The cybercriminal gang DragonForce has launched a series of sophisticated attacks against the manufacturing, real estate, and transportation industries worldwide, utilizing modified versions of the notorious LockBit and Conti ransomware variants. This new wave of cyberattacks, targeting industries in the U.S., U.K., and Australia, was recently uncovered by cybersecurity firm Group-IB.
Modified Ransomware: LockBit and Conti
DragonForce has enhanced its arsenal by using ransomware based on a leaked version of LockBit, as well as a customized variant of Conti ransomware that includes advanced features. Repurposing leaked ransomware families to fit an attacker's needs is becoming more common. According to Group-IB researchers, DragonForce’s modifications are part of this larger trend, in which gangs tailor well-known ransomware builders like Conti, Babuk, and LockBit to execute specific, high-value attacks.
Targeting High-Value Victims
Over the past year, Group-IB has tracked DragonForce’s activities, revealing that the group has targeted 82 victims, mostly located in the U.S., followed by the U.K. and Australia. DragonForce operates a ransomware-as-a-service (RaaS) model, where affiliates are carefully chosen from experienced cybercriminals. These affiliates, who retain 80% of the ransom payments, are allowed to customize the ransomware for specific attacks, adjusting encryption settings and personalizing ransom notes to fit their objectives.
The group uses a double extortion technique: the victim’s data is exfiltrated as well as encrypted. Victims are then pressured to pay a ransom in exchange for the decryptor, along with a “promise” that the stolen data won’t be released publicly. This tactic significantly increases the pressure on organizations, as a public data breach could lead to severe reputational damage, business disruption, and privacy violations.
Advanced Tools and Techniques
DragonForce’s toolset extends beyond just modified ransomware. In addition to LockBit 3.0 and Conti, the group employs several other malicious tools, including:
- SystemBC, a backdoor used for maintaining persistence in compromised networks.
- Mimikatz, a tool for harvesting credentials.
- Cobalt Strike, a popular penetration testing tool repurposed by cybercriminals for lateral movement within networks.
These tools, combined with the ability to customize ransomware for each attack, make DragonForce a formidable adversary.
Notable Attacks
DragonForce has previously launched attacks on several high-profile targets, including:
- Yakult Australia, the manufacturer of probiotic milk drinks.
- The Ohio Lottery.
- The Government of Palau.
These attacks demonstrate DragonForce’s willingness to target critical industries and government entities with its potent combination of ransomware and other advanced malware tools.
No Clear Attribution
Although DragonForce has been linked to Malaysia in previous reports, Group-IB has not attributed the attacks to any specific country or individuals in this latest investigation. The group continues to operate from the shadows, using dark web forums to recruit affiliates and promote their ransomware-as-a-service operations.

