{
	"id": "24e06704-3da4-4753-b7fc-d82bf65e6efe",
	"created_at": "2026-04-06T00:11:19.749373Z",
	"updated_at": "2026-04-10T03:26:36.650749Z",
	"deleted_at": null,
	"sha1_hash": "e827bc10b2f874326b6262202cb248a3a2ee58ed",
	"title": "DragonForce Ransomware: Unveiling Its Tactics and Impact | Idan Malihi",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50757,
	"plain_text": "DragonForce Ransomware: Unveiling Its Tactics and Impact | Idan Malihi\r\nArchived: 2026-04-05 14:14:01 UTC\r\nEvolution of Cyber Threat Groups\r\nIntroduction – DragonForce\r\nDragonForce’s Cyber Activities Against Israel\r\nThe group’s attacks are primarily politically motivated; however, some of its activities extend across various industries and regions. It has claimed responsibility for a wide range of attacks, including DDoS attacks and data breaches.\r\nDragonForce’s Leak Site and Propaganda Strategy\r\nA notable example from this research highlighted a negotiation attempt between a victim company and DragonForce. The company sought to reduce the ransom amount, but the group refused to make any concessions. They emphasized the urgency of the countdown timer and warned that failure to pay would lead to the full disclosure of the stolen data. By making these negotiations public, DragonForce sends a clear message to future victims: negotiations are futile, and the only way to prevent exposure is to pay the ransom in full.\r\nOnce the countdown expires, the stolen files become publicly accessible directly from the site. The files are neatly categorized, allowing anyone to browse through the leaked documents without needing to download them. The exposed data often includes financial records, employee and customer information, internal communications, contracts, and other highly sensitive documents. This structured data exposure model adds pressure, reinforcing DragonForce’s ultimatum: comply or face full-scale data disclosure.\r\nDissecting the Threat: DragonForce Ransomware\r\nThe ransomware’s entropy analysis suggests that only the overlay is packed. This indicates that the file itself is not actually packed; instead, it conceals some data within the binary inside the overlay. Essentially, this means that the compressed data is hidden at the end of the file (EOF).\r\nI utilized Binwalk to analyze the binary ransomware and identify the various types of data concealed within it, thereby gaining insight into what files the attacker was attempting to hide from researchers and analysts.\r\nhttps://idanmalihi.com/dragonforce-ransomware-unveiling-its-tactics-and-impact/\r\nPage 1 of 4\n\nIt contains an XML document that serves as the manifest file. Finally, there are two compressed files that the ransomware will utilize during its runtime.\r\nTo extract both compressed files, I executed a Python script that reads and extracts the data located at the 0x66400 and 0x66D24 offsets.\r\nThe compressed files are graphic files used in the ransomware’s operations when it drops files related to the ransomware during runtime.\r\nfirstFile.ico: a0bbc666c39f80d6ac18ae1b253c3462\r\nsecondFile.png: 07fb997df804901c7f09bcce85ec2c05\r\nIn addition, the ransomware encrypts the victim’s files using the symmetric ChaCha20 encryption method with a key of 256 bytes.\r\nThe strings below indicate that the ransomware utilizes the ChaCha20 encryption method. These strings relate to the key expansion process in the ChaCha20 stream cipher, which is typically used for fast and secure encryption.\r\nThe following strings indicate that the ransomware uses logs printed during runtime to determine the status of its operations, including file name changes, run path, privilege escalation, desktop wallpaper changes, and more.\r\nThe string SELECT * FROM Win32_ShadowCopy shows that the ransomware uses WMI to query Volume Shadow Copies so that it can remove them, which disables the victim’s ability to restore from backups.\r\nThe following strings relate to the extensions that the threat actor configures for the ransomware, specifying which extensions to encrypt on the victim’s system.\r\nThe ransomware appears to be conducting reconnaissance on network shares and facilitating lateral movement to locate and encrypt files stored on shared network drives.\r\nThe ransomware generates a log file named log.log located in the C:\\Users\\Public directory to track its operations.\r\nThe ransomware configures which file extensions it will not encrypt, such as .exe, .dll, .lnk, etc.\r\nThe 421570 subroutine is responsible for the encryption process configuration. It seems that the ransomware configures dynamic configurations for efficient encryption, process termination, and system disruption. The presence of keys such as encrypt_mode, full_encrypt_threshold, and encrypt_file_names suggests that the ransomware employs selective encryption techniques to optimize the speed of the encryption process. Additionally, strings like custom_wallpaper and custom_extension indicate that the malware modifies the desktop wallpaper and changes the files’ extension. Furthermore, the ransomware targets several system and database processes, terminating them so that their files can be encrypted, such as:\r\nAt the end of the configurations, it writes to the log.log file.\r\nIn the following flow, the ransomware retrieves the current process ID using the GetCurrentProcessId function, which is then used in the 42A7A0 subroutine.\r\nIn the subroutine, the ransomware uses the OpenProcess function with the 0x400 parameter, which corresponds to the PROCESS_QUERY_INFORMATION access right. This suggests an attempt to query the process’s security context. If the function’s execution is successful, it jumps to the 42A9E5 memory location, where it calls OpenProcessToken and GetTokenInformation to extract the security details about the running process. Additionally, it calls LookupAccountSidW to resolve the account name associated with the SID (security identifier). The ransomware might determine whether it is executing under a privileged user. It then writes the account it is running under to the log as a “Running under: %s” string.\r\nThe configuration of DragonForce Ransomware shows similarities to the LockBit builder that was leaked in 2022. Key settings observed include encrypt_mode, local_disks, network_shares, kill_processes, kill_services, set_wallpaper, and set_icons, all of which match the structure of LockBit’s leaked config.json. This suggests that DragonForce may be a modified version of the original LockBit builder.\r\nAdditionally, DragonForce incorporates several defense evasion techniques, including anti-forensics parameters like kill_defender, delete_eventlogs, and self_destruct. These features indicate that the ransomware aims to disable security defenses and eliminate forensic evidence. Furthermore, its functionality to alter desktop wallpaper and icons through set_wallpaper and set_icons is similar to the behavior of LockBit ransomware.\r\nThe malware checks and verifies whether the process has been executed with administrative privileges, which is crucial for the ransomware’s subsequent operations. The ransomware is attempting to retrieve the security token to determine whether it has administrator or SYSTEM-level privileges. The sequence begins with a call to GetCurrentProcess, followed by OpenProcessToken, which allows access to the token of the current process. After obtaining the token, it calls GetTokenInformation to extract information about privilege levels, user group details, or integrity levels. The ransomware then evaluates the retrieved token information. If the token handle is valid, the execution continues; if not, the ransomware process terminates. Analysis of the ransomware at runtime indicates it was executed with high privileges, as shown by the “Process is elevated: %d” value being 1.\r\nThe ransomware scans the victim’s system for logical drives using GetLogicalDriveStringsW. This operation is crucial for the ransomware to identify which drives exist in the victim’s system and to infect them during execution.\r\nAfter the ransomware configures the kill processes list, it looks for processes that are running on the victim’s system and compares them to the list. It uses OpenProcess to access the notepad.exe process and then terminates it using TerminateProcess.\r\nThe ransomware employs the NetShareEnum function to facilitate lateral movement, expanding its encryption capabilities to network shares and NetBIOS. It configures the servername parameter to three types of subnets: 172.X.X.X, 192.168.0.X, and 169.X.X.X, which are commonly used subnets in organizations worldwide. The level parameter is set to 1, which, according to Microsoft’s documentation, indicates that it will return details about shared resources, including the resource name and type.\r\nThe ransomware then decompresses two files from its overlay and drops them into the C:\\Users\\Public folder: icon.ico and wallpaper_white.png.\r\nIt then begins the process of encrypting the victim’s files. For each file, the ransomware encrypts its contents, changes the file’s name, and modifies the extension using MoveFileW.\r\nIt then creates readme.txt files using the CreateFileW function in every directory whose content has been encrypted.\r\nThe DragonForce ransom note utilizes psychological pressure and clear communication to coerce victims into paying the ransom. It outlines the impact of the attack, the communication process, payment instructions, and the consequences of non-compliance. The note is signed as: 01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101. This is the binary representation of “DragonForce,” which confirms the ransomware strain responsible for the attack.\r\nMITRE ATT\u0026CK\r\nYara Rule\r\nYara Detection\r\nSource: https://idanmalihi.com/dragonforce-ransomware-unveiling-its-tactics-and-impact/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://idanmalihi.com/dragonforce-ransomware-unveiling-its-tactics-and-impact/"
	],
	"report_names": [
		"dragonforce-ransomware-unveiling-its-tactics-and-impact"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434279,
	"ts_updated_at": 1775791596,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e827bc10b2f874326b6262202cb248a3a2ee58ed.pdf",
		"text": "https://archive.orkl.eu/e827bc10b2f874326b6262202cb248a3a2ee58ed.txt",
		"img": "https://archive.orkl.eu/e827bc10b2f874326b6262202cb248a3a2ee58ed.jpg"
	}
}