Acronis TRU analyzed DragonForce, a Conti-derived RaaS active since 2023 that has rebranded itself as a "ransomware cartel". It builds on leaked Conti code and uses BYOVD attacks with vulnerable drivers (truesight.sys, rentdrv2.sys) to disable security products and terminate protected processes. The group's affiliate model and its partnership with Scattered Spider (plus overlaps with LAPSUS$ and ShinyHunters) have produced over 200 public victims and spin-off variants such as Devman and Mamona/Global. #DragonForce #Conti #ScatteredSpider #truesight.sys #rentdrv2.sys
Keypoints
- DragonForce is a ransomware-as-a-service operation that emerged in 2023 and reuses leaked Conti v3 code and the LockBit 3.0 builder, so its routines and artifacts overlap with other families built from the same sources, such as LockBit Green.
- The group rebranded as a “ransomware cartel,” allowing affiliates to white-label payloads and operate under DragonForce infrastructure while keeping up to 80% of profits.
- DragonForce updated its encryptor to close the class of encryption weaknesses that had been publicly documented in Akira, consolidated the code base into MinGW builds, and encrypts files with ChaCha20 under RSA-wrapped keys while keeping its configuration in an encrypted blob.
- Operators use BYOVD (bring your own vulnerable driver) attacks: they load drivers such as truesight.sys and rentdrv2.sys and send them control codes through DeviceIoControl to forcibly terminate EDR and other security processes.
- Scattered Spider provides initial access (phishing, SIM swap, MFA bypass), deploys RMM/tunneling tools (ScreenConnect, AnyDesk, TeamViewer, Splashtop), and enables DragonForce deployments leading to high-profile victims (e.g., Marks & Spencer, Harrods).
- DragonForce’s affiliate ecosystem produced variants and linked families (Devman, Mamona/Global); builders and affiliate portals were observed, and leak-site defacements/hostile actions against rival groups were used to assert dominance.
- More than 200 victims across retail, airlines, insurance, MSPs, and enterprise sectors have been posted on DragonForce’s leak site since late 2023, indicating ongoing active operations.
MITRE Techniques
- [T1566] Phishing – Scattered Spider uses spear-phishing and vishing to obtain credentials and bypass MFA (“…spear-phishing emails and voice phishing (vishing) to obtain and / or reset victim credentials and bypass MFA…”).
- [T1621] Multi-Factor Authentication Request Generation / [T1111] Multi-Factor Authentication Interception – MFA fatigue (push bombing) and SIM swaps used to defeat multifactor protections; note that this is not password brute forcing (“…bypass MFA through convincing lures, multifactor authentication fatigue or SIM swaps…”).
- [T1219] Remote Access Software – Deployment of remote monitoring and management tools such as ScreenConnect, AnyDesk, TeamViewer and Splashtop, plus tunneling services, to maintain access (“…Scattered Spider deploys remote monitoring and management (RMM) tools or tunneling services…”).
- [T1083] File and Directory Discovery – Extensive discovery of SharePoint, credential stores, VMware vCenter, backups and VPN documentation for lateral movement (“…conducts extensive discovery, focusing on SharePoint, credential stores, VMware vCenter infrastructure, backup systems and documentation related to VPN setup and access.”).
- [T1135] Network Share Discovery – Scanning local network and SMB shares to find resources to encrypt (“…will not only enumerate and encrypt local filesystems, but will also scan the local network looking for shared resources through SMB.”).
- [T1041] Exfiltration Over Web Service – Aggregated data exfiltrated to attacker-controlled MEGA or Amazon S3 storage (“…exfiltrated to attacker-controlled MEGA or Amazon S3 storage.”).
- [T1562.001] Impair Defenses: Disable or Modify Tools – BYOVD via vulnerable drivers (truesight.sys, rentdrv2.sys) to terminate security/EDR processes before encryption (“…by sending the proper control codes to those drivers through DeviceIoControl, operators can cause the drivers to terminate specified processes.”).
- [T1486] Data Encrypted for Impact – Ransomware encrypts Windows, Linux, and ESXi systems using a per-file ChaCha20 key wrapped with the operator's RSA public key and prepended to the encrypted file (“…a single ChaCha20 encryption key generated for each file, that is then encrypted using a public RSA key and appended at the beginning of the resulting file.”).
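The BYOVD tradecraft described in the key points and in the technique list above (a vulnerable driver is registered and loaded, then asked through DeviceIoControl to kill security processes) leaves a short telemetry sequence that a SOC can correlate: a driver-load event for a watch-listed file name, usually preceded by a service-creation command line, followed within minutes by the termination of security-product processes. The Python below is an added example of that correlation over constructed Sysmon-style records; it is not Acronis code. The event-record layout, the list of security-product image names, and the five-minute window are assumptions made for the example, and only the two driver names come from the report.

```python
"""Hunt for BYOVD-style EDR termination in Sysmon-like event records.

Added example, not code from the Acronis report. Event IDs follow Sysmon:
1 = ProcessCreate, 5 = ProcessTerminate, 6 = DriverLoad. The record
schema is a simplified stand-in for real exported telemetry.
"""
from __future__ import annotations

import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Driver file names the Acronis report says DragonForce affiliates abuse.
VULNERABLE_DRIVERS = {"truesight.sys", "rentdrv2.sys"}

# Security-product image names to watch. Assumed list for illustration;
# replace with the EDR/AV binaries actually deployed in your estate.
SECURITY_PROCESSES = {
    "msmpeng.exe", "mssense.exe", "csfalconservice.exe",
    "sentinelagent.exe", "cyserver.exe",
}

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T10:00:00", "host": "WS01", "event_id": 1,
     "image": r"C:\Windows\System32\sc.exe",
     "command_line": r"sc create rentdrv2 type= kernel binPath= C:\Temp\rentdrv2.sys"},
    {"ts": "2025-06-01T10:00:02", "host": "WS01", "event_id": 6,
     "image_loaded": r"C:\Temp\rentdrv2.sys"},
    {"ts": "2025-06-01T10:00:05", "host": "WS01", "event_id": 5,
     "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"ts": "2025-06-01T10:00:06", "host": "WS01", "event_id": 5,
     "image": r"C:\Program Files\CrowdStrike\CSFalconService.exe"},
    # Benign noise on another host: a normal driver load and an unrelated exit.
    {"ts": "2025-06-01T10:01:00", "host": "WS02", "event_id": 6,
     "image_loaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"ts": "2025-06-01T10:01:10", "host": "WS02", "event_id": 5,
     "image": r"C:\Windows\System32\notepad.exe"},
    # Defender exits on WS02 without a preceding vulnerable driver: not flagged.
    {"ts": "2025-06-01T10:02:00", "host": "WS02", "event_id": 5,
     "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def is_vulnerable_driver_load(event: dict) -> bool:
    """True for a DriverLoad (EID 6) whose file name is on the BYOVD watch list."""
    return event["event_id"] == 6 and _basename(event["image_loaded"]) in VULNERABLE_DRIVERS


def find_driver_installs(events: list[dict]) -> list[tuple[str, str]]:
    """(host, driver) pairs where an EID 1 command line registers a watch-listed driver as a service."""
    hits = []
    for e in events:
        if e["event_id"] != 1:
            continue
        cmd = e.get("command_line", "").lower()
        for drv in sorted(VULNERABLE_DRIVERS):
            if " create " in f" {cmd} " and drv in cmd:
                hits.append((e["host"], drv))
    return hits


def find_byovd_kills(events: list[dict], window_seconds: int = 300) -> list[dict]:
    """Per host, pair each vulnerable driver load with security-process
    terminations that follow it within window_seconds."""
    by_host: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        for e in evs:
            if not is_vulnerable_driver_load(e):
                continue
            t0 = datetime.fromisoformat(e["ts"])
            deadline = t0 + timedelta(seconds=window_seconds)
            killed = [
                _basename(k["image"]) for k in evs
                if k["event_id"] == 5
                and t0 <= datetime.fromisoformat(k["ts"]) <= deadline
                and _basename(k["image"]) in SECURITY_PROCESSES
            ]
            if killed:
                findings.append({"host": host, "driver": _basename(e["image_loaded"]),
                                 "loaded_at": e["ts"], "killed": killed})
    return findings


if __name__ == "__main__":
    for hit in find_byovd_kills(SAMPLE_EVENTS):
        print(f"[BYOVD] {hit['host']}: {hit['driver']} loaded at {hit['loaded_at']}, "
              f"then killed {', '.join(hit['killed'])}")
    for host, drv in find_driver_installs(SAMPLE_EVENTS):
        print(f"[service install] {host}: {drv}")
```

The driver-load event is the high-confidence signal; the process terminations within the window turn it into an incident rather than a curiosity, and the service-install command line tells you which account and parent process staged the driver. Matching on file name alone is deliberately loose (operators rename drivers), so in production pair it with the driver's signing hash against a blocklist such as Microsoft's vulnerable driver blocklist or the community-maintained LOLDrivers list.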
Indicators of Compromise
- [File Hashes] PE and ELF samples – PE (the source runs four 64-hex-character hashes together; they are split here, and the last one is truncated in the source): 4db090498a57b85411417160747ffd8d4875f98b3ca2b83736a68900b7304d2b, f58af71e542c67fbacf7acc53a43243a5301d115eb41e26e4d5932d8555510d0, e4c44d0f462fce02b2c31555b12c022cdd6eae6492fd3a122e32e105fc5a54f8, f5df98b344242c5eaad1fce… (full hash listed in article). ELF: 8e8f463c37ea7133194731bfe4490e6713dd0133f30fe08a6d069d10fa7db2c69.
- [Driver Filenames] Vulnerable drivers used for BYOVD – truesight.sys, rentdrv2.sys (loaded by the operator and driven through DeviceIoControl control codes to terminate processes; treat any load of these file names outside a vendor install path as suspect).
- [Ransom Note / Onion Domains] Leak site and negotiation links – DragonForce leak/blog onion: z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion and victim access onion: 3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion (listed in ransom note examples).
- [Ransom Note Content] Ransom note identifiers and contact – Unique ID example: F744871F84DDF60CF744871F84DDF60C; Tox contact hex string and deletion deadlines visible in posted ransom notes.
Read more: https://www.acronis.com/en/tru/posts/the-dragonforce-cartel-scattered-spider-at-the-gate/