enumerates folders for file encryption and file deletion.’
  • [T1486] Data Encrypted for Impact – Ransomware encrypts files to extort victims; quote: ‘Ransomware encrypts the data for extortion.’

Indicators of Compromise

  • [SHA256] DragonForce sample – 1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b
  • [SHA1] DragonForce sample – e164bbaf848fa5d46fa42f62402a1c55330ef562
  • [MD5] DragonForce sample – d54bae930b038950c2947f5397c13f84
  • [File name / Extension] Encrypted files and ransom note – files renamed with extension .AoVOpni2N and ransom note AoVOpni2N.README.txt
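A file-system sweep for the indicators listed above, as an added example that is not part of Cyble's analysis: it hashes every file against the published digests, flags renamed files by the .AoVOpni2N extension (the original name is gone, so the extension is the only reliable marker) and ransom notes by their fixed name, and counts the folders that received a note. The demo tree, file names and the "payload" bytes are constructed for the demo and do not hash to the real sample.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators from the analysis above. Hash sets are kept mutable so a
# responder can append digests of further samples.
IOC_HASHES = {
    "sha256": {"1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b"},
    "sha1": {"e164bbaf848fa5d46fa42f62402a1c55330ef562"},
    "md5": {"d54bae930b038950c2947f5397c13f84"},
}
ENCRYPTED_EXT = ".AoVOpni2N"
RANSOM_NOTE = "AoVOpni2N.README.txt"


def hash_file(path, chunk_size=1 << 20):
    """Return md5/sha1/sha256 hex digests of one file, read once in chunks."""
    hashers = {alg: hashlib.new(alg) for alg in IOC_HASHES}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def sweep(root, ioc_hashes=IOC_HASHES):
    """Walk a tree and collect DragonForce artefacts.

    Every file is hashed against the IOC digests. Encrypted files are
    recognised by extension only, because the original name is replaced by
    a random string; ransom notes are recognised by their fixed name.
    """
    findings = {"hash_match": [], "encrypted": [], "ransom_note": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            digests = hash_file(path)
            if any(digests[alg] in known for alg, known in ioc_hashes.items()):
                findings["hash_match"].append(str(path))
            if name == RANSOM_NOTE:
                findings["ransom_note"].append(str(path))
            elif path.suffix == ENCRYPTED_EXT:
                findings["encrypted"].append(str(path))
    return findings


def affected_folders(findings):
    """Folders holding a note: one note per folder makes this the set of
    directories the encryptor actually walked."""
    return sorted({str(Path(p).parent) for p in findings["ransom_note"]})


def build_demo_tree(root):
    """Constructed sample tree, not victim data: a clean document, two
    renamed-and-encrypted files and a note in each touched folder."""
    root = Path(root)
    docs = root / "docs"
    archive = docs / "archive"
    archive.mkdir(parents=True, exist_ok=True)
    (docs / "quarterly.docx").write_bytes(b"clean document, untouched")
    (docs / ("Xk9fQ2ab" + ENCRYPTED_EXT)).write_bytes(os.urandom(64))
    (docs / RANSOM_NOTE).write_text("constructed note body\n")
    (archive / ("p3LmZ0qr" + ENCRYPTED_EXT)).write_bytes(os.urandom(64))
    (archive / RANSOM_NOTE).write_text("constructed note body\n")
    return root


def run_demo(plant_payload=False):
    """Build the demo tree in a temp dir, sweep it and return counts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(tmp)
        hashes = {alg: set(v) for alg, v in IOC_HASHES.items()}
        if plant_payload:
            # Stand-in for the dropped binary (constructed bytes, not the real
            # sample); its digest is registered so the hash path is exercised.
            payload = b"constructed payload bytes, not the real sample"
            (root / "docs" / "update.exe").write_bytes(payload)
            hashes["sha256"].add(hashlib.sha256(payload).hexdigest())
        findings = sweep(root, hashes)
        return {
            "encrypted": len(findings["encrypted"]),
            "ransom_note": len(findings["ransom_note"]),
            "hash_match": len(findings["hash_match"]),
            "folders": len(affected_folders(findings)),
        }


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(plant_payload=True))
```

Hashing every file is deliberate: the dropped binary can carry any name, so a name filter alone would miss it, while the extension and note checks cost nothing extra on the same walk.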

Cyble CRIL located a DragonForce ransomware binary that matches binaries produced by the publicly leaked LOCKBIT Black builder. Static and BinDiff comparisons show overlapping code structures and functions, and the leaked builder (posted in Sept 2022) includes a config.json enabling attackers to set encryption modes, filename encryption, impersonation, file/folder exclusions, regional exclusions, and a ransom note template.

During runtime the sample terminates numerous user applications and security/backup services (examples: oracle, firefox, outlook, winword; sophos, veeam, backup). Killing applications releases the file handles they hold so their documents and databases can be encrypted, and stopping AV and backup services removes both interference and recovery options. The malware then enumerates directories for targeted encryption, renames encrypted files to a random string appended with .AoVOpni2N, drops AoVOpni2N.README.txt in each folder, and uses double extortion: data is exfiltrated first and published on a leak site if demands are not met.
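The termination behaviour described above is a usable hunting signal. The following added example (not from the original analysis) clusters process and service stop events in a time window and alerts when several distinct targets from the page's kill list stop within seconds of each other; a user closing one application now and then never accumulates enough distinct targets. The event feed, the 30-second window and the threshold of four are constructed assumptions, not values from the report.

```python
from datetime import datetime, timedelta

# Process and service names the page lists as termination targets. Matching
# is a case-insensitive substring test so "firefox.exe" and
# "Veeam Backup Service" both hit.
KILL_PROCESSES = ("oracle", "firefox", "outlook", "winword")
KILL_SERVICES = ("sophos", "veeam", "backup")

# Constructed event feed (not a real log): "<ISO time> <process|service> <name>",
# the shape you would get by flattening Sysmon EID 5 (process terminated) and
# System EID 7036 (service entered the stopped state).
SAMPLE_EVENTS = """\
2024-04-16T10:02:01Z process firefox.exe
2024-04-16T10:02:01Z process OUTLOOK.EXE
2024-04-16T10:02:02Z service Veeam Backup Service
2024-04-16T10:02:02Z process WINWORD.EXE
2024-04-16T10:02:03Z service Sophos MCS Client
2024-04-16T10:02:03Z process oracle.exe
2024-04-16T10:02:04Z process notepad.exe
2024-04-16T10:45:10Z process firefox.exe
2024-04-16T11:10:00Z service Veeam Backup Service
"""


def parse_events(text):
    """Parse the feed into (timestamp, kind, name) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, name = line.split(" ", 2)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, name))
    events.sort(key=lambda e: e[0])
    return events


def is_target(kind, name):
    """True if the stopped process/service is on the ransomware's kill list."""
    needles = KILL_PROCESSES if kind == "process" else KILL_SERVICES
    lowered = name.lower()
    return any(n in lowered for n in needles)


def detect_bursts(events, window=timedelta(seconds=30), threshold=4):
    """Greedy time-window clustering of kill-list terminations.

    A cluster opens at the first target hit and absorbs every later target
    hit within `window` of that first hit. A cluster raises an alert when it
    contains at least `threshold` distinct names.
    """

    def cluster_alert(cluster):
        names = sorted({name for _, _, name in cluster})
        if len(names) >= threshold:
            return {"start": cluster[0][0], "end": cluster[-1][0], "names": names}
        return None

    alerts = []
    cluster = []
    for ts, kind, name in events:
        if not is_target(kind, name):
            continue
        if cluster and ts - cluster[0][0] > window:
            alert = cluster_alert(cluster)
            if alert:
                alerts.append(alert)
            cluster = []
        cluster.append((ts, kind, name))
    if cluster:
        alert = cluster_alert(cluster)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"{a['start']:%H:%M:%S}-{a['end']:%H:%M:%S}: "
              f"{len(a['names'])} kill-list targets stopped: {', '.join(a['names'])}")
```

Counting distinct names rather than raw events matters: a crashing application that restarts and dies repeatedly produces many stop events for one name and should not trip the rule.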

Detection guidance published with the analysis includes a YARA rule targeting memory strings (e.g., “.onion”, “Client area”, “shadowcopy”, “DO NOT DELETE readme”, “encrypted with a strong algorithm”) and file hashes for known samples, to support IOC-based detection and hunting.
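As an added example (not Cyble's published rule), the strings quoted above can be assembled into a YARA rule of the same shape and checked against a memory buffer in plain Python. The scan covers both ASCII and UTF-16LE because a running Windows process keeps its note text in wide form, so an ASCII-only search over a memory dump misses it. The "3 of" condition, the rule name and the sample memory buffer are assumptions made for this example.

```python
import re

# Strings the page reports from the published YARA rule.
STRINGS = [
    ".onion",
    "Client area",
    "shadowcopy",
    "DO NOT DELETE readme",
    "encrypted with a strong algorithm",
]
MIN_HITS = 3  # assumed threshold; the page does not state the rule's condition


def yara_rule(name="DragonForce_memory_strings", min_hits=MIN_HITS):
    """Emit a YARA rule with ascii/wide/nocase modifiers and an N-of condition."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(STRINGS, 1):
        lines.append(f'        $s{i} = "{s}" ascii wide nocase')
    lines += ["    condition:", f"        {min_hits} of ($s*)", "}"]
    return "\n".join(lines)


def find_strings(buf):
    """Return {string: [offsets]} for case-insensitive ASCII and UTF-16LE hits.

    Each ASCII letter of a UTF-16LE string is one byte followed by NUL, so
    IGNORECASE on the escaped byte pattern still applies per letter.
    """
    hits = {}
    for s in STRINGS:
        offsets = []
        for enc in ("ascii", "utf-16-le"):
            pat = re.compile(re.escape(s.encode(enc)), re.IGNORECASE)
            offsets.extend(m.start() for m in pat.finditer(buf))
        if offsets:
            hits[s] = sorted(offsets)
    return hits


def matches(buf, min_hits=MIN_HITS):
    """Mirror the rule's 'N of ($s*)' condition: distinct strings found."""
    return len(find_strings(buf)) >= min_hits


# Constructed stand-in for a process memory region (not a real dump): a
# ransom-note fragment as UTF-16LE next to an ASCII URL and menu label.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + "Your files are encrypted with a strong algorithm. DO NOT DELETE readme"
      .encode("utf-16-le")
    + b"\x00" * 8
    + b"http://exampleaddressforthisdemo.onion/login  Client Area\n"
    + b"\x00" * 16
)
CLEAN_MEMORY = b"kernel32.dll\x00" + "Hello from a benign app".encode("utf-16-le")


if __name__ == "__main__":
    print(yara_rule())
    for s, offs in find_strings(SAMPLE_MEMORY).items():
        print(f"{s!r} at {offs}")
    print("sample matches:", matches(SAMPLE_MEMORY))
    print("clean matches:", matches(CLEAN_MEMORY))
```

For real use, feed the scan a memory dump or the output of a process-memory read rather than a file on disk: several of these strings are only assembled at runtime, which is why the rule targets memory in the first place.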

Read more: https://cyble.com/blog/lockbit-blacks-legacy-unraveling-the-dragonforce-ransomware-connection/