Introduction
DragonForce operates a Ransomware-as-a-Service (RaaS) affiliate program built on two ransomware variants: LockBit 3.0 and a modified ContiV3. The group uses double extortion, encrypting victims' data and threatening to leak it unless the ransom is paid. Launched in June 2024, the program offers affiliates 80% of ransoms and tools to manage attacks. Affiliates can customize the ransomware, disable security features, and set encryption parameters. DragonForce employs the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security processes and erases Windows logs to hinder investigations. [Group-IB DragonForce September 25 2024]
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- Windows Remote Desktop
Attribution and Evidence
Information pending cataloguing.