DragonForce

DragonForce operates a ransomware-as-a-service (RaaS) model for custom ransomware deployment. It leverages exploits for remote access vulnerabilities for initial intrusion. The group exfiltrates sensitive data prior to encrypting systems, deploys specialized encryptors for Windows and ESXi environments, and deletes backups to hinder victim recovery.

Chronology and Evolution

  • Early 2022: The DragonForce group emerged with a focus on exploiting remote access vulnerabilities. This enabled them to compromise corporate networks via known entry points, leading to an initial surge in successful intrusions.

  • Mid-2023: DragonForce began incorporating specific encryption modules for VMware ESXi environments. This evolution allowed them to cripple critical virtualization infrastructures, increasing the impact of their ransomware attacks and pressuring victims for payment.

  • Late 2023: The group launched its dedicated leak site, ‘DragonForceLeaks,’ for double extortion. The site’s creation provided a platform to publish stolen data, intensifying pressure on victims who refused to pay the ransom.

  • Early 2024: DragonForce was observed leveraging credentials purchased from Initial Access Brokers (IABs). This tactic diversified their access vectors, allowing for faster escalation and bypassing traditional perimeter defenses.

Attack Summary

Phase | Description
Initial Access | Exploitation of vulnerabilities in edge devices such as Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887).
Credential Access | Mimikatz is used to dump LSASS and SAM credentials from compromised systems; credentials are also sought in browser configuration files and local databases.
Persistence and Evasion | New scheduled tasks are created via schtasks.exe to execute malicious binaries periodically; registry keys are modified to maintain payload execution at system startup.
Lateral Movement | PsExec is used to execute payloads on remote systems; RDP is abused to reach other machines with stolen credentials.
Exfiltration | Rclone uploads large volumes of data to cloud services such as MEGA or S3; WinSCP or FileZilla may also be used for transfers to attacker-controlled servers.
Encryption | Hybrid AES-256 and RSA-4096 scheme: each file is encrypted with an ephemeral AES key, which is then encrypted with the attacker's RSA public key.
Impact and Destruction | Shadow volume copies are deleted with vssadmin delete shadows /all /quiet; Veeam backups and backup files are deleted directly from servers.

Initial Access

Initial access is gained by exploiting vulnerabilities in edge devices such as Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887). Exploitation of Atlassian Confluence (CVE-2023-22515) is also used to establish a foothold. Password spraying against exposed RDP services and outdated VPNs is a common vector.

Credential Access

Identity compromise is core to DragonForce operations. Threat actors typically perform LSASS dumping via tools like Mimikatz or Procdump, aiming to harvest cached credentials, NTLM hashes, Kerberos tickets, or browser-stored passwords. Active Directory enumeration is also frequently used to identify high-privilege targets.

Command-line abuse with PowerShell facilitates credential harvesting.

Persistence and Evasion

DragonForce prioritizes stealthy persistence via scheduled tasks and the misuse of legitimate RMM tools.

The group creates new scheduled tasks via schtasks.exe to execute malicious binaries periodically and modifies registry keys to maintain payload execution at system startup. New user accounts with local administrative privileges may also be created.

Lateral Movement

DragonForce leverages OS-native lateral movement techniques to minimize footprint and evade agent-based security controls.

Lateral movement is achieved using PsExec to execute payloads on remote systems. They also abuse RDP to access other machines using stolen credentials. SSH access to ESXi hosts is common for virtualization encryptor deployment.

Exfiltration

Data exfiltration is performed using Rclone to upload large volumes to cloud services like MEGA or S3. They may also employ WinSCP or FileZilla for transfers to attacker-controlled servers. Data is often compressed with 7-Zip prior to exfiltration.

Encryption

The DragonForce encryptor implements a multithreaded hybrid model protecting data with symmetric algorithms like AES-256 or ChaCha20, wrapping the per-file key with RSA-2048 or RSA-4096. Depending on the target (Windows, Linux, or VMware ESXi), variants use partial or optimized encryption modes with specialized key exchange protection.

The encryptor targets most user and system files, excluding those critical for booting.

Impact and Destruction

The ransomware disables shadow volume copies with vssadmin delete shadows /all /quiet and deletes Veeam backups and backup files directly from servers. It disables boot recovery with bcdedit /set {default} recoveryenabled No to prevent system restoration.

Victims and Geography

Victims are predominantly concentrated in North America and Western Europe. Attacks have been observed in the United States, Canada, the United Kingdom, Germany, and France. The group selects targets based on their financial viability and the criticality of their operations.

Sources

  • BleepingComputer: Ransomware Group Adopts New Tactics
  • SentinelOne Labs: Ransomware Attack Trends
  • Unit 42: Ransomware Threat Report
  • CISA: Ivanti Connect Secure Vulnerabilities Alert
  • CrowdStrike Blog: 2024 Global Threat Report

Target Sectors

Sectors in which the DragonForce group has concentrated its attacks.

  • They seek design blueprints, trade secrets, and production data for extortion. Operations are disrupted to force payment, impacting the supply chain.

  • They target patient data (PHI) and disrupt vital services to maximize pressure. Access to medical records is highly sensitive and lucrative.

  • They steal financial data, customer information, and intellectual property for double extortion. Reputational impact is a key factor in their strategy.

  • They compromise government agencies to access sensitive data and cause disruption to public services. The objective can be both financial and geopolitical.

  • They attack essential services to cause widespread disruption and pressure for high payments. Disrupting services like energy or water is highly effective.

Detection & Response Rules

Rules ready to import into SentinelOne XDR.

Detects execution of tools like Mimikatz dumping LSASS or accessing its memory. The rule identifies processes with access patterns to lsass.exe and memory read operations.

S1QL v2
(EventType = 'Process Creation' AND TgtProcName = 'lsass.exe' AND (DllLoad ContainsCIS 'dbghelp.dll' OR DllLoad ContainsCIS 'secur32.dll')) OR (EventType = 'Process Access' AND DstProcName = 'lsass.exe' AND AccessMode = 'Read')

Identifies the execution of 'vssadmin.exe' with arguments for deleting shadow copy volumes. This indicates an attempt to prevent data recovery by the victim.

S1QL v2
EventType = 'Process Creation' AND TgtProcName = 'vssadmin.exe' AND TgtProcCmdLine ContainsCIS 'delete shadows /all /quiet'

Detects the execution of the 'rclone.exe' binary with parameters associated with syncing or copying data to remote destinations. The rule looks for cloud service usage patterns.

S1QL v2
EventType = 'Process Creation' AND TgtProcName = 'rclone.exe' AND (TgtProcCmdLine ContainsCIS 'sync' OR TgtProcCmdLine ContainsCIS 'copy') AND (TgtProcCmdLine ContainsCIS 'drive' OR TgtProcCmdLine ContainsCIS 'mega' OR TgtProcCmdLine ContainsCIS 's3')

Identifies the creation of new scheduled tasks with unusual names or actions. Tasks can be for ransomware persistence or remote access tools.

S1QL v2
EventType = 'Registry Key Create' AND RegistryKeyPath ContainsCIS 'Schedule\TaskCache\Tree\' AND RegistryKeyPath Does Not ContainCIS 'TaskCache\Tree\Microsoft\Windows\'

Detects RDP connection attempts to internal systems from unusual external IP addresses. This may indicate initial compromise via exposed RDP.

S1QL v2
EventType = 'IP Connect' AND NetConnDirection = 'INCOMING' AND DstPort = 3389 AND SrcIp NotIn ('Trusted_IPs_List')

Detects PowerShell or registry commands to disable Microsoft Defender components. Attackers attempt to neutralize endpoint defenses before encryption.

S1QL v2
(EventType = 'Process Creation' AND TgtProcName = 'powershell.exe' AND (TgtProcCmdLine ContainsCIS 'Set-MpPreference' OR TgtProcCmdLine ContainsCIS 'DisableAntiSpyware' OR TgtProcCmdLine ContainsCIS 'DisableRealtimeMonitoring' OR TgtProcCmdLine ContainsCIS 'Add-MpPreference -ExclusionPath')) OR (EventType = 'Registry Value Modified' AND RegistryKeyPath ContainsCIS 'SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware')