Since its emergence in 2023, DragonForce has rapidly evolved from a ransomware-as-a-service (RaaS) operation into a sophisticated cybercriminal cartel. Initially relying on the LockBit 3.0 builder for developing its encryptors, DragonForce made a significant leap when it adopted the Conti v3 source code, which had been leaked publicly. This move not only enhanced its technical capabilities but also positioned DragonForce as a formidable player in the growing ransomware ecosystem.
By early 2025, DragonForce rebranded itself as a cartel, marking a pivotal shift in its operations and business model. Instead of functioning as a traditional ransomware group, the cartel structure now allows affiliates to white-label its payloads, create their own branded ransomware variants, and operate with greater independence while still using DragonForce’s robust infrastructure and support system.
The Cartel Model – A New Approach to Ransomware
One of the most striking elements of DragonForce’s evolution is its cartel-like structure. By offering affiliates an 80% profit share, the group removes many of the technical barriers to entry that typically hinder smaller operators. This model not only incentivizes the recruitment of new affiliates but also lowers the entry threshold for would-be cybercriminals, expanding the group’s reach and operational footprint.
DragonForce’s cartel infrastructure provides affiliates with everything they need to launch successful ransomware attacks. This includes:
- Automated deployment systems to streamline attacks
- Customizable encryptors that can be tailored to specific targets
- Reliable, 24/7 monitored infrastructure to support operations
- Support for multiple platforms, including Windows, ESXi, Linux, BSD, and NAS systems
This wide-reaching technical infrastructure makes DragonForce’s operations highly scalable and adaptable to different targets across various sectors.
Partnering with Scattered Spider: A Dangerous Duo
DragonForce’s rise is also closely tied to its partnership with Scattered Spider, a financially motivated initial access broker known for its expertise in social engineering and multi-factor authentication (MFA) bypass techniques. Scattered Spider specializes in conducting reconnaissance on employees through social media and open-source intelligence, using this information to craft convincing phishing campaigns and voice phishing attacks.
Once credentials are compromised, Scattered Spider deploys remote monitoring and management (RMM) tools such as ScreenConnect and AnyDesk to establish persistence on the target network. From there, DragonForce conducts extensive network reconnaissance, with a particular focus on backup infrastructure, credential repositories, and VMware environments, all key targets for maximizing the impact of its ransomware attacks.
Technical Advancements: Stronger, Smarter Malware
What truly sets DragonForce apart from other ransomware operations is its technical sophistication. The group has demonstrated an ability to quickly adapt and improve its tactics in response to emerging threats and vulnerabilities. Notably, after researchers disclosed weaknesses in the Akira ransomware’s encryption methods, DragonForce swiftly improved its own encryption mechanisms to stay ahead of the curve.
DragonForce uses ChaCha20 encryption for its configuration files and generates unique encryption keys for each targeted file, making it harder for defenders to detect or reverse the encryption process. In addition, DragonForce employs multiple encryption modes—full, header, and partial encryption—with configurable thresholds that allow for customizable encryption strategies based on the type of file being targeted.
The Growing Threat of BYOVD Attacks
Another alarming technical advancement employed by DragonForce is the use of BYOVD (Bring Your Own Vulnerable Driver) attacks. This method involves loading legitimately signed but vulnerable drivers such as truesight.sys and rentdrv2.sys and abusing them to terminate security software and protected processes. By communicating with these drivers through the DeviceIoControl API using driver-specific control codes (IOCTLs), DragonForce is able to bypass endpoint detection and response (EDR) solutions and maintain a foothold in the target system.
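Two of the behaviours described above leave telemetry a defender can alert on: the RMM tooling (ScreenConnect, AnyDesk) dropped for persistence, and the vulnerable-driver loads (truesight.sys, rentdrv2.sys) used for BYOVD. The following Python script is an added example, not code from the article or from any DragonForce tooling. It assumes Sysmon-style events in JSON form (Event ID 6 for DriverLoad, Event ID 1 for ProcessCreate, with `Image` and `Computer` fields), and the sample events, host names, and the `approved_rmm_hosts` allow-list are constructed for illustration.

```python
import re
from collections import defaultdict

# Driver file names the article names as abused in DragonForce BYOVD attacks.
VULNERABLE_DRIVERS = {"truesight.sys", "rentdrv2.sys"}

# RMM products the article names as persistence tooling. Matching is on the
# image file name only, case-insensitively; legitimate installs are handled
# via the approved-host allow-list passed to detect().
RMM_PATTERNS = {
    "AnyDesk": re.compile(r"anydesk", re.IGNORECASE),
    "ScreenConnect": re.compile(r"screenconnect", re.IGNORECASE),
}

# Constructed sample telemetry in a Sysmon-like shape (not real logs).
# EventID 6 = DriverLoad, EventID 1 = ProcessCreate.
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "WS-01", "Image": r"C:\Windows\System32\drivers\disk.sys"},
    {"EventID": 6, "Computer": "WS-01", "Image": r"C:\Users\Public\truesight.sys"},
    {"EventID": 6, "Computer": "SRV-FILE-02", "Image": r"C:\Windows\Temp\RentDrv2.sys"},
    {"EventID": 1, "Computer": "HELPDESK-01", "Image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
    {"EventID": 1, "Computer": "WS-01", "Image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe"},
    {"EventID": 1, "Computer": "SRV-DB-01",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (example)\ScreenConnect.ClientService.exe"},
    {"EventID": 1, "Computer": "WS-01", "Image": r"C:\Windows\System32\svchost.exe"},
]


def image_name(path):
    """Return the lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, approved_rmm_hosts=frozenset()):
    """Run both rules over the events and return a list of finding dicts.

    approved_rmm_hosts is a hypothetical allow-list of hosts where RMM
    software is sanctioned (e.g. a help-desk workstation).
    """
    findings = []
    for ev in events:
        host = ev.get("Computer", "unknown")
        image = ev.get("Image", "")
        # Rule 1: a known-vulnerable driver was loaded, whatever its path.
        if ev.get("EventID") == 6 and image_name(image) in VULNERABLE_DRIVERS:
            findings.append({"rule": "byovd_driver_load", "host": host, "detail": image})
        # Rule 2: an RMM client started on a host not approved for it.
        elif ev.get("EventID") == 1 and host not in approved_rmm_hosts:
            for product, pattern in RMM_PATTERNS.items():
                if pattern.search(image_name(image)):
                    findings.append({"rule": "unexpected_rmm", "host": host,
                                     "detail": f"{product}: {image}"})
                    break
    return findings


def hosts_with_both(findings):
    """Hosts showing both RMM persistence and a BYOVD driver load, i.e. the
    full access-then-defence-evasion chain the article describes."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f["host"]].add(f["rule"])
    wanted = {"byovd_driver_load", "unexpected_rmm"}
    return sorted(h for h, r in rules_by_host.items() if wanted <= r)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS, approved_rmm_hosts={"HELPDESK-01"})
    for f in found:
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
    print("hosts with full chain:", hosts_with_both(found))
```

The driver rule matches on file name regardless of load path because BYOVD drivers carry valid signatures and will not fail signature checks; pairing it with the RMM rule per host surfaces machines where the initial-access tooling and the EDR-killing stage appear together, which is the pattern worth prioritising.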
The malware is designed to target specific processes during encryption, including SQL Server instances, Oracle databases, and Microsoft productivity applications. This targeted approach helps maximize the success rate of encryption and ensures that critical systems are impacted.
Widespread Impact: DragonForce’s Growing Reach
Since its inception, DragonForce has impacted over 200 victims across various industries, including retail, airlines, insurance, managed service providers, and large enterprise sectors. One of the most notable attacks attributed to DragonForce and its partner, Scattered Spider, was the Marks & Spencer breach, which showcased the group’s operational effectiveness.
As DragonForce continues to recruit new affiliates, acquire rival infrastructure, and expand its cartel model, it is poised to become an even more dominant force in the world of ransomware.
A Concerning Evolution in Cybercrime
DragonForce’s transformation from a simple ransomware-as-a-service operation to a full-fledged cybercriminal cartel represents a troubling shift in the landscape of cybercrime. The cartel structure not only makes it easier for cybercriminals to enter the ransomware business but also ensures that DragonForce maintains control over its vast network of affiliates and operations.
As the group continues to recruit new talent and refine its tools and tactics, its ability to target high-value entities will only increase. For businesses and organizations, this represents a growing and evolving threat that requires heightened vigilance, stronger cybersecurity defenses, and proactive measures to mitigate the risks posed by these sophisticated ransomware operations.