Cybersecurity firm Darktrace has published a detailed investigation into a DragonForce-affiliated ransomware attack that targeted a manufacturing organization, revealing a sophisticated, multi-phase intrusion involving network scanning, brute-force credential attacks, data exfiltration, and file encryption.
The DragonForce ransomware operation, first observed in late 2023, has rapidly expanded through a Ransomware-as-a-Service (RaaS) model that attracts affiliates with aggressive profit-sharing and flexible infrastructure.
“DragonForce is a Ransomware-as-a-Service (RaaS) platform that emerged in late 2023, offering broad-scale capabilities and infrastructure to threat actors,” Darktrace explained. “Recently, DragonForce has been linked to attacks targeting the UK retail sector, resulting in several high-profile cases.”
Unlike other RaaS schemes that typically grant affiliates a 70–80% revenue share, DragonForce’s lower 20% affiliate payout suggests an emphasis on volume-driven operations rather than exclusivity.
The case analyzed by Darktrace began during working hours in August 2025, when an internal device started performing network reconnaissance and credential brute-forcing.
After eight days of dormancy, the attackers returned and initiated file encryption over SMB, appending the “.df_win” extension and dropping ransom notes titled “readme.txt”, which referenced DragonForce affiliation.
Despite early detection, Darktrace noted that Autonomous Response — its AI-driven active defense feature — had not been enabled on the affected network.
While the initial access vector remains unconfirmed, Darktrace assessed that it likely followed DragonForce’s established TTPs, including phishing, exploitation of public-facing applications, or abuse of remote management tools.
During the intrusion, compromised systems exhibited internal scanning, Windows Registry manipulation, and brute-force attempts against common administrative account names such as “administrator”, “Admin”, “rdpadmin”, and “ftpadmin”.
“Darktrace identified anomalous behavior in late August to early September 2025, originating from a source device engaging in internal network scanning followed by brute-force attempts targeting administrator credentials, including ‘administrator’, ‘Admin’, ‘rdpadmin’, ‘ftpadmin’.”
Darktrace also observed the OpenVAS vulnerability scanner user agent string during HTTP communications, suggesting the use of legitimate tools for network enumeration. In addition, deleted files named “delete.me” — associated with the penetration testing utility NetScan — were discovered across devices.
Following reconnaissance, the attackers modified Windows Registry keys linked to task scheduling and Windows Management Instrumentation (WMI) access control.
“The registry keys observed included ‘SYSTEM\CurrentControlSet\Control\WMI\Security’ and ‘Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks’. These keys can be leveraged by malicious actors to update WMI access controls and schedule malicious tasks.”
This manipulation likely allowed the attackers to maintain persistence within the victim’s environment while preparing for privilege escalation.
Darktrace later detected the first successful Kerberos login using a privileged “administrator” credential, which was subsequently reused to establish SMB sessions, indicating lateral movement and possible credential theft.
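The pattern described above, a burst of failed logons against a short list of administrative names followed minutes later by a successful privileged login from the same source, is one a defender can surface from plain authentication logs. The Python below is an added example written for this article, not Darktrace's detection logic; it parses a constructed log in an assumed `key=value` format using Windows Security event IDs (4625 failed logon, 4624 successful logon, 4768 Kerberos TGT issued), flags sources that exceed a failure or distinct-username threshold inside a sliding window, and then flags any success from such a source using one of the names it was guessing. Hosts, timestamps, thresholds and the non-admin user are assumptions; the guessed admin names are the ones the article lists.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, added for illustration (not from the Darktrace report).
# Event IDs follow Windows Security log conventions: 4625 = failed logon,
# 4624 = successful logon, 4768 = Kerberos TGT requested. Hosts, times and the
# non-admin user are made up; the guessed admin names are the ones the article lists.
SAMPLE_LOG = """\
2025-08-25T10:02:13Z src=10.0.5.17 dst=10.0.1.10 event=4625 user=administrator
2025-08-25T10:02:14Z src=10.0.5.17 dst=10.0.1.10 event=4625 user=Admin
2025-08-25T10:02:15Z src=10.0.5.17 dst=10.0.1.10 event=4625 user=rdpadmin
2025-08-25T10:02:16Z src=10.0.5.17 dst=10.0.1.10 event=4625 user=ftpadmin
2025-08-25T10:02:17Z src=10.0.5.17 dst=10.0.1.10 event=4625 user=administrator
2025-08-25T10:02:18Z src=10.0.5.17 dst=10.0.1.10 event=4625 user=administrator
2025-08-25T10:09:40Z src=10.0.5.17 dst=10.0.1.10 event=4768 user=administrator
2025-08-25T10:15:00Z src=10.0.7.3 dst=10.0.1.10 event=4625 user=jsmith
2025-08-25T10:16:00Z src=10.0.7.3 dst=10.0.1.10 event=4624 user=jsmith
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) event=(?P<event>\d+) user=(?P<user>\S+)$"
)
FAILED_LOGON = "4625"
SUCCESS_EVENTS = {"4624", "4768"}


def parse_events(log_text):
    """Parse the key=value lines above into dicts with a datetime timestamp."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than abort the whole run
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect_bruteforce(events, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Return {src: summary} for sources that, inside any `window`, either produced
    at least `min_failures` failed logons or tried at least `min_users` distinct names."""
    failures_by_src = defaultdict(list)
    for event in events:
        if event["event"] == FAILED_LOGON:
            failures_by_src[event["src"]].append(event)

    findings = {}
    for src, fails in failures_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until the span is at most `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            chunk = fails[start:end + 1]
            if len(chunk) >= min_failures or len({e["user"] for e in chunk}) >= min_users:
                # once any window trips, summarize every failure from this source
                findings[src] = {
                    "failures": len(fails),
                    "users": {e["user"] for e in fails},
                    "first": fails[0]["ts"],
                    "last": fails[-1]["ts"],
                }
                break
    return findings


def detect_success_after_bruteforce(events, findings, grace=timedelta(hours=1)):
    """Flag a successful logon from a brute-forcing source that uses one of the names
    it was guessing, within `grace` of its last failure (the article's Kerberos login)."""
    hits = []
    for event in events:
        finding = findings.get(event["src"])
        if (
            finding
            and event["event"] in SUCCESS_EVENTS
            and event["user"] in finding["users"]
            and finding["last"] <= event["ts"] <= finding["last"] + grace
        ):
            hits.append((event["src"], event["user"], event["event"], event["ts"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    found = detect_bruteforce(evs)
    for src, summary in found.items():
        print(f"brute force from {src}: {summary['failures']} failures, names {sorted(summary['users'])}")
    for src, user, event_id, ts in detect_success_after_bruteforce(evs, found):
        print(f"SUCCESS after brute force: {src} -> {user} (event {event_id}) at {ts:%H:%M:%S}")
```

The second check is the one that turns a noisy brute-force alert into a high-confidence incident: a single user mistyping a password trips nothing, while a source that guessed four admin names and then obtained a Kerberos ticket for one of them is exactly the lateral-movement signal described in the report.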
Before triggering encryption, multiple infected devices began transferring large volumes of data over SSH to a malicious endpoint hosted by a Russian service provider.
“Several infected devices were observed exfiltrating data to the malicious IP 45.135.232[.]229 via SSH connections. This was followed by the device downloading data from other internal devices and transferring an unusually large volume of data to the same external endpoint.”
Darktrace identified the destination server as being registered to Proton66 OOO, a Russian-based malicious hosting provider (ASN AS198953), which has been linked to previous campaigns involving vulnerability scanning, exploitation, and phishing.
The compromised host at 45.135.232[.]229 was also associated with a Microsoft IIS Manager console, a configuration panel often abused to deploy malicious modules or steal credentials.
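The exfiltration stage described above combines two signals a network-monitoring team can check from flow records: bulk SSH transfers to an address outside the organization's own ranges, and multiple internal hosts sending to the same external endpoint. The Python below is an added example written for this article, not Darktrace's code; it runs over constructed flow tuples, treats anything outside an assumed internal address space as external, matches destinations against the IoC the article names, and groups the resulting alerts by destination. The internal addresses, the 1 GB threshold and the documentation-range external addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed outbound flow records, added for illustration (not from the report).
# Fields: (src, dst, dst_port, bytes_out). Internal hosts are made-up addresses
# inside the organization's assumed ranges; 45.135.232.229 is the endpoint Darktrace
# named, and the other external addresses are documentation-range placeholders.
FLOWS = [
    ("10.0.5.17", "10.0.1.10", 445, 120_000),
    ("10.0.5.17", "45.135.232.229", 22, 4_800_000_000),
    ("10.0.5.22", "10.0.1.10", 445, 90_000),
    ("10.0.5.22", "45.135.232.229", 22, 2_100_000_000),
    ("10.0.5.30", "203.0.113.200", 22, 1_500_000_000),  # bulk SSH to an unlisted host
    ("10.0.7.3", "203.0.113.80", 443, 35_000_000),      # routine HTTPS, not SSH
    ("10.0.7.3", "198.51.100.9", 22, 50_000_000),       # small SSH transfer, under threshold
]

# The organization's own address space (assumed); anything outside it is "external".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Indicator from the article; in practice this comes from a threat-intel feed.
IOC_WATCHLIST = {"45.135.232.229"}


def is_external(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def detect_ssh_exfil(flows, min_bytes=1_000_000_000, ssh_port=22):
    """Return (src, dst, bytes, reason) for SSH flows to external hosts carrying at
    least `min_bytes`, or for any flow to a watchlisted destination regardless of size."""
    alerts = []
    for src, dst, port, nbytes in flows:
        on_watchlist = dst in IOC_WATCHLIST
        bulk_ssh = port == ssh_port and is_external(dst) and nbytes >= min_bytes
        if on_watchlist or bulk_ssh:
            alerts.append((src, dst, nbytes, "ioc" if on_watchlist else "volume"))
    return alerts


def correlate_by_destination(alerts):
    """Group alerts by destination. Several internal hosts pushing data to one external
    endpoint, as in the report, is a stronger signal than any single large flow."""
    grouped = defaultdict(list)
    for src, dst, nbytes, _reason in alerts:
        grouped[dst].append((src, nbytes))
    return {dst: sorted(pairs) for dst, pairs in grouped.items()}


if __name__ == "__main__":
    found = detect_ssh_exfil(FLOWS)
    for dst, senders in correlate_by_destination(found).items():
        total = sum(n for _, n in senders)
        print(f"{dst}: {len(senders)} internal host(s), {total / 1e9:.2f} GB outbound -> {senders}")
```

Defining "external" against the organization's own ranges rather than against the RFC 1918 list is deliberate: Python's `ipaddress` also classifies documentation and benchmarking ranges as non-global, and a site with public address space of its own would otherwise alert on itself.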
After exfiltration, the attackers launched the encryption phase, writing .df_win files and deploying ransom notes across internal file shares.
“Multiple devices were later observed connecting to internal devices via SMB and performing a range of actions indicative of file encryption.”
Darktrace’s Cyber AI Analyst automatically launched an investigation, correlating timestamps and encryption events to provide full visibility. During this phase, a spike in SMB Write events corresponded to the creation of ‘readme.txt’ ransom notes, confirming the ransomware activation timeline.
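The encryption-phase timeline above rests on two observations a file-server or network sensor can reproduce: a sharp rise in SMB write operations from one host, and the appearance of the “.df_win” extension and “readme.txt” notes across shares. The Python below is an added example for this article, not Darktrace's Cyber AI Analyst; it builds a constructed SMB write log (five quiet minutes, then one minute of mass writes), flags any minute whose write count is a multiple of the source's earlier per-minute median, and counts the ransomware file indicators. The share names, host addresses, event structure and spike factor are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Indicators named in the article.
RANSOM_EXT = ".df_win"
RANSOM_NOTE = "readme.txt"


def constructed_smb_events():
    """Build a constructed SMB write log (not real data): five quiet minutes from one
    host, then a one-minute burst of .df_win writes and a ransom note on two shares."""
    base = datetime(2025, 9, 2, 14, 0, 0)
    events = []
    for minute in range(5):
        for i in range(3):  # three ordinary writes per minute as the baseline
            events.append({"ts": base + timedelta(minutes=minute, seconds=i * 15),
                           "src": "10.0.5.17", "share": r"\\FS01\Projects",
                           "op": "write", "path": f"reports\\doc{minute}{i}.xlsx"})
    burst = base + timedelta(minutes=5)
    for i in range(40):  # encrypted files written back with the appended extension
        events.append({"ts": burst + timedelta(seconds=i), "src": "10.0.5.17",
                       "share": r"\\FS01\Projects", "op": "write",
                       "path": f"reports\\doc{i}.xlsx{RANSOM_EXT}"})
    for share in (r"\\FS01\Projects", r"\\FS01\Finance"):
        events.append({"ts": burst + timedelta(seconds=45), "src": "10.0.5.17",
                       "share": share, "op": "write", "path": RANSOM_NOTE})
    # an unrelated host doing one normal write, to show it is not flagged
    events.append({"ts": burst + timedelta(seconds=50), "src": "10.0.7.3",
                   "share": r"\\FS01\Finance", "op": "write", "path": "budget.xlsx"})
    return events


def writes_per_minute(events):
    """Count SMB write operations per (source, minute)."""
    counts = Counter()
    for e in events:
        if e["op"] == "write":
            counts[(e["src"], e["ts"].replace(second=0, microsecond=0))] += 1
    return counts


def detect_write_spike(events, factor=5, min_history=3):
    """Return (src, minute, count) where a source's write count is at least `factor`
    times the median of its own earlier minutes (needs `min_history` prior minutes)."""
    per_src = defaultdict(list)
    for (src, minute), n in sorted(writes_per_minute(events).items()):
        per_src[src].append((minute, n))
    spikes = []
    for src, series in per_src.items():
        for i, (minute, n) in enumerate(series):
            history = [m for _, m in series[:i]]
            if len(history) >= min_history and n >= factor * median(history):
                spikes.append((src, minute, n))
    return spikes


def ransomware_indicators(events):
    """Count writes of the ransomware extension and of the ransom note, and list
    the shares and sources involved."""
    writes = [e for e in events if e["op"] == "write"]
    encrypted = [e for e in writes if e["path"].lower().endswith(RANSOM_EXT)]
    notes = [e for e in writes if e["path"].lower().rsplit("\\", 1)[-1] == RANSOM_NOTE]
    return {
        "encrypted_writes": len(encrypted),
        "ransom_notes": len(notes),
        "note_shares": sorted({e["share"] for e in notes}),
        "sources": sorted({e["src"] for e in encrypted + notes}),
    }


if __name__ == "__main__":
    evs = constructed_smb_events()
    for src, minute, n in detect_write_spike(evs):
        print(f"SMB write spike: {src} wrote {n} files in the minute starting {minute:%H:%M}")
    print(ransomware_indicators(evs))
```

The two checks are complementary: the write-rate spike fires early, before any extension has been confirmed, while the extension and note counts give the responder the timeline and the list of affected shares that the report describes correlating.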
The ransom note explicitly claimed affiliation with DragonForce, marking this as one of the first observed manufacturing-sector compromises linked to the RaaS brand.