Introduction
Dagon Locker is a double-extortion ransomware family that surfaced around September 2022. It represents an evolution of the MountLocker and Quantum ransomware lines. The group employs strong encryption using ChaCha20 protected by RSA-2048 and appends the .dagoned extension to encrypted files. It provides operators flexibility through command-line options to control encryption behavior, such as skipping logs, deletions, or process termination. Notably, Dagon Locker is frequently distributed via phishing campaigns and as part of Brodin-based initial access chains. It operates under a Ransomware-as-a-Service (RaaS) model, engaging affiliates to launch customized campaigns—particularly targeting organizations in South Korea.
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
Information pending cataloguing.
Attribution and Evidence
Information pending cataloguing.
References
References pending cataloguing.