DragonForce (aka “DragonForce Ransomware Cartel”) — Threat Analysis & Defender Playbook Prepared by CyberDudeBivash Threat Intelligence — updated Aug 31, 2025

Executive summary

DragonForce is a fast-rising RaaS operation that blends profit-driven ransomware with hacktivist-style optics. In Mar–Apr 2025 it rebranded as a “cartel,” rolled out white-label branding and RansomBay leak portals (affiliates can hide the DragonForce name), and moved to absorb orphaned affiliates, including a public takeover of RansomHub’s infrastructure, fueling a wave of high-impact attacks (notably against UK retail). (Sophos News, Check Point Blog, Trend Micro)


Who/what is DragonForce (model, scale, positioning)

  • RaaS → “Cartel” shift (Mar 19, 2025): affiliates can run their own brands on DragonForce infrastructure; DF takes a ~20% cut. (Sophos News, Check Point Blog)
  • RansomHub saga (Mar–Apr 2025): RansomHub’s leak site went dark on Mar 31; DF commandeered the infrastructure and announced on Apr 8 that RH had “joined the cartel” (RH is now considered inactive). (Trend Micro)
  • Turf war + retail focus: 2025 campaigns hit UK retailers (e.g., M&S, Co-op, Harrods), and DF publicly sparred with rival crews, defacing their leak sites and courting their affiliates. (Sophos News, Barracuda Blog)

Tooling & payloads (what runs on your endpoints)

  • Code pedigree: early lockers were built from the leaked LockBit 3.0 builder; the newer line borrows from Conti v3 with upgrades (e.g., BYOVD to terminate security tooling). (Group-IB)
  • Crypto: variants observed using AES+RSA or the ChaCha/Salsa family for speed; Windows, Linux, ESXi and NAS builds are available to affiliates with rich CLI switches (delay, thread count, ESXi VM handling, allow/deny lists). (SentinelOne)
  • Branding/portals: optional white-label skins; RansomBay leak portals host affiliate data; DF advertises an 80/20 affiliate split. (SentinelOne, Check Point Blog)
  • File markers: extensions are custom per campaign; seen in the wild include “.dragonforce_encrypted” and the “.DEVMAN” variant line. Don’t key detection on one string. (Microsoft, Broadcom)

Tactics, techniques & procedures (MITRE ATT&CK)

Initial access — TA0001

  • Social engineering (including voice phishing of help desks) and use of stolen credentials; heavy RDP focus. (Sophos News)
  • Opportunistic edge exploitation: Ivanti Connect Secure (CVE-2023-46805 auth bypass chained with CVE-2024-21887 command injection; CVE-2024-21893 SSRF), Log4Shell (CVE-2021-44228), and the Windows SmartScreen bypass CVE-2024-21412. (SentinelOne)

Execution / Persistence / Priv-Esc — TA0002/TA0003/TA0004

  • Cobalt Strike and the SystemBC backdoor, credential dumping, and BYOVD to kill EDR. (Group-IB)

Discovery & Lateral movement — TA0007/TA0008

  • SoftPerfect/Advanced IP Scanner and PingCastle for discovery; PsExec (Windows) and SSH (Linux/ESXi) to push lockers across hosts. (Group-IB)

Exfiltration & Command and control — TA0010/TA0011

  • MEGA, SFTP and WebDAV for exfiltration; DF runs Tor-based victim portals (RansomBay et al.). (SentinelOne)

Impact — TA0040

  • Multi-extortion: data theft + encryption; affiliate-tuned service kills, VSS (shadow copy) deletion, event-log clearing. (Group-IB)

What changed in 2025 (why defenders should care)

  • Cartelization & white-label: lowers the barrier for affiliates and hides attribution, increasing attack noise. (SentinelOne, Check Point Blog)
  • RansomHub takeover & turf wars: ecosystem instability → overlapping claims and extortion-on-extortion risk for victims. (Trend Micro, Sophos News)
  • Retail + industrial interest: DF campaigns impacted UK retail; multiple sources track industrial victims too. (Sophos News, Barracuda Blog)

Hunt & detect — quick wins you can deploy today

Identity/edge

  • Alert on new VPN logins from unusual geos; watch for Ivanti Connect Secure exploit chains (CVE-2023-46805, CVE-2024-21887, CVE-2024-21893) and CVE-2024-21412 SmartScreen-bypass artifacts (Internet Shortcut .url files). Enforce FIDO2/WebAuthn MFA for VPN/RDP/help-desk. (SentinelOne)

Endpoint/EDR

  • Sequence analytics: VSS deletions (vssadmin/wmic/diskshadow) → service/process kills → event-log clears (wevtutil cl) → high-volume file writes/renames, all on the same host within minutes.
  • Flag SystemBC beacons and Cobalt Strike traffic; block unapproved RMM installs. (Group-IB)
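The sequence analytic above, worked through as an added example (this is not CyberDudeBivash's or DragonForce's code). It runs a per-host sliding window over constructed EDR/Sysmon-style events; the field names (ts, host, type, cmdline, path), the thresholds and the sample hosts FS01/WS07 are assumptions.

```python
"""Sequence analytics for the impact chain above: shadow-copy deletion, service/process
kills, event-log clears and a burst of file writes on one host inside a short window.

Added example (not CyberDudeBivash's or DragonForce's code). Events are constructed
EDR/Sysmon-style dicts; field names (ts, host, type, cmdline, path) are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per stage, matched case-insensitively against the full command line.
STAGE_PATTERNS = {
    "vss_delete": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*delete|diskshadow", re.I),
    "service_kill": re.compile(
        r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s+.*(/f|/im)"
        r"|stop-service)\b", re.I),
    "log_clear": re.compile(r"wevtutil(\.exe)?\s+cl\b|clear-eventlog", re.I),
}


def stage_of(cmdline):
    """Return the stage name a command line belongs to, or None for benign lines."""
    for name, rx in STAGE_PATTERNS.items():
        if rx.search(cmdline):
            return name
    return None


def detect_impact_chain(events, window_minutes=10, write_burst=50, burst_seconds=60):
    """Per host, find the window_minutes window holding the most distinct stages.

    Returns {host: {"stages": [...], "start": datetime, "end": datetime,
    "severity": "high"|"medium"}} for hosts showing >= 3 of the 4 stages.
    """
    marks = defaultdict(list)   # host -> [(ts, stage)]
    writes = defaultdict(list)  # host -> [ts] of file writes
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process":
            st = stage_of(ev["cmdline"])
            if st:
                marks[ev["host"]].append((ts, st))
        elif ev["type"] == "file_write":
            writes[ev["host"]].append(ts)

    # Collapse file writes into one "write_burst" mark at the first moment >= write_burst
    # writes fall inside burst_seconds (sliding window over sorted timestamps).
    for host, tss in writes.items():
        tss.sort()
        j = 0
        for i, t in enumerate(tss):
            while tss[j] < t - timedelta(seconds=burst_seconds):
                j += 1
            if i - j + 1 >= write_burst:
                marks[host].append((t, "write_burst"))
                break

    findings = {}
    for host, hm in marks.items():
        hm.sort()
        best = None
        for t0, _ in hm:
            in_win = [(t, s) for t, s in hm if t0 <= t <= t0 + timedelta(minutes=window_minutes)]
            stages = sorted({s for _, s in in_win})
            if best is None or len(stages) > len(best["stages"]):
                best = {"stages": stages, "start": t0, "end": in_win[-1][0]}
        if len(best["stages"]) >= 3:
            best["severity"] = "high" if len(best["stages"]) == 4 else "medium"
            findings[host] = best
    return findings


# Constructed sample telemetry (not real logs): FS01 shows the full chain, WS07 only noise.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T02:10:00", "host": "FS01", "type": "process",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-05-01T02:10:30", "host": "FS01", "type": "process",
     "cmdline": 'net stop "Veeam Backup Service" /y'},
    {"ts": "2025-05-01T02:11:05", "host": "FS01", "type": "process",
     "cmdline": "taskkill /F /IM sqlservr.exe"},
    {"ts": "2025-05-01T02:12:00", "host": "FS01", "type": "process",
     "cmdline": "wevtutil.exe cl Security"},
    {"ts": "2025-05-01T09:00:00", "host": "WS07", "type": "process",
     "cmdline": "wevtutil cl Application"},
    {"ts": "2025-05-01T14:00:00", "host": "WS07", "type": "process",
     "cmdline": "net stop spooler"},
]
_burst_start = datetime(2025, 5, 1, 2, 12, 30)
SAMPLE_EVENTS += [  # sixty writes in one minute on FS01: the encryption burst
    {"ts": (_burst_start + timedelta(seconds=i)).isoformat(), "host": "FS01",
     "type": "file_write", "path": f"D:\\share\\doc{i}.docx.dragonforce_encrypted"}
    for i in range(60)
]

if __name__ == "__main__":
    for host, f in detect_impact_chain(SAMPLE_EVENTS).items():
        print(f"{host}: {f['severity']} {f['stages']} {f['start']} -> {f['end']}")
```

WS07 never fires: its one log clear and one service stop are hours apart, so no ten-minute window holds three stages. Tune write_burst to the host's normal write rate; lower the chain threshold to two stages only for hosts (backup servers, hypervisor management) where a shadow-copy deletion alone is already abnormal.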

Network

  • New SFTP/MEGA/WebDAV egress from servers (first-seen destinations, unusual volume); sudden SMB/PsExec bursts from one host to many; Tor bootstrap from non-admin subnets. (SentinelOne)

ESXi

  • Monitor for vim-cmd enumeration (vmsvc/getallvms), mass VM stops (vmsvc/power.off, esxcli vm process kill), and SSH enablement, whether typed at the host shell or driven by vCenter scripts. (SentinelOne)
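A hunt over ESXi shell history for exactly those behaviours, as an added example (not CyberDudeBivash's or DragonForce's code). The log lines are constructed; they follow the "<ts> shell[<pid>]: [<user>]: <command>" layout of /var/log/shell.log as an assumption, so verify the line regex against a real host before relying on it.

```python
"""Hunt over ESXi shell history for the hypervisor behaviours listed above: VM
enumeration, mass VM stops, SSH enablement and disabling of execInstalledOnly.

Added example (not CyberDudeBivash's or DragonForce's code). The log lines are
constructed; they follow the "<ts> shell[<pid>]: [<user>]: <command>" layout of
/var/log/shell.log as an assumption, so check LINE_RX against a real host first.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RX = re.compile(r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$")
RULES = {
    "enumeration": re.compile(r"vim-cmd\s+vmsvc/getallvms|esxcli\s+vm\s+process\s+list"),
    "vm_stop": re.compile(r"vim-cmd\s+vmsvc/power\.(off|shutdown)|esxcli\s+vm\s+process\s+kill"),
    "ssh_enable": re.compile(r"vim-cmd\s+hostsvc/enable_ssh|/etc/init\.d/SSH\s+start"),
    "unsigned_exec": re.compile(r"execInstalledOnly\s+-i\s+0"),   # lets unsigned binaries run
}


def parse_shell_log(text):
    """Yield (timestamp, user, command) for each well-formed line; skip the rest."""
    for line in text.strip().splitlines():
        m = LINE_RX.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["user"], m["cmd"]


def hunt_esxi(text, stop_threshold=5, window_minutes=5):
    """Count the single-shot indicators and flag >= stop_threshold VM stops inside
    window_minutes as a mass stop; an isolated, scheduled power-off stays quiet."""
    hits = defaultdict(list)
    for ts, user, cmd in parse_shell_log(text):
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits[name].append((ts, user, cmd))
    findings = {name: len(v) for name, v in hits.items() if name != "vm_stop"}
    stops = sorted(hits["vm_stop"])
    for i, (t0, user, _) in enumerate(stops):
        burst = [s for s in stops[i:] if s[0] <= t0 + timedelta(minutes=window_minutes)]
        if len(burst) >= stop_threshold:
            findings["mass_vm_stop"] = {"count": len(burst), "user": user,
                                        "start": t0.isoformat()}
            break
    return findings


# Constructed sample (not a real host's log): one routine power-off the day before, then
# an operator disables execInstalledOnly, enables SSH, enumerates VMs and stops six of them.
SAMPLE_SHELL_LOG = """
2025-04-30T09:00:00Z shell[2100011]: [root]: vim-cmd vmsvc/power.off 12
2025-05-01T02:30:10Z shell[2100765]: [root]: esxcli network ip interface list
2025-05-01T02:30:20Z shell[2100765]: [root]: esxcli system settings advanced set -o /User/execInstalledOnly -i 0
2025-05-01T02:30:40Z shell[2100765]: [root]: vim-cmd hostsvc/enable_ssh
2025-05-01T02:30:50Z shell[2100765]: [root]: vim-cmd vmsvc/getallvms
2025-05-01T02:31:00Z shell[2100765]: [root]: vim-cmd vmsvc/power.off 1
2025-05-01T02:31:10Z shell[2100765]: [root]: vim-cmd vmsvc/power.off 2
2025-05-01T02:31:20Z shell[2100765]: [root]: vim-cmd vmsvc/power.off 3
2025-05-01T02:31:30Z shell[2100765]: [root]: vim-cmd vmsvc/power.off 4
2025-05-01T02:31:40Z shell[2100765]: [root]: vim-cmd vmsvc/power.off 5
2025-05-01T02:31:50Z shell[2100765]: [root]: vim-cmd vmsvc/power.off 6
2025-05-01T02:32:30Z shell[2100765]: [root]: ls /vmfs/volumes/datastore1
"""

if __name__ == "__main__":
    print(hunt_esxi(SAMPLE_SHELL_LOG))
```

Forward shell.log and hostd.log off the host with syslog before an intrusion, since a locker run from the same shell can clear local logs; the hunt is only as good as the copy that survives. Stops driven through vCenter rather than the host shell land in vpxd/hostd telemetry instead, so apply the same stop-rate rule there.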

Mitigation priorities (that actually cut risk)

  1. Patch/harden the edge first: Ivanti Connect Secure, internet-exposed RDP/Citrix; shrink the attack surface with geo/IP allowlists. (SentinelOne)
  2. Phishing-resistant MFA everywhere plus strict help-desk identity verification before any password or MFA reset (voice phishing of help desks is common in these crews). (Sophos News)
  3. Control RMM/tunnels: inventory and default-deny AnyDesk, ScreenConnect, etc.; alert on installs and first use. (Sophos News)
  4. Backups & recovery: offline/immutable copies, tested restores; stage restore networks; rehearse double-extortion communications. (Check Point Blog)
  5. EDR hardening: block known vulnerable drivers used by BYOVD loaders (Microsoft’s vulnerable-driver blocklist); enforce kernel-mode driver allowlisting; monitor for SystemBC persistence keys. (Group-IB)

Rapid response playbook (print-friendly)

  1. Contain: isolate compromised users/hosts; disable suspicious VPN sessions; block Tor and MEGA at egress.
  2. Preserve: pull Ivanti/RDP/VPN logs, AD, EDR, hypervisor telemetry; snapshot affected VMs.
  3. Hunt: look for the DF behaviors above; search for RansomBay case IDs and DF Tox IDs in ransom notes and portals. (SentinelOne)
  4. Eradicate: patch edge; rotate creds (admins, VPN, service accts); remove persistence (scheduled tasks, drivers, tunnels).
  5. Recover: staged restore; throttle egress; verify with canary files.
  6. Notify: regulators & law enforcement; coordinate legal/PR for potential data-leak pressure.

Indicators & reference artifacts (sample, not exhaustive)

  • Portals (Tor) and Tox IDs are published in open reporting for DF/RansomBay operations; incorporate them in intel feeds for blocking and hunting. (SentinelOne)
  • Extensions observed: “*.dragonforce_encrypted” and “.DEVMAN”, plus campaign-specific strings; treat the extension as a low-fidelity IOC. (Microsoft, Broadcom)

Sources / further reading

  • SentinelOne (May 2, 2025): payload lineage (LockBit → Conti), CLI options, SystemBC, white-label & RansomBay.
  • Check Point (May 6, 2025): 20% cut, white-label kits, affiliate absorption post-RansomHub.
  • Trend Micro (Dec 20, 2024, updated 2025): RansomHub takeover timeline (Mar 31–Apr 8, 2025).
  • Sophos (May 21, 2025): cartel rebrand, rival defacements, UK retail campaign; Scattered Spider/GOLD HARVEST links.
  • Group-IB (Sep 25, 2024): two DF variants, BYOVD, crypto details, SystemBC/Cobalt Strike usage.
  • Microsoft & Broadcom (2025): observed extensions “.dragonforce_encrypted” and the “.DEVMAN” variant.

#CyberDudeBivash #DragonForce #Ransomware #RaaS #RansomBay #DoubleExtortion #Ivanti #BYOVD #ESXi #MITREATTACK #DFIR #ThreatIntel
