{
	"id": "98688f87-1c7c-4105-b780-0ee75f8a3e3e",
	"created_at": "2026-04-06T00:10:04.975519Z",
	"updated_at": "2026-04-10T03:26:36.630112Z",
	"deleted_at": null,
	"sha1_hash": "3f024a708a84948aad8f1c53ae3ca56425e2ccac",
	"title": "LockBit Black \u0026 DragonForce: Unraveling the Link",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 967647,
	"plain_text": "LockBit Black \u0026 DragonForce: Unraveling the Link\r\nBy cybleinc\r\nPublished: 2024-04-24 · Archived: 2026-04-05 20:38:29 UTC\r\nCRIL investigates DragonForce Ransomware and its links to a leaked LOCKBIT Builder.\r\nKey Takeaways\r\nCyble Research \u0026 Intelligence Labs (CRIL) identified a DragonForce ransomware binary based on LOCKBIT Black ransomware, suggesting the threat actors behind DragonForce used a leaked builder of LOCKBIT Black ransomware to generate their binary.\r\nIn September 2022, an X (Twitter) user shared the download link for the LockBit ransomware builder, which allows threat actors to customize ransomware payloads according to their preferences.\r\nA comparison between binaries generated using the leaked builder of LOCKBIT ransomware and DragonForce ransomware revealed significant similarities, indicating the DragonForce ransomware binary was likely created using the leaked builder of LOCKBIT ransomware.\r\nDragonForce ransomware surfaced in November 2023. It utilizes double extortion tactics to target victims, exfiltrating data before encryption and subsequently leaking the data if ransom demands are not met.\r\nThere is also a hacktivist group called DragonForce, based in Malaysia, which in 2022 announced its intention to launch ransomware. However, it remains unclear whether that announcement is connected to the discovered DragonForce ransomware.\r\nDragonForce ransomware operations began in November 2023 with the public disclosure of victim details on a cybercrime forum and their leak site. To date, they have disclosed information about more than 25 victims worldwide.\r\nOverview\r\nDragonForce Ransomware emerged in November 2023. This group employs double extortion to target its victims, involving data exfiltration followed by encryption. If the victim fails to pay the ransom, the Threat Actors (TAs) behind this ransomware group leak the victim’s data on their leak site. The figure below shows the DragonForce ransomware leak site.\r\nhttps://cyble.com/blog/lockbit-blacks-legacy-unraveling-the-dragonforce-ransomware-connection/\r\nPage 1 of 8\r\nFigure 1 – DragonForce Leak Site\r\nThere is also a hacktivist group called DragonForce based in Malaysia. During 2021 and 2022, they conducted various campaigns targeting government agencies and organizations across the Middle East and Asia. Additionally, in 2022, the group announced its intention to launch ransomware. However, due to limited information, it is challenging to determine whether the ransomware discovered is connected to this hacktivist group.\r\nDragonForce ransomware began extorting their victims in November 2023 by publishing victim details and their leak site URL on a cybercrime forum. This move was likely aimed at increasing the visibility of their attacks, as only a handful of ransomware groups utilize cybercrime forums for extortion. So far, DragonForce has publicly disclosed information about over 25 victims worldwide. The figure below shows the post on a cybercrime forum.\r\nFigure 2 – Post on Cybercrime Forum\r\nThe figure below shows the Tor site used for leaking victims’ data.\r\nFigure 3 – DragonForce data leak site\r\nCRIL recently found a DragonForce ransomware binary which was based on LOCKBIT Black ransomware. LOCKBIT Black is the third variant of LOCKBIT ransomware, and we believe that the TAs behind the DragonForce ransomware leveraged the leaked builder of LOCKBIT Black ransomware to generate their binary. The figure below shows the leaked builder of LOCKBIT ransomware.\r\nFigure 4 – Post Regarding Leaked LOCKBIT Builder (Source: Cyble)\r\nIn September 2022, a user on X (Twitter) shared the download link of the LockBit ransomware builder. Using this builder, TAs can customize the ransomware payload as per their requirements. The builder includes a “config.json” file to customize the payload according to the TA’s preferences, covering settings such as encryption mode, filename encryption, impersonation, exclusion of specific files and folders from encryption, and language-based exclusion of CIS countries. The configuration file also contains a ransom note template.\r\nFigure 5 – Config.json file of LockBit\r\nTechnical Analysis\r\nOur comparison between a binary generated using the leaked builder of LOCKBIT ransomware and DragonForce ransomware revealed striking similarities in the code structure and functions. This observation strongly suggests that the DragonForce ransomware binary was likely created utilizing the leaked builder of LOCKBIT ransomware. The figure below shows the BinDiff results.\r\nFigure 6 – BinDiff Analysis\r\nUpon execution, the ransomware terminates the following processes to free system resources for faster encryption:\r\noracle, tbirdconfig, powerpnt, ocssd, mydesktopqos, steam, dbsnmp, ocomm, thebat, synctime, dbeng50, thunderbird, agntsvc, sqbcoreservice, visio, isqlplussvc, excel, winword, xfssvccon, infopath, wordpad, mydesktopservice, msaccess, notepad, ocautoupds, mspub, calc, encsvc, onenote, wuauclt, firefox, outlook, onedrive\r\nThe ransomware also terminates the following services:\r\nmemtas, sophos, GxVss, GxCVD, mepocs, veeam, GxBlr, GxCIMgr, msexchange, backup, GxFWD, NegoExtender\r\nFollowing encryption, the ransomware binary renames the files using a random string followed by “.AoVOpni2N” as the extension. The figure below displays the encrypted files.\r\nFigure 7 – Encrypted Files\r\nThen, it drops a ransom note named “AoVOpni2N.README.txt” in each directory it traverses. The figure below displays the ransom note.\r\nFigure 8 – Ransom Note\r\nA complete analysis of LOCKBIT 3.0 can be found here.\r\nConclusion\r\nThe discovery of DragonForce ransomware and its links to the leaked builder of LOCKBIT Black ransomware underscores the growing threat posed by the abuse of leaked malware-building tools in cyberattacks. The accessibility of such tools enables TAs to customize and deploy ransomware payloads with ease, amplifying the risk landscape for organizations globally. The emergence of DragonForce ransomware, coupled with its utilization of double extortion tactics, highlights the evolving tactics employed by ransomware actors to maximize their impact and financial gain.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nSafety Measures Needed to Prevent Ransomware Attacks\r\nDo not open untrusted links and email attachments without first verifying their authenticity.\r\nConduct regular backup practices and keep those backups offline or in a separate network.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.\r\nUse a reputable anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.\r\nUsers Should Take the Following Steps After a Ransomware Attack\r\nDisconnect infected devices on the compromised network.\r\nDisconnect external storage devices if connected.\r\nInspect system logs to check for suspicious events.\r\nImpact of Ransomware\r\nLoss of valuable data.\r\nLoss of the organization’s reputation and integrity.\r\nLoss of the organization’s sensitive business information.\r\nDisruption of organizational operations.\r\nFinancial loss.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique | Procedure\r\nExecution | T1204.002 (User Execution) | Malicious file.\r\nDefense Evasion | T1562.001 (Impair Defenses: Disable or Modify Tools) | Ransomware disables Windows Defender.\r\nDefense Evasion | T1070.004 (Indicator Removal: File Deletion) | Ransomware deletes itself after execution.\r\nDiscovery | T1083 (File and Directory Discovery) | Ransomware enumerates folders for file encryption and file deletion.\r\nImpact | T1486 (Data Encrypted for Impact) | Ransomware encrypts the data for extortion.\r\nIndicators of Compromise (IOCs)\r\nIndicators | Indicator Type | Description\r\nd54bae930b038950c2947f5397c13f84 | MD5 | DragonForce Ransomware\r\ne164bbaf848fa5d46fa42f62402a1c55330ef562 | SHA1 | DragonForce Ransomware\r\n1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b | SHA256 | DragonForce Ransomware\r\nYARA Rule\r\nrule DragonForce {\r\n    meta:\r\n        author = \"Cyble Research and Intelligence Labs\"\r\n        description = \"Detects DragonForce Ransomware Memory Strings\"\r\n        date = \"2024-04-24\"\r\n        os = \"Windows\"\r\n    strings:\r\n        $a1 = \".onion\" nocase ascii wide\r\n        $a2 = \"Client area\" nocase ascii wide\r\n        $a3 = \"shadowcopy\" nocase ascii wide\r\n        $a4 = \"DO NOT DELETE readme\" nocase ascii wide\r\n        $a5 = \"encrypted with a strong algorithm\" nocase ascii wide\r\n    condition:\r\n        all of them\r\n}\r\nReferences\r\nhttps://www.radware.com/security/ddos-knowledge-center/ddospedia/dragonforce-malaysia/\r\nhttps://cyble.com/blog/alleged-builder-of-lockbit-black-ransomware-leaked/\r\nhttps://cyble.com/blog/lockbit-3-0-ransomware-group-launches-new-version/\r\nSource: https://cyble.com/blog/lockbit-blacks-legacy-unraveling-the-dragonforce-ransomware-connection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://cyble.com/blog/lockbit-blacks-legacy-unraveling-the-dragonforce-ransomware-connection/"
	],
	"report_names": [
		"lockbit-blacks-legacy-unraveling-the-dragonforce-ransomware-connection"
	],
	"threat_actors": [
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434204,
	"ts_updated_at": 1775791596,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f024a708a84948aad8f1c53ae3ca56425e2ccac.pdf",
		"text": "https://archive.orkl.eu/3f024a708a84948aad8f1c53ae3ca56425e2ccac.txt",
		"img": "https://archive.orkl.eu/3f024a708a84948aad8f1c53ae3ca56425e2ccac.jpg"
	}
}