dragonforce (9cd58774-1f45-52dd-9c00-0050151cb093)
Research on the operators of the DragonForce ransomware identified that the group emerged around mid-November 2023. Like many other ransomware groups, they use double extortion in their attacks, i.e., encrypting data and extorting the victim with the threat of publication.
According to research, a separate hacktivist group, also named DragonForce and based in Malaysia, conducted several campaigns in 2021 and 2022 against various government organizations and agencies across the Middle East and Asia. In 2022, that hacktivist group also announced its intention to begin ransomware attacks. However, because substantial information was limited and difficult to obtain, no direct link between the two could be established.
The activities of the DragonForce ransomware group were identified in November 2023 through a clandestine forum, where they announced their victims via data leaks.
Some samples related to the DragonForce ransomware group were obtained, and it was concluded that the group uses a ransomware binary based on LockBit Black. In other words, this threat group took advantage of the builder previously leaked from another ransomware group, LockBit, and incorporated these samples into their attacks to encrypt data.
The company Cyble published an analysis indicating that the ransomware used by DragonForce has a 99% similarity to the LockBit Black ransomware, suggesting the use of the leaked builder.
It is worth noting that the ransomware performs the entire operational routine: terminating processes, encrypting specific files, and then creating a ransom note for the victim.