A new report from Cyble Research & Intelligence Labs (CRIL) sheds light on the origins of DragonForce, a ransomware strain that emerged in late 2023. CRIL researchers found compelling evidence that DragonForce was built with a leaked version of the LOCKBIT Black ransomware builder. That builder surfaced on Twitter in September 2022, and it has since put a mature, configurable encryptor in the hands of less-skilled criminals, fueling a surge in ransomware attacks.
The LOCKBIT Legacy
LOCKBIT Black (also known as LockBit 3.0) is the third-generation payload of the notorious LockBit ransomware-as-a-service (RaaS) operation, which is responsible for numerous high-profile attacks. Its leaked builder is, in effect, a blueprint: from a set of configuration options it generates a ready-to-deploy encryptor and matching decryptor, so an operator can produce a "new" ransomware family without writing one. The DragonForce case demonstrates how threat actors exploit these leaked tools to wreak havoc without extensive technical expertise.
DragonForce: Tactics and Impact
DragonForce stands out for its double-extortion model. Before encrypting files, the attackers exfiltrate sensitive data and threaten to publish it on their dark web leak site if the ransom is not paid, so a victim who restores from backups is still exposed to the leak. This drastically increases pressure on victims. Since its emergence, DragonForce has already compromised over 25 organizations worldwide, highlighting its rapid spread.
Beyond its technical overlap with LOCKBIT Black, DragonForce exhibits other worrying traits:
- Process and Service Disruption: The encryptor terminates a list of system processes and services, which both weakens defenses and releases files those services hold open, so encryption runs faster and more completely.
- Distinctive File Renaming: Each encrypted file is renamed to a complex, randomly generated string followed by the “.AoVOpni2N” extension. The original name and type are no longer visible, which complicates triage and makes manual recovery impractical without the attackers' decryptor.
- Evolving Ransom Demands: The ransom note format suggests the operators are experimenting with ways to personalize demands for each victim.
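The two behaviours above, a burst of service and process terminations followed by mass renames to the “.AoVOpni2N” extension, are exactly what a defender can alert on. The script below is an added example written for this article, not code from Cyble or from the DragonForce or LockBit tooling. It scans constructed, pipe-delimited event lines (the log format, host names, file paths and the 60-second/3-event thresholds are all assumptions for illustration) and reports three things: renames that match the reported extension pattern as a family-specific indicator, and bursts of kill events and of renames as family-agnostic behavioural signals.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extension the Cyble report observed on DragonForce-encrypted files.
DRAGONFORCE_EXT = ".AoVOpni2N"
# Encrypted files get a random alphanumeric name plus that extension.
DRAGONFORCE_NAME_RE = re.compile(r"^[A-Za-z0-9]{6,}" + re.escape(DRAGONFORCE_EXT) + r"$")

# Constructed sample telemetry, not real data. Assumed line format:
#   ISO-8601 timestamp | host | event type | detail
SAMPLE_LOG = """
2024-05-01T09:00:01|WS01|SERVICE_STOP|MSSQLSERVER
2024-05-01T09:00:01|WS01|SERVICE_STOP|VSS
2024-05-01T09:00:02|WS01|SERVICE_STOP|BackupExecAgent
2024-05-01T09:00:02|WS01|PROCESS_KILL|sqlservr.exe
2024-05-01T09:00:05|WS01|FILE_RENAME|C:\\Finance\\Q1.xlsx -> C:\\Finance\\a1B2c3D4.AoVOpni2N
2024-05-01T09:00:05|WS01|FILE_RENAME|C:\\Finance\\Q2.xlsx -> C:\\Finance\\zZ9yX8w7.AoVOpni2N
2024-05-01T09:00:06|WS01|FILE_RENAME|C:\\HR\\payroll.docx -> C:\\HR\\Pq7Rs8Tu.AoVOpni2N
2024-05-01T10:30:00|WS02|FILE_RENAME|C:\\Users\\bob\\draft.txt -> C:\\Users\\bob\\final.txt
2024-05-01T10:31:00|WS02|SERVICE_STOP|Spooler
"""


def parse_log(text):
    """Turn pipe-delimited lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, kind, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": kind, "detail": detail})
    return events


def is_dragonforce_name(path):
    """Indicator check: does the file name look like <random>.AoVOpni2N?"""
    name = re.split(r"[\\/]", path)[-1]
    return bool(DRAGONFORCE_NAME_RE.match(name))


def detect_extension_renames(events):
    """Return (host, new_path) for renames whose target matches the pattern."""
    hits = []
    for e in events:
        if e["event"] != "FILE_RENAME" or " -> " not in e["detail"]:
            continue
        _old, new = e["detail"].split(" -> ", 1)
        if is_dragonforce_name(new):
            hits.append((e["host"], new))
    return hits


def detect_bursts(events, kinds, window_seconds, threshold):
    """Behavioural check: per host, the largest number of events of the given
    kinds inside any sliding window of window_seconds. Hosts at or above
    threshold are returned as (host, count)."""
    by_host = defaultdict(list)
    for e in events:
        if e["event"] in kinds:
            by_host[e["host"]].append(e["ts"])
    window = timedelta(seconds=window_seconds)
    hits = []
    for host, times in by_host.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((host, best))
    return hits


def analyze(log_text, window_seconds=60, threshold=3):
    """Run the indicator and both behavioural checks over one log text."""
    events = parse_log(log_text)
    return {
        "suspicious_renames": detect_extension_renames(events),
        "kill_bursts": detect_bursts(events, {"SERVICE_STOP", "PROCESS_KILL"},
                                     window_seconds, threshold),
        "rename_bursts": detect_bursts(events, {"FILE_RENAME"},
                                       window_seconds, threshold),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

In the sample, WS01 trips all three checks (four kill events and three pattern-matching renames inside a few seconds) while WS02's single legitimate rename and one service stop are ignored. The extension match is the cheap, precise signal but breaks as soon as the operator rebuilds with a new extension; the burst checks survive that change, which is why a production rule should carry both.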
A Murky Connection: Hacktivism and Ransomware
Interestingly, a Malaysia-based hacktivist group also operates under the name “DragonForce” and has a history of targeting organizations in the Middle East and Asia. While the shared name invites speculation, CRIL researchers stress that there is currently not enough evidence to link the hacktivist group to the DragonForce ransomware operation.
The Danger of Weaponized Malware
The DragonForce case underscores the escalating risk posed by leaked ransomware builders and other malware tooling. These tools lower the technical skill needed to launch devastating attacks, widening the pool of potential threat actors and amplifying the risk to businesses and critical infrastructure.
Defense Strategies in the Evolving Threat Landscape
- Proactive Patching: Exploited vulnerabilities, particularly in internet-facing systems, are a common initial-access route for ransomware. Prioritize security patches and software updates rigorously, starting with those exposed systems.
- Layered Security: Do not rely on a single control. Combine firewalls, endpoint protection and intrusion detection so that a bypass of one layer is caught by another, and alert on the behaviours described above (abrupt service stops followed by mass file renames) rather than on one family's file extension alone.
- Offline Backups: Maintain regular offline, air-gapped backups that the ransomware cannot reach from a compromised host, and test restores. Because of double extortion, backups limit downtime but do not remove the threat of the stolen data being leaked.
- Incident Response Planning: Develop and rehearse a detailed incident response plan so that detection, containment and restoration are practised before an attack, minimizing downtime and data loss when one occurs.