A comprehensive new analysis by security researchers at S2W details the inner workings of the DragonForce Ransomware Group, revealing a threat actor that is not only deploying sophisticated malware but actively cannibalizing other cybercriminal operations to expand its empire.
First detected in late 2023, DragonForce has quickly differentiated itself by offering a highly customizable service to its affiliates. Unlike traditional Ransomware-as-a-Service (RaaS) models, DragonForce positions itself as a central hub for cyber extortion.
“This group operates a service called ‘Ransombay’, which allows affiliates to choose options such as receiving customized payloads, and refers to itself as a cartel.”
This “cartel” approach has allowed them to rapidly expand their influence, aggressively recruiting pentesters and initial access brokers (IABs) with promises of an 80% split of ransom payments.

One of the most striking findings in the S2W report is DragonForce’s tendency to absorb or conquer rival groups. The researchers uncovered evidence linking DragonForce to BlackLock, RansomHub, and LockBit, often through takeovers.
In a brazen move against the BlackLock group, DragonForce exploited a misconfiguration to hack their rival’s infrastructure.
“They subsequently accessed the infrastructure and exploited a Local File Inclusion (LFI) vulnerability to collect information, including credentials.”
The group didn’t stop at espionage; they defaced the BlackLock data leak site, replacing the logo with their own. Similarly, the report notes that “DragonForce Ransomware Group has been linked to BlackLock, RansomHub, and LockBit based on infrastructure migration and duplicate source code”.
Code analysis confirms DragonForce is built on the foundations of LockBit 3.0 (Black) and Conti.
“Comparing the two ransomware binaries using BinDiff revealed that 93.7% of all functions matched [LockBit 3.0], while consecutively executed commands and branch structures matched approximately 99%.”
Despite the reused code, the malware packs its own custom features. “The strings DragonForce Ransomware are obfuscated using a custom algorithm and decrypted during execution for use,” shielding its internal logic from simple static analysis.
The ransomware employs ChaCha8 for file encryption and RSA-4096 to protect the keys. It also features psychological tactics to pressure victims, such as changing the desktop wallpaper and file icons to brand the infected machine.
“If the ‘custom_icon’ or ‘custom_wallpaper’ values are enabled, it changes the icon of encrypted files or the desktop wallpaper of the compromised system.”
Perhaps the most significant discovery for defenders is that S2W researchers successfully recovered a decryptor during their threat hunting operations.
“During threat hunting related to the DragonForce group, the S2W Threat Research and Intelligence Center TALON obtained a decryptor capable of decrypting data from a specific victim system.”
The tool works by identifying files with the .RNP extension (or specific magic bytes for ESXi systems) and using a hardcoded RSA private key to recover the session keys. This discovery suggests that, while DragonForce is growing more dangerous, errors in their operational security may still provide opportunities for victims to recover their data.
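A responder's first job when this family is suspected is to scope which files were touched before any decryptor is run. The following Python triage script is an added example, not S2W's decryptor or DragonForce code: it walks a directory tree, flags files that carry the `.RNP` extension named in the report or a configurable magic-byte prefix (the real ESXi magic bytes are not given on this page, so `MAGIC_PLACEHOLDER` is a constructed stand-in to be replaced from an actual sample), and records the byte entropy of each hit, since ChaCha-encrypted content sits close to 8 bits per byte while untouched plaintext does not. The sample directory it builds is constructed inline so the script runs offline.

```python
import math
import os
import tempfile
from pathlib import Path
from typing import Optional

# Extension named in the S2W report for encrypted files.
RNP_EXT = ".rnp"
# Constructed placeholder: the page does not give the ESXi magic bytes, so a
# responder swaps this for the prefix observed in a real encrypted VMDK.
MAGIC_PLACEHOLDER = b"PLACEHOLDER-MAGIC"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; encrypted data approaches 8.0, text is far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path, magic: bytes = MAGIC_PLACEHOLDER,
                    sample: int = 4096) -> Optional[dict]:
    """Return a finding for a file matching the extension or magic prefix, else None."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    by_ext = path.suffix.lower() == RNP_EXT          # case-insensitive .RNP check
    by_magic = bool(magic) and head.startswith(magic)  # ESXi-style files keep their name
    if not (by_ext or by_magic):
        return None
    return {
        "path": str(path),
        "by_ext": by_ext,
        "by_magic": by_magic,
        "entropy": round(shannon_entropy(head), 2),
    }


def triage_tree(root) -> list:
    """Walk root and collect findings, sorted by path for stable reporting."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            finding = looks_encrypted(Path(dirpath) / name)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Constructed sample: one .RNP file, one magic-prefixed file, one untouched file."""
    root = tempfile.mkdtemp(prefix="dragonforce-triage-")
    (Path(root) / "report.docx.RNP").write_bytes(os.urandom(2048))
    (Path(root) / "vm-flat.vmdk").write_bytes(MAGIC_PLACEHOLDER + os.urandom(2048))
    (Path(root) / "notes.txt").write_bytes(b"plain text " * 200)
    return root


if __name__ == "__main__":
    for finding in triage_tree(build_sample_tree()):
        print(finding)
```

Run it against a mounted, read-only copy of the affected volume rather than the live host; the entropy column helps separate files the malware actually rewrote from ones that merely picked up the extension, and a file that matches by magic but not by extension is exactly the ESXi case the report describes.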