DragonForce advertises its malware on its data leak site
The Acronis Threat Research Unit (TRU) has identified a new DragonForce ransomware variant that showcases a dramatic evolution in both technical sophistication and organizational structure. The updated malware leverages Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security software and terminate protected processes, while also addressing previous encryption flaws linked to Akira ransomware.
“The latest sample uses vulnerable drivers such as truesight.sys and rentdrv2.sys to disable security software, terminate protected processes and correct encryption flaws previously associated with Akira ransomware,” Acronis researchers wrote. “The updated encryption scheme addresses weaknesses publicly detailed in a Habr article cited on DragonForce’s leak site.”
Originally emerging in 2023, DragonForce began as a ransomware-as-a-service (RaaS) operation loosely associated with the hacktivist group DragonForce Malaysia. Its early encryptors were based on LockBit 3.0’s leaked builder, later replaced by code from Conti v3.
In early 2025, the group rebranded itself as a “cartel”, transforming its business model to attract affiliates. By offering customizable encryptors, infrastructure access, and 80% profit shares, DragonForce positioned itself as a leading player in the ransomware ecosystem.
Since the rebrand, the group has become notably more aggressive, increasing global victim postings and expanding collaborations. Its most prominent campaign to date involved a joint attack on Marks & Spencer alongside the Scattered Spider intrusion group.
Acronis analysts observed that the latest DragonForce binaries are significantly larger than earlier variants, suggesting a change in the development toolchain. The new builds, compiled using MinGW, appear to consolidate the group’s multi-platform ransomware codebase.
“During September, we spotted some fresh samples of DragonForce ransomware. Noticeably, these binaries were significantly larger than earlier variants. That seems to be due to a change in the developer’s toolchain, as these samples are built using MinGW.”
Despite its updated framework, the codebase remains rooted in Conti's leaked source, reusing functions like InitializeApiModule and DisableHooks. However, Acronis notes the inclusion of an encrypted configuration file, which eliminates the need for command-line parameters: the sample no longer leaves its options visible in process command lines, which improves operational stealth.
DragonForce’s encryption system employs a hybrid ChaCha20 + RSA scheme, where a unique ChaCha20 key is generated per file and then encrypted with a public RSA key. Each encrypted file contains a structured header storing metadata and encryption information.
The ransomware’s configuration file allows affiliates to define custom extensions, blacklists, and process kill lists, including Microsoft Defender (MsMpEng.exe), Oracle, and SQL services. Most notably, the use_sys flag activates BYOVD process termination, using Truesight and BadRentdrv2 drivers to forcibly kill antivirus and EDR software.
By sending specially crafted DeviceIoControl codes to these drivers, the malware can kill protected system processes that traditional termination calls cannot reach. This level of driver abuse is consistent with techniques previously used by ransomware families like BlackCat and AvosLocker.
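A defender-side check for the BYOVD behaviour described above, written as an added example (not code from the article or from Acronis): it scans constructed Sysmon-style events for loads of the two driver names the article mentions and raises a higher-severity alert when a protected process such as MsMpEng.exe is terminated shortly afterwards. The event layout, the second protected process name and the time window are assumptions.

```python
"""BYOVD detection sketch: vulnerable-driver load followed by the
termination of a security process. Input is a constructed list of
Sysmon-style events (ID 6 = driver loaded, ID 5 = process terminated)."""
from datetime import datetime, timedelta

# Driver file names the article attributes to DragonForce's BYOVD step.
VULNERABLE_DRIVERS = {"truesight.sys", "rentdrv2.sys"}
# Security processes to watch: MsMpEng.exe is on the page's kill list,
# the second name is an assumed placeholder for an EDR agent.
PROTECTED_PROCESSES = {"msmpeng.exe", "edr_agent_placeholder.exe"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_byovd(events, window_seconds=120):
    """Return (severity, message) alerts: one per vulnerable driver load,
    plus a 'high' alert when a protected process dies within the window."""
    alerts, loads = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(ev["ts"])
        basename = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["id"] == 6 and basename in VULNERABLE_DRIVERS:
            loads.append((ts, basename))
            alerts.append(("medium", f"vulnerable driver loaded: {basename}"))
        elif ev["id"] == 5 and basename in PROTECTED_PROCESSES:
            for load_ts, drv in loads:
                delta = ts - load_ts
                if timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                    secs = int(delta.total_seconds())
                    alerts.append(("high", f"{basename} terminated {secs}s after {drv} load"))
                    break
    return alerts


SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"ts": "2025-09-10 08:00:01", "id": 6, "image": r"C:\Windows\System32\drivers\truesight.sys"},
    {"ts": "2025-09-10 08:00:09", "id": 5, "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
    {"ts": "2025-09-10 08:01:00", "id": 6, "image": r"C:\Windows\System32\drivers\ntfs.sys"},
]

if __name__ == "__main__":
    for severity, message in detect_byovd(SAMPLE_EVENTS):
        print(severity, message)
```

A driver load alone is only medium confidence because legitimate software can ship these drivers; the pairing with a Defender or EDR process termination is what makes the sequence worth paging on.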
Acronis TRU identified links between DragonForce and a new ransomware family known as Devman, whose samples were built using DragonForce’s builder and infrastructure.
“This sample has ‘.devman’ as the encrypted file extension in its configuration, but other functionalities like the icon, wallpaper, and ransom note are all from DragonForce.”
Devman’s ransom notes and configurations bear a near-identical resemblance to DragonForce’s earlier LockBit-based iterations, suggesting that Devman represents an affiliate experimenting with its own branding while maintaining technical reliance on the DragonForce ecosystem.
This affiliate structure mirrors the “cartelization” trend seen across other ransomware collectives, such as Scattered Spider, LAPSUS$, and ShinyHunters, which have begun collaborating rather than competing for access and victims.
Acronis reports that DragonForce’s rise has sparked territorial disputes with rival groups. The cartel has allegedly defaced or taken over infrastructure belonging to other RaaS operators, including BlackLock and RansomHub, in an effort to assert dominance.
Shortly after, DragonForce reportedly attempted a “hostile takeover” of RansomHub’s servers, causing temporary disruptions that drove affiliates toward DragonForce and Qilin.
The Acronis TRU assessment concludes that DragonForce’s latest evolution solidifies its status as one of the most organized and technically adaptive ransomware ecosystems in operation today.