Dragon RaaS, a ransomware group known for its blend of hacktivism and cybercrime, has emerged as a significant player in the “Five Families” crimeware syndicate.
The syndicate, whose members include ThreatSec, GhostSec, Blackforums, and SiegedSec, has been making headlines with its aggressive tactics and geopolitical motivations.
Dragon RaaS, also known as DragonRansom or Dragon Team, surfaced in July 2024 as an offshoot of the Stormous group, another prominent member of the syndicate.
Origins and Evolution
Dragon RaaS’s origins are deeply rooted in the Stormous group, which gained notoriety in mid-2021 for targeting organizations perceived as hostile to Russia.
Stormous is part of the “Five Families” syndicate, which has been involved in various ransomware operations, including GhostLocker and StormCry.
Dragon RaaS launched its Telegram channel in July 2024, marking the beginning of its operations.
The group’s initial announcements included a ransomware platform launch, which was formally introduced in October 2024.
According to a SentinelOne report, this platform features a web-based management portal, privacy-focused operations, and ultra-fast encryption capabilities.
Despite marketing itself as a sophisticated Ransomware-as-a-Service (RaaS) operation, Dragon RaaS’s attacks often involve defacements and opportunistic ransomware extortion, targeting smaller organizations with weak security postures.
Initial Access and Exploitation Methods
Dragon RaaS primarily uses vulnerability exploitation, brute-force credential attacks, and compromised credentials to gain access to target systems.
The group frequently targets WordPress themes and plugins, LiteSpeed HTTP servers, and cPanel instances.
Specific vulnerabilities exploited include those in the Porto WP Theme (CVE-2024-3806 to CVE-2024-3809) and LiteSpeed HTTP servers (CVE-2022-0073 and CVE-2022-0074).
Once inside, attackers deploy a PHP webshell that provides backdoor functionality and persistent ransomware capabilities.
This webshell allows for file encryption using OpenSSL, XOR, or mCrypt algorithms and facilitates defacement activities.
The group’s Windows-focused encryptor is a modified version of StormCry, using AES-256 in CBC mode for encryption.
Despite claims of a new ransomware variant, Dragon RaaS’s payloads are largely based on existing StormCry code, with minor branding changes.
Both StormCry and Dragon RaaS demand similar ransom payments and use nearly identical ransom notes.
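As an added defender-side example (not code from the article or from SentinelOne), the script below triages PHP files in a WordPress tree for the webshell traits described above: dynamic code execution, encoded payload unpacking, OpenSSL/XOR/mcrypt encryption calls combined with request-controlled input, and PHP placed under wp-content/uploads. The indicator regexes, the directory layout and the two sample file bodies are constructed assumptions, not published signatures.

```python
import re
import tempfile
from pathlib import Path

# Indicator classes (assumed heuristics): dynamic execution, encoded payloads, the
# OpenSSL/XOR/mcrypt primitives the article names, OS command execution, request input.
INDICATORS = {
    "dynamic_exec": re.compile(r"\b(eval|assert|create_function)\s*\("),
    "encoded_payload": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\("),
    "file_encryption": re.compile(r"\b(openssl_encrypt|mcrypt_encrypt)\s*\("),
    "xor_loop": re.compile(r"\bord\s*\([^)]*\)\s*\^|\^\s*ord\s*\("),
    "shell_exec": re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\("),
    "request_input": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b"),
}
# Constructed samples: BENIGN mimics a theme helper; SUSPICIOUS only strings the
# patterns together (undefined variables, no request handling) and is not a working script.
BENIGN_SAMPLE = "<?php\nfunction porto_title($t) { return esc_html($t); }\n"
SUSPICIOUS_SAMPLE = ("<?php\n$k = $_POST['k'];\n"
                     "$c = openssl_encrypt(file_get_contents($f), 'aes-256-cbc', $k, 0, $iv);\n"
                     "eval(base64_decode($p));\n")

def score_php_source(text):
    """Return {indicator: match_count} for every indicator class that fires."""
    return {n: len(rx.findall(text)) for n, rx in INDICATORS.items() if rx.search(text)}

def is_suspicious(hits):
    """Require indicator combinations so ordinary plugin code stays quiet."""
    return bool(("dynamic_exec" in hits and "encoded_payload" in hits) or
                ("request_input" in hits and {"shell_exec", "file_encryption", "xor_loop"} & hits.keys()))

def scan_php_tree(root):
    """Return [(relpath, hits)] for suspicious PHP files, plus any PHP under uploads."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".php", ".phtml"):
            continue
        rel = path.relative_to(root).as_posix()
        hits = score_php_source(path.read_text(encoding="utf-8", errors="replace"))
        # wp-content/uploads should hold media only; executable PHP there is always worth a look
        if is_suspicious(hits) or rel.startswith("wp-content/uploads/"):
            findings.append((rel, hits))
    return sorted(findings)

def demo():
    """Build a constructed mini WordPress tree in a temp dir and scan it."""
    layout = {"wp-content/themes/porto/functions.php": BENIGN_SAMPLE,
              "wp-content/themes/porto/inc/cache.php": SUSPICIOUS_SAMPLE,
              "wp-content/uploads/2024/07/image.php": BENIGN_SAMPLE}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in layout.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_text(body, encoding="utf-8")
        return [rel for rel, _ in scan_php_tree(root)]
```

Run against a real install with `scan_php_tree("/var/www/html")` and pair the hit list with file modification times and web-server access logs for the flagged paths.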
To protect against Dragon RaaS and similar threats, organizations should prioritize securing public-facing applications, enforcing strong password policies, deploying advanced endpoint security solutions, and monitoring for indicators of compromise.
Regular updates and patches for WordPress, cPanel, and LiteSpeed are crucial in preventing exploitation.
Additionally, multi-factor authentication and strong passwords for site management interfaces can significantly enhance security postures.
Advanced endpoint protection solutions like SentinelOne can detect and prevent malicious tactics, techniques, and procedures (TTPs) associated with these groups.