NEWS Let's live in peace (and rob together). DragonForce called on the world's largest gangs to agree on the rules of a "hacker cartel."

pinkman

The DragonForce group has switched to a ransomware-as-a-service model with automatic registration.
In less than two years, the DragonForce ransomware group has transformed from a little-known project into one of the most aggressive players in the digital blackmail market. Analysts at Cybereason report that the operators aren't simply carrying out attacks, but are building an entire "cartel" model and attempting to unite other gangs around them.

DragonForce emerged in late 2023 and quickly made a name for itself with a series of attacks on large organizations. The criminals employ a two-pronged approach. They not only encrypt company data but also steal confidential files beforehand. If the victim refuses to pay, they promise to release the information on the dark web. Manufacturing companies, construction companies, business service providers, and technology firms have been most frequently targeted. The largest number of incidents has been recorded in the US, UK, Germany, Australia, and Italy.

Experts note that the attackers are offering partners a ready-made "ransomware-as-a-service" platform. Essentially, it's an attack builder with support for multiple systems, including Windows, Linux, and server virtualization platforms. The suite includes various file encryption modes, startup delay settings, multi-threaded operation, and detailed activity logs. There's even a test mode that runs the attack without actual encryption. Recently, the operators simplified the onboarding of new participants and launched automatic registration without the previous strict checks.

DragonForce also announced a change in strategy. Partners are now allowed to create their own "brands" within the cartel and conduct separate projects using shared infrastructure. At the same time, the group launched an aggressive campaign against competitors. According to Cybereason, it hacked and defaced another gang's leak site and announced the "joining" of the RansomHub group. RansomHub publicly denied this, accusing its rivals of sabotage and ties to intelligence agencies. DragonForce representatives later called on major gangs to agree on operating rules and announced the formation of a coalition with several well-known ransomware groups.

One line of activity is particularly revealing. Instead of simply publishing stolen files, the criminals launched a "company data audit" service. Partners are offered analysis of the stolen information, assessments of the victim's business and reputational risks, and even prepared emails and negotiation scripts to pressure management. This effectively amounts to "consulting" for blackmail, indicating the growing organization and professionalization of the criminal underworld.

Technical analysis of the samples revealed similarities with previously leaked ransomware. The malware scans the network, searches for open network services, and deletes shadow copies of files via system utilities, depriving the victim of the ability to recover quickly. It also uses mechanisms to bypass security measures and spread across the internal network.

Experts emphasize that DragonForce is rapidly changing its tools and tactics, actively expanding its partner network, and increasing the effectiveness of its attacks. This makes the group a persistent threat to companies across a wide range of industries. Experts recommend paying special attention to system updates, multi-factor authentication, backups, and early detection of suspicious activity within the network.
 