DragonForce vs. LockBit 3.0: Ransomware Battle Threatens Major Organizations

Ransomware attacks are becoming increasingly sophisticated and frequent, and security leaders are concerned about their organization’s ability to defend against them. The ransomware-as-a-service (RaaS) market, dedicated leak sites (DLS), and affiliate programs are all contributing to the rise in ransomware attacks.

The rapid evolution of ransomware variants is outpacing cyber defense advancements, leaving organizations vulnerable to future threats. To stay ahead, businesses must stay informed about emerging cybersecurity threats and prominent threat actors.

DragonForce, a ransomware-as-a-service group, operates a customized ContiV3 variant and employs double extortion tactics: it encrypts data and threatens to leak it.

Image: the “clients” section of the DragonForce affiliates’ panel.

Their affiliate program offers tools for attack customization and automation, including BYOVD (bring your own vulnerable driver) techniques to disable security processes and the clearing of Windows Event Logs to hinder investigations.

Targeting various industries, DragonForce leverages SystemBC, Mimikatz, and Cobalt Strike for persistence, credential harvesting, and lateral movement, along with network scanning tools to facilitate ransomware spread.

The DragonForce ransomware group has launched an affiliate program, offering 80% of the total ransom amount to those who join. The group provides its affiliates with two ransomware variants: a custom-built one and a modified version of LockBit. 

Both variants can bypass EDR/XDR security measures. Affiliates can use a panel to create and configure ransomware samples, targeting specific companies and customizing encryption settings. 

Since the program was first introduced, the group has experienced significant growth, which presents a potential threat to a great number of organizations.

Image: the “My Team” section.

The “My Team” section of the DragonForce ransomware group’s affiliate portal allows affiliates to manage their partner advertisers, while the “Add Adver” section provides a platform for creating new advertisers and modifying their access rights. 

According to Group IB, the “Publications” section displays information about victims whose data has been leaked on the affiliate’s dedicated website. 

In the “Constructor” section, affiliates can schedule the publication of victim data in case of non-payment of ransom, and the “Rules” section contains guidelines, contact information, and rules for using the DragonForce ransomware in Russian, as published by the group’s administrators.

Image: the “Rules” section.

The DragonForce ransomware attack involved a multi-stage process. Initial access came via a compromised RDP server, where the attackers used valid credentials to gain unauthorized access and then executed PowerShell commands to deploy Cobalt Strike and SystemBC malware.

Persistence was established using registry keys and compromised accounts, while credential dumping and network scanning were performed to gather sensitive information. 

Image: the ransom note.

Lateral movement was achieved using RDP, and the attackers disabled antivirus and cleared event logs to avoid detection. Ultimately, ransomware was deployed to encrypt files across the network, causing significant disruption to the victim’s operations.

The ransomware sample analyzed is a variant of ContiV3, enhanced with new features such as BYOVD and customizability. It encrypts files using RSA-1024 and Salsa20, deletes shadow copies, and achieves persistence through scheduled tasks.

It uses a vulnerable driver to terminate protected processes and escalates privileges to execute as SYSTEM. The sample also includes a network scanner, a backdoor, and a Cobalt Strike payload.
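A defender-side illustration, added here and not part of the original article or of any DragonForce tooling: a small Python correlator that flags a host when several of the post-exploitation behaviours described above (event log clearing, scheduled-task persistence, shadow copy deletion, kernel driver installation) appear in its Windows event records. The event IDs are standard Windows IDs; the host names, paths and records are constructed sample data, and treating any 7045 driver install as a BYOVD signal is a deliberately broad assumption meant to be tuned.

```python
"""Correlate constructed Windows event records for the post-exploitation
pattern described in the article. Records are constructed samples, not
telemetry from a real incident."""
from collections import defaultdict

# Constructed sample records in the shape a log forwarder might emit.
# Standard Windows event IDs used:
#   1102  Security log cleared     4698  scheduled task created
#   104   System log cleared       7045  new service (driver) installed
#   4688  process creation (with command line)
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 4688, "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "id": 7045, "svc": "pdrv", "path": r"C:\Windows\Temp\pdrv.sys"},
    {"host": "ws01", "id": 4698, "task": "Updater", "cmd": r"C:\Users\Public\lock.exe"},
    {"host": "ws01", "id": 1102, "user": "admin"},
    {"host": "fs02", "id": 7045, "svc": "vmx", "path": r"C:\Windows\System32\drivers\vmx.sys"},
    {"host": "fs02", "id": 4688, "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def classify(ev):
    """Map one event to a behaviour label, or None if it is not of interest."""
    eid = ev["id"]
    cmd = ev.get("cmd", "").lower()
    if eid in (1102, 104):
        return "log_cleared"
    if eid == 4698:
        return "scheduled_task"
    if eid == 7045 and ev.get("path", "").lower().endswith(".sys"):
        return "driver_installed"  # broad BYOVD heuristic (assumption): any .sys service
    if eid == 4688 and "vssadmin" in cmd and "delete" in cmd:
        return "shadow_copy_deletion"
    return None


def correlate(events, min_behaviours=2):
    """Collect distinct behaviour labels per host; return hosts that show at
    least min_behaviours of them as (host, sorted labels), most labels first."""
    hits = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            hits[ev["host"]].add(label)
    found = [(h, sorted(t)) for h, t in hits.items() if len(t) >= min_behaviours]
    return sorted(found, key=lambda x: -len(x[1]))


if __name__ == "__main__":
    for host, labels in correlate(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(labels)}")
```

A single driver install on fs02 is not reported on its own; raising or lowering `min_behaviours` trades alert volume against missed early-stage activity.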

Kaaviya, https://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
