{
	"id": "ada6bd9d-da4c-4f77-af26-785e7586e807",
	"created_at": "2026-04-06T00:17:02.118385Z",
	"updated_at": "2026-04-10T13:12:23.255522Z",
	"deleted_at": null,
	"sha1_hash": "64f9829c09b2bf58ac7b7f43851ae7a2ece1bc48",
	"title": "DragonForce Ransomware Group | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 864595,
	"plain_text": "Inside the Dragon: DragonForce Ransomware Group\r\nIn this blog, we look at the DragonForce ransomware group, which poses a severe threat with two variants: a LockBit fork and a customized Conti fork with advanced features and SystemBC malware.\r\nSeptember 25, 2024 · Ransomware\r\nNikolay Kichatov\r\nCyber Intelligence Analyst, Group-IB (APAC)\r\nhttps://www.group-ib.com/blog/dragonforce-ransomware/\r\nPage 1 of 40\n\nConti DragonForce LockBit Ransomware\r\nIntroduction\r\nIn light of the escalating frequency and complexity of ransomware attacks, are security leaders confident in their organization’s defenses? According to Group-IB’s Hi-Tech Crime Trends 2023/2024 Report, ransomware will have an increasingly significant impact in 2024 and beyond. Key trends driving this include the expansion of the Ransomware-as-a-Service (RaaS) market, the proliferation of stolen data on Dedicated Leak Sites (DLS), and a rise in affiliate programs. Furthermore, the evolution of ransomware variants is outpacing the advancements in cyber defence, leaving organizations unprepared for the threats on the horizon. To stay ahead, businesses must stay updated on the most pressing cybersecurity threats and the prominent threat actors that have recently emerged and continue to pose significant risks this year and in the future.\r\nIn this blog, we delve into the inner workings of the DragonForce ransomware group. 
Discovered in August 2023, DragonForce has been targeting companies in critical sectors using a variant of the leaked LockBit3.0 builder, and since July 2024 also with its own variant of ransomware.\r\nKey discoveries in this blog\r\nDragonForce Ransomware Overview and Tactics: DragonForce operates a Ransomware-as-a-Service (RaaS) affiliate program with two ransomware builds: one is a variant of LockBit3.0, and the other, though initially claimed as original, is based on ContiV3. The group employs double extortion tactics, encrypting data and threatening leaks unless a ransom is paid.\r\nAffiliate Program and Customizable Ransomware: The affiliate program, launched on 26 June 2024, offers 80% of the ransom to affiliates, along with tools for attack management and automation. Affiliates can create customized ransomware samples, including disabling security features, setting encryption parameters, and personalizing ransom notes.\r\nSecurity Bypass Techniques and Defense Evasion: DragonForce uses the “Bring Your Own Vulnerable Driver” (BYOVD) technique, included in the Conti variant of its ransomware, to terminate security processes and evade detection. Additionally, the ransomware clears Windows Event Logs post-encryption to hinder forensic investigations and obscure the attackers’ tracks.\r\nTargeted Industries and Ransomware Payload Analysis: Between August 2023 and August 2024, DragonForce targeted 82 victims across various industries, focusing on the Manufacturing, Real Estate, and Transportation industries. The ransomware payload features advanced encryption techniques and anti-analysis countermeasures.\r\nSystemBC, Cobalt Strike, and Network Reconnaissance: The DragonForce ransomware group utilizes the SystemBC backdoor for persistence, Mimikatz for credential harvesting, and Cobalt Strike beacons for command and control and post-exploitation. 
The group also uses network scanning tools like SoftPerfect Network Scanner to map networks and facilitate the spread of ransomware.\r\nWhat is DragonForce Ransomware?\r\nDragonForce is a Ransomware-as-a-Service (RaaS) affiliate program that now uses two versions of ransomware to target its victims. Many DragonForce ransomware attacks are customized to each victim to maximize their impact. To do this, the threat actors can leverage tactics such as changing the filename extensions of encrypted files, and terminating specific processes and services. Its ransomware builder allows affiliates to specify exactly which processes the ransomware should terminate, to ensure the successful encryption of all important data on the victim’s devices.\r\nBased on the observations by Group-IB’s Threat Intelligence analysts, DragonForce advertises its ransomware on the dark web. It has a proprietary DLS that contains unique company IDs and leaked account details.\r\nThe operators of DragonForce utilize a double extortion technique, where they exfiltrate a victim’s sensitive data in addition to encrypting it. They then demand ransom payment from their victims in return for a decryptor, and the “promise” that their stolen data will not be released. This dual-pronged approach, losing both access to their data and having their confidential information exposed, adds significant pressure on the victim to comply with the attackers’ demands, as there might be potential damage to their reputation, privacy, or business continuity if their data is made public.\r\nFrom August 2023 to August 2024, DragonForce ransomware listed a total of 82 victims on their Dark Web site. 
Of these, 43 attacks occurred in the United States, making up 52.4% of the incidents. Other significant targets included the United Kingdom with 10 attacks (12.2%) and Australia with 5 attacks (6.1%).\r\nFigure 1. Heatmap of targeted countries by DragonForce ransomware and its affiliates.\r\nThe manufacturing industry was the most targeted, with 12 attacks accounting for 14.6% of the total incidents. The Real Estate sector followed as the second most attacked, experiencing 11 incidents, which represents 13.4% of the total. The third most affected industry was Transportation, with 10 attacks, making up 12.2% of the total.\r\nFigure 2. Number of attacks on industries by DragonForce and its affiliates.\r\nInside the belly of the beast\r\nOn 26 June 2024, a user with the handle “dragonforce” started promoting an affiliate program of the DragonForce Ransomware on the underground forum “RAMP”. The post explained how affiliates can earn 80% of the total ransom amount and listed key features of the ransomware, including client tracking, automated file delivery, secure access control, support for extended detection and response (XDR) / endpoint detection and response (EDR) bypass, encryption, and SYSTEM impersonation, adding that comprehensive support services are also available to affiliates.\r\nFigure 3: Screenshot of a post by DragonForce promoting its ransomware-as-a-service on the RAMP forum.\r\nFigure 4. Screenshot of the user profile ‘dragonforce’ on the RAMP forum.\r\nOn 4 July 2024, DragonForce announced on the RAMP forum that they now only accept affiliates who have pre-acquired access, complete proof of their access, and have already exfiltrated victim data.\r\nFigure 5. Screenshot of DragonForce’s post dated 4 July 2024.\r\nThe DragonForce affiliate program officially began on 26 June 2024. Before launching this program, the group operated with their own team, conducting attacks independently. The introduction of the affiliate program allows other cybercriminals to join forces, significantly expanding the group’s reach and potentially leading to a surge in ransomware infections.\r\nIn a private conversation on Tox, Group-IB’s Threat Intelligence specialists obtained the following information from the attacker:\r\nEach affiliate has a unique .onion address, and a new profile needs to be created for each team member to grant them their own access.\r\nThe affiliates have two ransomware variants for Windows: one of their own creation, and a variant of LockBit that allows individuals coming from LockBit to adapt quickly. 
According to DragonForce, their ransomware can bypass XDR and EDR.\r\nDuring the course of our research, Group-IB’s Threat Intelligence specialists were able to obtain access to DragonForce’s panel.\r\nThe affiliates’ panel of the DragonForce ransomware group has the following sections:\r\nClients\r\nBuilder\r\nMy Team\r\nAdd Adver\r\nPublications\r\nConstructor\r\nRules\r\nBlog\r\nProfile\r\nFigure 6.1. A screenshot of the DragonForce login panel\r\nClients\r\nThe “Clients” section contains information about the companies attacked (victims), and includes details such as the amount of the ransom, status of the ransom, creator of the builder, ID of the client, DLS, size of the leak, the client’s status step (paid, or negotiation in progress), last seen, and whether the leak has been published.\r\nFigure 7. A screenshot of the “clients” section of the DragonForce affiliates’ panel\r\nBuilder\r\nThis section allows affiliates to build samples of the DragonForce ransomware with different configurations.\r\nFigure 8. Screenshot of the LockBit version of the DragonForce ransomware.\r\nWith the LockBit version of the DragonForce ransomware, affiliates can configure the following parameters:\r\nURL of the company\r\nRevenue\r\nComment\r\nTest decryption (enable or disable)\r\nTime range for ransom payment and use of the test decryptor\r\nPercentage of encryption\r\nImpersonation (enable or disable)\r\nEncrypt shares (enable or disable)\r\nSkip hidden folders (enable or disable)\r\nKill services (enable or disable)\r\nExcluded files\r\nExcluded folders\r\nExcluded extensions\r\nThe screenshots below demonstrate that the ransomware configuration provides options to either encrypt the entire corporate network or specific folders on the device. It also allows selecting a driver to terminate EDR/XDR processes (Rentdrv or Truesight).\r\nAs for the “original” version of the DragonForce ransomware, when an affiliate creates a builder, they set up a “client” page for the victim and can configure a DragonForce ransomware sample. They have the option to choose between the LockBit version or the original DragonForce sample, which is capable of terminating EDR/XDR processes. After creating a new client, the affiliate can download samples related to the specific client. If a sample of the “original” DragonForce ransomware is selected, a set of samples for both Windows and ESXi will be downloaded.\r\nWith this version, affiliates can configure the following parameters:\r\nURL of the company\r\nRevenue\r\nComment\r\nTest decryption (enable or disable)\r\nTime range for ransom payment and use of the test decryptor\r\nEncrypt whole system + Network or only Local Path\r\nPercentage of encryption\r\nExtension for encrypted files\r\nChoice of driver to terminate EDR/XDR processes\r\nName of ransom note\r\nExcluded files\r\nExcluded folders\r\nExcluded extensions\r\nExcluded shares\r\nFigure 9. The “original” (based on ContiV3) version of the DragonForce ransomware.\r\nThe “original” version of the DragonForce ransomware offers greater customization options. It allows affiliates to encrypt either the entire system and corporate network or just specific local paths. 
Affiliates can also choose the file extension for encrypted files, select a driver to terminate EDR/XDR processes, and configure the name of the ransom note.\r\nMy Team\r\nThe “My Team” section contains an interface for viewing advertisers (partners) related to the affiliate.\r\nFigure 10. A screenshot of the “My Team” section.\r\nAdd Adver\r\nThe “Add Adver” section contains an interface for creating advertisers for the affiliate (adding partners) and editing their access rights.\r\nFigure 11. A screenshot of the “Add Adver” section.\r\nPublications\r\nThe “Publications” section contains information about victim data that has been published on the dedicated leak site by an affiliate of DragonForce.\r\nFigure 12. A screenshot of the “Publications” section.\r\nConstructor\r\nWithin the “Constructor” section, affiliates can schedule a date for publishing victims’ data, in the event that the victims choose not to pay the ransom.\r\nFigure 13. A screenshot of the “Constructor” section.\r\nRules\r\nIn the “Rules” section, the administrators of the DragonForce ransomware group publish their rules, guides, and contacts relating to the use of the DragonForce ransomware, in Russian.\r\nFigure 14. A screenshot of the “Rules” section.\r\nFigure 15. A screenshot of the “Rules” within the section.\r\nFigure 16. A screenshot of the “Guides” within the section.\r\nFigure 17. A screenshot of the “Contacts” within the section.\r\nBlog\r\nThe “Blog” section contains links to the Dedicated Leak Site (DLS) of the DragonForce ransomware:\r\nhxxp://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid[.]onion\r\nFigure 18. A screenshot of the “DLS” of the DragonForce ransomware.\r\nProfile\r\nThe “Profile” section contains information about the affiliate and their authentication history, as well as functions to change passwords, log out, and check their unique onion page.\r\nFigure 19. A screenshot of the “Profile” section of the DragonForce ransomware.\r\nTactics, Techniques, and Procedures (TTPs)\r\nIn 2023, Group-IB’s Digital Forensics and Incident Response (DFIR) team responded to an incident, and can now reveal the impact of the DragonForce ransomware by analyzing the attacker’s tactics, techniques, and procedures (TTPs), from initial access through a public-facing server onwards.\r\nIncident Response Case: September DragonForce Attack\r\nInitial Access\r\nT1078 Valid Accounts\r\nDuring the course of the investigation, Group-IB’s DFIR analysts identified the initial access to the target network through a public-facing remote desktop server. Suspicious login activity was observed involving three different IP addresses using valid domain accounts. 
These accounts were used to gain unauthorized access in September 2023.\r\nDate and time of first sighting:\r\nTimestamp | Source IP Address\r\n2023-09-21 20:11:08 | 2[.]147[.]68[.]96\r\n2023-09-21 20:40:24 | 185[.]59[.]221[.]75\r\n2023-09-21 22:34:47 | 69[.]4[.]234[.]20\r\n2023-09-22 16:22:56 | 69[.]4[.]234[.]20\r\nExecution\r\nT1059.001 Command and Scripting Interpreter: PowerShell\r\nBased on the data collected, Group-IB’s DFIR analysts found that PowerShell commands were executed on several hosts within the network. The purpose of these commands was to remotely download and execute a malicious payload, which was later identified as a Cobalt Strike beacon.\r\nFigure 20: Snippet of the Remote Download of Cobalt Strike Beacon.\r\nPersistence\r\nT1078.002 Valid Accounts: Domain Accounts\r\nT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nT1543.003 Create or Modify System Process: Windows Service\r\nThe analysts also identified compromised accounts that were used by the threat actor to maintain persistence and move laterally within the organization. The SystemBC malware was found to create a registry value named “socks5” under “Software\\Microsoft\\Windows\\CurrentVersion\\Run” to ensure persistence. Two additional hosts were also found to be infected with SystemBC, although further data was unavailable for analysis.\r\nFigure 21: Windows Defender event log quarantine of Cobalt Strike.\r\nFigures 22 \u0026 23: Attempted service installation on the system.\r\nDefense Evasion\r\nT1070.001 Indicator Removal: Clear Windows Event Logs\r\nThe ransomware executable “df.exe” was found to have the capability to clear Windows Event Logs after completing its encryption tasks. 
This action is likely intended to hinder forensic investigation post-attack.\r\nFigure 24: Sample of cleared logs identified in the target network.\r\nCredential Access\r\nT1003.001 OS Credential Dumping: LSASS Memory\r\nGroup-IB’s DFIR analysts identified that the threat actor executed Mimikatz, a credential dumping tool, on four different hosts. The execution of Mimikatz resulted in the creation of a file named “123.txt,” which contained clear text credentials of the compromised users.\r\nDiscovery\r\nT1482 Domain Trust Discovery\r\nT1018 Remote System Discovery\r\nT1016 System Network Configuration Discovery\r\nT1082 System Information Discovery\r\nT1083 File and Directory Discovery\r\nOn one host, a compromised user executed the ADFind tool, saving the results in a file named “AD_subnet.txt.” This execution indicates that the attacker was gathering information about the network’s Active Directory. Additionally, on two other hosts, the network scanner tool “netscanold.exe” was found to have been executed, further supporting the attacker’s efforts to map out the network.\r\nExecution Time | File Location\r\n23/09/2023 4:04:46 | C:\\Users\\[Redacted]\\AppData\\Local\\Temp\\2\\netscanold.exe\r\n23/09/2023 4:11:47 | C:\\Users\\[Redacted]\\Music\\netscanold.exe\r\nLateral Movement\r\nT1021.001 Remote Services: Remote Desktop Protocol\r\nGroup-IB’s DFIR analysts determined that the attacker used Remote Desktop Protocol (RDP) to move laterally within the network. 
After gaining initial access through the public-facing server, the attacker used RDP to access internal servers and continued moving across the network.\r\nHere’s a detailed list of the unique malicious activities observed during the RDP sessions:\r\nMultiple RDP Connections – Used for lateral movement within the network.\r\nMimikatz Execution – Used to dump credentials from LSASS memory.\r\nADFind Execution – Used for Active Directory enumeration.\r\nSystemBC, Cobalt Strike, and Network Scanner Execution – Used to establish persistence, command-and-control communication, and perform network reconnaissance.\r\nDisabling Antivirus – Antivirus features were disabled, exceptions added, and antivirus uninstalled to avoid detection.\r\nRansomware Execution – Deployed ransomware to encrypt files across multiple systems.\r\nClearing Event Logs – Event logs were cleared after ransomware execution to cover tracks.\r\nCommand and Control\r\nT1071.001 Application Layer Protocol: Web Protocols\r\nAnalysis of the Cobalt Strike beacons revealed the command-and-control (C2) address 185[.]73[.]125[.]8, contacted over HTTP. An additional C2 address associated with the SystemBC malware was identified as 94[.]232[.]46[.]202. Firewall logs indicated connections to these C2 addresses.\r\nImpact\r\nT1486 Data Encrypted for Impact\r\nRansomware was deployed across the network, with the malicious executable responsible for the encryption identified as “df.exe”.\r\nFigure 25: Screenshot of the ransom note.\r\nMalware Analysis\r\nSystemBC\r\nFile path | MD5 Hash\r\nC:\\Users\\username\\AppData\\Local\\Temp\\2\\socks aug\\socks.exe | 97B70E89B5313612A9E7A339EE82AB67\r\nThe file socks.exe with MD5 hash 97B70E89B5313612A9E7A339EE82AB67 is a backdoor of the “SystemBC” malware family, which allows a remote attacker to upload additional executable files and execute them on a controlled host.\r\nThe file socks.exe is configured to connect to a C2 server with the IP address 94[.]232[.]46[.]202 every 180 seconds. Upon the attacker’s command, the sample can download a file, save it in a specified directory on the infected host and execute it.\r\nThe file socks.exe achieves persistence by creating a value named “socks5” within the registry key HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, which is responsible for automatic execution upon user logon. The value contains the command ‘powershell.exe -windowstyle hidden -Command \u0026 ‘path_to_executable_file’’, where ‘path_to_executable_file’ is the path at which the SystemBC sample is stored in the filesystem, so the backdoor is relaunched through a hidden PowerShell window each time a user logs on.\r\nCobalt Strike Beacon\r\nFile path | MD5 Hash\r\nC:\\Users\\username\\AppData\\Local\\Temp\\2\\a65.exe | A50637F5F7A3E462135C0AE7C7AF0D91\r\nThe file a65.exe with MD5 hash A50637F5F7A3E462135C0AE7C7AF0D91 is a payload of the post-exploitation framework Cobalt Strike, which allows a remote attacker to perform various actions on an infected system, including but not limited to uploading/downloading files, executing files and commands in a command interpreter, gathering user credentials, and moving laterally across the network. 
The file is configured to connect to the URL http[:]//185[.]73[.]125[.]8/broadcast and receive commands from it.\r\nSoftPerfect Network Scanner\r\nFile path | MD5 Hash\r\nC:\\Users\\username\\AppData\\Local\\Temp\\2\\netscanold.exe | BB7C575E798FF5243B5014777253635D\r\nThe file netscanold.exe with MD5 hash BB7C575E798FF5243B5014777253635D is a network scanning tool known as SoftPerfect Network Scanner. It is a system administration tool which allows its user to get the list of reachable hosts and network shares, as well as to connect to discovered hosts via RDP, WMI, and SMB.\r\nRansomware Payload\r\nFile path | MD5 Hash\r\ndf.exe (dropped in multiple paths) | C111476F7B394776B515249ECB6B20E6\r\nThe file df.exe with MD5 hash C111476F7B394776B515249ECB6B20E6 is a malicious file intended to encrypt the contents of files within the filesystem. It utilizes a combination of the RSA-1024 and Salsa20 encryption algorithms, so it is impossible to decrypt files without knowledge of the private key. After the encryption of files is completed, df.exe clears the Windows event logs.\r\nIn the next section, we turn our attention to the different versions of the DragonForce ransomware.\r\nTechnical information about ransomware builds\r\nDragonForce offers two different builds. Based on the information they provided, one is a variant of LockBit 3.0, while the other was claimed by DragonForce to be their own original DragonForce ransomware variant. 
However, after analysis of the latter, we found that it is actually a variant of ContiV3, enhanced with new features such as “Bring Your Own Vulnerable Driver” (BYOVD).\r\nThis is unsurprising, as modern ransomware operators are increasingly reusing and modifying leaked builders from well-known ransomware families to tailor them to their needs. Conti, Babuk, and LockBit are among the common families that have been modified.\r\nContiV3 fork\r\nA sample of this has been seen in the wild since July 2024. It creates a mutex “dragonforce_encrypted_system” and usually renames files with a “.dragonforce_encrypted” extension, which can be changed by its affiliates. As the ContiV3 code has been leaked and analyzed, we will mainly focus on features that have been added by DragonForce.\r\nNew features! Buy me instead! (Differences from Conti)\r\nEmbedded Configuration\r\nBring Your Own Vulnerable Driver (BYOVD) for process termination\r\nEncrypt filenames\r\nPersistence via Scheduled tasks\r\nVerbose logging\r\nDragonForce wallpaper and icon\r\nObfuscation / Anti-analysis\r\nIts anti-analysis techniques are inherited from Conti.\r\nSELECT * FROM Win32_ShadowCopy\r\ncmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where \"ID='%s'\" delete\r\nString obfuscation using ADVobfuscator\r\nResolving APIs by Hash – Names are hashed with the `MurmurHash2A` algorithm with the seed value `0xB801FCDA`\r\nAnti-hooking – compares the currently loaded functions with the original files. If the bytes have been modified, it replaces them with the original bytes\r\nDeleting Shadow Copies with COM Objects – enumerates shadow copies and deletes them\r\nCommand-line Arguments\r\nThese are mostly inherited from Conti as well.\r\nArgument | Description\r\n-p | EncryptMode – path\r\n-m | EncryptMode – all, local, net\r\n-log | Specify log file\r\n-size | Specify file encryption percentage\r\n-nomutex | Do not create mutex\r\nConfiguration\r\nIn contrast to Conti, DragonForce embeds a configuration inside the binary so that no command-line options are needed. However, when command-line options are used, they override the values specified in the configuration.\r\nFigure 26: Screenshot of a snippet of the decrypted configuration.\r\nThese configuration values correspond to the aforementioned guides. Here’s a concise summary, to spare one from reading the nitty-gritty byte-by-byte details:\r\nstart_marker: 0xDEAD\r\nbuild_key\r\noffset_embedded_resource\r\nencrypt_mode: 10/11/12/14 - all/local/network/path\r\ntime_sync\r\nlogging option and filepath\r\nfilesize_for_fullencrypt\r\nfilesize_for_headerencrypt\r\nheader_encrypt_size\r\nother_encrypt_chunk_percent\r\nencrypt_file_names\r\ncustom_icon option, size and filepath\r\nschedule_job details\r\nkill\r\nuse_sys: 0/1/2 - None, Truesight, RentDrv\r\ndriver offset and sizes\r\ndriver encryption key\r\ndriver encryption nonce\r\nlist of processes to kill (priority)\r\nlist of processes to kill\r\ncustom_extension\r\nwhitelisted paths\r\nwhitelisted extensions\r\nwhitelisted filenames\r\nwhitelisted shares\r\ncustom_ransomnote_name\r\ncustom_wallpaper option, size and filepath\r\nend_marker: 0xBEEF\r\nBYOVD for terminating processes\r\nConti uses the Windows Restart Manager to kill processes that are currently holding the files it wants to encrypt. DragonForce has implemented additional ways to kill processes, especially protected processes.\r\nThe “Bring Your Own Vulnerable Driver” (BYOVD) technique has become a favored technique among ransomware groups for disabling EDR products. This tactic involves bringing vulnerable drivers onto compromised systems and leveraging them to execute malicious code at the kernel level. By default, 64-bit versions of Windows Vista and later will load a kernel-mode driver only if the kernel can verify the driver signature. DragonForce abuses digitally signed but vulnerable drivers by bringing them onto the systems and using them to terminate critical AV or EDR processes, enabling it to operate undetected in the compromised environment.\r\nDuring the build phase, two different vulnerable driver options are provided to the user. These drivers expose IOCTL commands with privileged functionality but lack adequate access controls. The selected driver is then compressed, encrypted, and embedded into the binary. Both drivers perform the same method of process termination by calling `ZwOpenProcess()` and `ZwTerminateProcess()`. Both drivers are listed in Microsoft’s recommended driver block rules.\r\n1. TrueSight.sys\r\nTrueSight.sys is actually the RogueKiller Antirootkit Driver v3.3 developed by Adlice Software. The company, Adlice, has already published a fix in v3.4. The `0x22E044` control code terminates the target process specified by its PID.\r\nFigure 27: Screenshot of the `0x22E044` control code in the Truesight driver.\r\n2. RentDrv.sys\r\nA driver developed by Hangzhou Shunwang Technology. Not much information about the driver can be found online. 
The `0x220E010` control code terminates the target process specified by its PID.\r\nFigure 28: Screenshot of the `0x220E010` control code in the RentDrv driver.\r\nIn user mode, the program retrieves a device handle to the driver and communicates with the driver via DeviceIoControl. Since the methods of loading and using these drivers are similar, the code is shared and the driver-specific parts are selected with a simple switch statement.\r\nFigure 29: Screenshot of the program communicating with the driver via DeviceIoControl.\r\nHashes of Drivers\r\nName | SHA256\r\nRentDrv.sys | 1aed62a63b4802e599bbd33162319129501d603cceeb5e1eb22fd4733b3018a3\r\nRentDrv.sys (64-bit) | 9165d4f3036919a96b86d24b64d75d692802c7513f2b3054b20be40c212240a5\r\nTruesight.sys | bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c\r\nAlthough DragonForce has advertised that one can configure two process kill lists, one for a single termination and the other for continuous termination, we found that it starts two threads for killing processes. Both threads actually run in an infinite loop, constantly checking for processes to be terminated. The ‘priority’ thread sleeps for 15 ms after each check, while the ‘normal’ thread sleeps for 250 ms per loop.\r\nPrivilege Escalation\r\nIn order to kill processes, the ransomware requires at least administrator privileges. 
Once it confirms that it has elevated privileges, it attempts to execute itself as SYSTEM using Access Token Manipulation.\r\nIt enumerates running processes to find one running with SYSTEM-level privileges, then duplicates its access token with `DuplicateTokenEx()`, and uses it with `CreateProcessWithTokenW()` to create a new process running under the security context of `NT AUTHORITY\\SYSTEM`.\r\nFigure 30: Screenshot of the program attempting to perform privilege escalation.\r\nEncryption Schema\r\nThere are no major modifications to Conti’s encryption schema, except that some values are now customizable during the build and filenames can be encrypted.\r\nFor those unfamiliar with Conti’s encryption schema: for each file, a ChaCha8 key and IV are generated by the `CryptGenRandom()` function. They are then used to initialize the ChaCha8 state and subsequently to encrypt the file. 
The key and IV are then concatenated, encrypted\r\nwith RSA and appended to the end of the file, so recovering a file requires the RSA private key that\r\nonly the operator holds.\r\nOther than the four encryption modes (all, net, local, path) mentioned in the operator guide above,\r\nthere are three encryption types, FULL_ENCRYPT, PARTLY_ENCRYPT and\r\nHEADER_ENCRYPT, and the type is chosen by file extension first and file size second:\r\nFiles with database extensions are fully encrypted\r\nFiles with virtual machine extensions are 20% encrypted\r\nFor other files:\r\nFile size \u003c full_encrypt_threshold: Full encryption\r\nFile size \u003c header_encrypt_threshold: Only the first [header_encrypt_size] bytes are\r\nencrypted\r\nOther: Encrypted by [other_encrypt_chunk_percent]\r\nBecause the extension check comes first, a multi-gigabyte database is still fully encrypted, while a\r\ndocument between the two size thresholds keeps everything after its first [header_encrypt_size]\r\nbytes intact, which is worth knowing when triaging what may be partially recoverable.\r\nThe following is a list of database file extensions:\r\n.4dd, .4dl, .accdb, .accdc, .accde, .accdr, .accdt, .accft, .adb, .ade, .adf, .adp, .arc, .ora, .alf, .ask,\r\n.btr, .bdf, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad, .dadiagrams, .daschema, .db, .db-shm, .db-wal, .db3, .dbc, .dbf, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .ddl, .dlis, .dp1, .dqy, .dsk, .dsn, .dtsx,\r\n.dxl, .eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fmp, .fmp12, .fmpsl, .fol, .fp3, .fp4, .fp5, .fp7, .fpt,\r\n.frm, .gdb, .grdb, .gwi, .hdb, .his, .ib, .idb, .ihx, .itdb, .itw, .jet, .jtx, .kdb, .kexi, .kexic, .kexis, .lgc,\r\n.lwx, .maf, .maq, .mar, .mas, .mav, .mdb, .mdf, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt, .nrmlib,\r\n.ns2, .ns3, .ns4, .nsf, .nv, .nv2, .nwdb, .nyf, .odb, .oqy, .orx, .owc, .p96, .p97, .pan, .pdb, .pdm,\r\n.pnz, .qry, .qvd, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb, .sdc, .sdf, .sis, .spq, .sql,\r\n.sqlite, .sqlite3, .sqlitedb, .te, .temx, .tmd, .tps, .trc, .trm, .udb, .udl, .usr, .v12, .vis, .vpd, .vvv, .wdb,\r\n.wmdb, .wrk, .xdb, .xld, .xmlff, .abcddb, .abs, .abx, .accdw, .adn, .db2, .fm5, .hjt, .icg, .icr, .kdb,\r\n.lut, .maw, .mdn, .mdt\r\nThe following is a list of virtual machine file extensions:\r\n.vdi, .vhd, .vmdk, .pvm, .vmem, .vmsn, .vmsd, .nvram, .vmx, .raw, .qcow2, .subvol, .bin, .vsv,\r\n.avhd, .vmrs, .vhdx, .avdx, .vmcx, .iso\r\nFor network encryption, it enumerates network shares and encrypts every share except the one named\r\n“ADMIN$”.\r\nWhen the encrypt_filename option is checked, filenames are encoded with Base32 using the\r\nfollowing custom alphabet: `gwfn6l3bk45o2zecvi7xtyqrpsudmahj`\r\nPersistence via Scheduled tasks\r\nThis DragonForce variant of Conti has the option to create scheduled tasks. It uses the\r\nCOM TaskScheduler interface to schedule a daily task that runs the current binary, with the time and\r\ntask name specified at build time. The affiliate can also choose to move the binary to a different location and run the scheduled\r\ntask from there instead. Going through the COM objects lets a privileged user schedule a task without\r\ninvoking `schtasks` or `at`, so detections that key on those command lines will not fire; the registered\r\ntask is still written to the tasks folder and, where the Task Scheduler operational log or object auditing is\r\nenabled, recorded there.\r\nLogging\r\nDragonForce’s variant logs more verbosely than the original Conti code, though only if the logging option is turned on. It logs the\r\nselected configuration values and also the encryption type (i.e. excluded, full, header, or\r\npercentage) used per file. Each log line is prefixed with the execution time and thread ID. 
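Before turning to the log format, two file-level artifacts from the encryption sections above that an analyst can reason about without the operator’s keys, as an added example in Python (not code from the page or from the sample): the per-file encryption type chosen by extension and size, and the custom-alphabet Base32 applied to filenames when encrypt_filename is set. The extension sets are subsets of the page’s lists, the threshold values are assumed (the real ones are set in the builder), and whether the sample emits Base32 padding is not stated, so the decoder accepts both forms.

```python
import base64
import os

# Subsets of the two extension lists on the page (the full lists are much longer).
DB_EXTS = {'.accdb', '.db', '.db-shm', '.db-wal', '.db3', '.dbf', '.edb', '.fdb', '.mdb',
           '.mdf', '.myd', '.ndf', '.nsf', '.ora', '.sql', '.sqlite', '.sqlite3'}
VM_EXTS = {'.vdi', '.vhd', '.vhdx', '.avhd', '.vmdk', '.vmem', '.vmsn', '.vmsd', '.nvram',
           '.vmx', '.raw', '.qcow2', '.bin', '.iso'}

# Build-time thresholds named in the operator guide; the numeric values here are assumed.
DEFAULT_CFG = {
    'full_encrypt_threshold': 1 * 1024 * 1024,
    'header_encrypt_threshold': 16 * 1024 * 1024,
    'header_encrypt_size': 64 * 1024,
    'other_encrypt_chunk_percent': 10,
}


def encryption_plan(filename, size, cfg=DEFAULT_CFG):
    # Returns (encryption type, number of bytes the sample will encrypt).
    # Extension is checked before size; VM images are a fixed 20 percent.
    ext = os.path.splitext(filename)[1].lower()
    if ext in DB_EXTS:
        return 'FULL_ENCRYPT', size
    if ext in VM_EXTS:
        return 'PARTLY_ENCRYPT', size * 20 // 100
    if size < cfg['full_encrypt_threshold']:
        return 'FULL_ENCRYPT', size
    if size < cfg['header_encrypt_threshold']:
        return 'HEADER_ENCRYPT', min(size, cfg['header_encrypt_size'])
    return 'PARTLY_ENCRYPT', size * cfg['other_encrypt_chunk_percent'] // 100


# Custom Base32 alphabet quoted on the page, mapped position by position onto RFC 4648 Base32.
CUSTOM_ALPHABET = b'gwfn6l3bk45o2zecvi7xtyqrpsudmahj'
STANDARD_ALPHABET = b'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
TO_STANDARD = bytes.maketrans(CUSTOM_ALPHABET, STANDARD_ALPHABET)
TO_CUSTOM = bytes.maketrans(STANDARD_ALPHABET, CUSTOM_ALPHABET)


def encode_filename(raw, keep_padding=False):
    # Encode bytes the way the sample does; whether it emits '=' padding is not stated on the page.
    encoded = base64.b32encode(raw).translate(TO_CUSTOM)
    if not keep_padding:
        encoded = encoded.rstrip(b'=')
    return encoded.decode('ascii')


def decode_filename(encoded):
    # Accepts names with or without padding and returns the bytes the sample encoded. Those bytes
    # may themselves be ciphertext: the page says names are encoded, not whether they are first
    # encrypted, so do not expect printable output from a real sample without further analysis.
    data = encoded.strip().encode('ascii').rstrip(b'=')
    data += b'=' * (-len(data) % 8)
    return base64.b32decode(data.translate(TO_STANDARD))
```

A quick check on the alphabet: the string on the page contains 32 distinct characters, which is what bytes.maketrans requires; a mistyped alphabet raises ValueError at import rather than silently decoding garbage.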
Logs\r\nare encrypted with ChaCha8 and written to C:\\Users\\Public\\log.log, so the file is recoverable as evidence\r\nfrom a compromised host but not readable without the ChaCha8 key used for it.\r\nHere are some snippets of decrypted logs:\r\nFigure 31: Screenshot of the configuration values in decrypted logs.\r\nFigure 32: Screenshot of file encryption process in decrypted logs.\r\nWallpaper, Icon and Ransom note\r\nFigure 33: Screenshot of the wallpaper and icon of DragonForce after a system has been\r\nencrypted.\r\nFigure 34: Screenshot of the ransom note.\r\nLockBit 3.0 fork\r\nLockBit 3.0 is also known as LockBit Black ransomware. It gained this alias because LockBit 3.0 appears to\r\nreuse code from BlackMatter ransomware.\r\nThe sample we obtained does not require a custom password to execute, unlike most LockBit\r\n3.0 samples, which are observed to have been generated with the password option. We observed very few\r\ndifferences between this sample and other generic LockBit 3.0 variants, so we will not go into\r\ndetails here.\r\nComparing the customisation options currently provided in the builder with the JSON configuration\r\nused by LockBit 3.0, the builder exposes only a subset of what LockBit 3.0 offers. 
As LockBit 3.0 uses a separate\r\nJSON file for build configuration, it would be easy for DragonForce to expand the configuration\r\noptions offered in their builder in the future.\r\nThe following is a sample of the JSON configuration for LockBit:\r\n\"config\": {\r\n    \"settings\": {\r\n        \"encrypt_mode\": \"auto\",\r\n        \"encrypt_filename\": false,\r\n        \"impersonation\": true,\r\n        \"skip_hidden_folders\": false,\r\n        \"language_check\": false,\r\n        \"local_disks\": true,\r\n        \"network_shares\": true,\r\n        \"kill_processes\": true,\r\n        \"kill_services\": true,\r\n        \"running_one\": true,\r\n        \"print_note\": true,\r\n        \"set_wallpaper\": true,\r\n        \"set_icons\": true,\r\n        \"send_report\": false,\r\n        \"self_destruct\": true,\r\n        \"kill_defender\": true,\r\n        \"wipe_freespace\": false,\r\n        \"psexec_netspread\": false,\r\n        \"gpo_netspread\": true,\r\n        \"gpo_ps_update\": true,\r\n        \"shutdown_system\": false,\r\n        \"delete_eventlogs\": true,\r\n        \"delete_gpo_delay\": 1\r\n    },\r\n    \"white_folders\": \"\",\r\n    \"white_files\": \"\",\r\n    \"white_extens\": \"\",\r\n    \"white_hosts\": \"\",\r\n    \"kill_processes\": \"\",\r\n    \"kill_services\": \"\",\r\n    \"gate_urls\": \"\",\r\n    \"impers_accounts\": \"\",\r\n    \"note\": \"\"\r\n}\r\nThe option names mirror LockBit 3.0’s own builder. For defenders the telling ones in this sample are\r\ngpo_netspread and gpo_ps_update (propagation through Group Policy, which presumes domain-level\r\naccess), kill_defender and delete_eventlogs, the same post-encryption log clearing noted earlier in this\r\nreport.\r\nConclusion\r\nThe DragonForce ransomware group has rapidly emerged as one of the most dangerous threats in\r\nthe cybersecurity domain, largely due to their use of two distinct ransomware variants: a fork of\r\nLockBit, and a highly customized fork of Conti. The Conti variant offers significant advantages,\r\nincluding advanced encryption techniques, the ability to terminate EDR/XDR processes using the\r\n“Bring Your Own Vulnerable Driver” (BYOVD) method, and enhanced anti-analysis features. 
These\r\nenhancements make their attacks more sophisticated and harder to detect and mitigate.\r\nAdditionally, the integration of SystemBC malware into their operations adds another layer of\r\ncomplexity. SystemBC facilitates persistent access, enables network reconnaissance, and supports\r\nlateral movement within compromised networks, making it a critical component of their attack chain.\r\nBy targeting key industries such as manufacturing, real estate, and transportation, and employing\r\nthese advanced tools and tactics, DragonForce has proven to be a formidable adversary.\r\nOrganizations must prioritize strengthening their defenses, staying informed about the specific\r\ntactics, techniques, and procedures (TTPs) used by DragonForce, and adopting a comprehensive\r\nand adaptive security strategy to protect their critical assets and ensure resilience against the\r\nevolving threat of ransomware attacks.\r\nRecommendations\r\nHow to prevent ransomware? Although ransomware groups have gained notoriety for targeting\r\ncompanies in critical sectors, they are a threat to organizations across all industries, and\r\nransomware affiliate programs not only recruit new members but also equip them with upgraded\r\ntools and techniques. Businesses should therefore take specific steps now\r\nto keep their mission-critical operations and data secure. We recommend the following:\r\nAdd more layers of security: Multi-factor authentication (MFA) and credential-based access\r\nsolutions help businesses secure their critical assets and high-risk users, making it harder for\r\nattackers to be successful.\r\nStop ransomware with early detection: Leverage the behavioral detection capabilities of the\r\nEndpoint Detection and Response (EDR) solution to help identify ransomware indicators across\r\nyour managed endpoints, promptly alerting your teams to any suspicious activity for further\r\nscrutiny. 
This proactive approach enables agile detection, investigation and remediation of both\r\nknown and unknown threats on your endpoints.\r\nHave a backup strategy: Data backups should be taken regularly, and at least one copy should be kept\r\noffline or otherwise unreachable from the domain, since this variant enumerates and encrypts network\r\nshares; such backups reduce damage and help organizations avoid data loss following ransomware attacks.\r\nFinancially-motivated threat actors are driven to make you pay more. Even if one attacker returns\r\nyour data, another will find out about your willingness to pay, which will lead to an increase in the\r\nnumber of attempted attacks on your company. The best you can do is to contact incident\r\nresponse experts as quickly as possible.\r\nLeverage an advanced malware detonation solution: Organizations should leverage AI-infused, advanced analytics-based solutions to detect intrusions in real time. Learn how Group-IB’s Managed XDR coupled with Threat Intelligence helps businesses to:\r\ngain insights into the unique Tactics, Techniques, and Procedures (TTPs) used by\r\nAdvanced Persistent Threats (APTs) and other cybercriminal groups and pivot their\r\nsecurity strategies accordingly; and\r\nenable multi-layered cybersecurity (endpoint, email, web, and network) through automated\r\nthreat detection and response.\r\nPatch it up: The longer a vulnerability remains unpatched, the greater the risk that it will be\r\nexploited by cybercriminals. Security patches should therefore be prioritized, and organizations\r\nshould also set up a process to regularly review and apply patches as they become available.\r\nTrain employees: The human factor remains one of the greatest vulnerabilities in cybersecurity.\r\nEducate employees about the risks relating to the organization’s network, assets, devices, and\r\ninfrastructure. 
Organizations should conduct training programs and security drills to help\r\nemployees identify and report the tell-tale signs of cybercrime (e.g. phishing emails).\r\nControl vulnerabilities: Do not turn a blind eye to emerging vulnerabilities. Checking your\r\ninfrastructure annually with a technical audit or security assessment is not only a good habit, it\r\nalso adds a much-needed layer of protection. Infrastructural integrity and digital hygiene\r\nprocesses should be monitored continually.\r\nIOCs\r\nFile Hashes\r\nFile path | MD5 Hash\r\nC:\\Users\\[Redacted]\\AppData\\Local\\Temp\\2\\socks aug\\socks.exe | 97B70E89B5313612A9E7A339EE82AB67\r\nC:\\Users\\[Redacted]\\AppData\\Local\\Temp\\2\\a65.exe | A50637F5F7A3E462135C0AE7C7AF0D91\r\nC:\\Users\\[Redacted]\\AppData\\Local\\Temp\\2\\netscanold.exe | BB7C575E798FF5243B5014777253635D\r\ndf.exe (dropped in multiple paths) | C111476F7B394776B515249ECB6B20E6\r\nMITRE ATT&CK\r\nTactic | Technique with ID | Description\r\nInitial Access | Valid Accounts (T1078) | DragonForce affiliates gain access using compromised valid domain accounts.\r\nExecution | Command and Scripting Interpreter: PowerShell (T1059.001) | PowerShell is used to download and execute malicious payloads like Cobalt Strike.\r\nPersistence | Valid Accounts: Domain Accounts (T1078.002) | Maintaining access by using compromised domain accounts.\r\nPersistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) | Registry keys are created to ensure malware execution at startup.\r\nPersistence | Create or Modify System Process: Windows Service (T1543.003) | SystemBC creates services for persistence.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/dragonforce-ransomware/"
	],
	"report_names": [
		"dragonforce-ransomware"
	],
	"threat_actors": [
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434622,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64f9829c09b2bf58ac7b7f43851ae7a2ece1bc48.pdf",
		"text": "https://archive.orkl.eu/64f9829c09b2bf58ac7b7f43851ae7a2ece1bc48.txt",
		"img": "https://archive.orkl.eu/64f9829c09b2bf58ac7b7f43851ae7a2ece1bc48.jpg"
	}
}