Follow
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
DragonForce is a fast-moving ransomware-as-a-service operation that practices dual extortion by encrypting systems while stealing sensitive data. It markets a flexible affiliate platform supporting Windows, Linux, ESXi, BSD, and NAS targets, and has recently pivoted to a “cartel” approach that lets partners operate under their own branding. Reported victimology spans manufacturing, construction, and technology across multiple countries, with add-on services like “data audits” designed to increase negotiation pressure.
Investigation
Cybereason analysts reviewed the ransomware sample, noted a Conti-linked mutex, and observed SMB scanning, shadow-copy removal using wmic.exe, and tailored options for ESXi encryption. The supporting infrastructure included multiple IP addresses and a now-defunct onion leak site used to publish stolen data. The reporting also highlights relationships and cooperation signals involving LockBit, Qilin, and other ransomware actors.
Mitigation
Enable layered endpoint protection including anti-malware, anti-ransomware controls, shadow-copy safeguards, and application control. Keep systems patched, require multi-factor authentication, and maintain regular offline backups with tested restores. Monitor for SMB scanning, wmic.exe-driven shadow-copy deletion, and the referenced mutex as early warning telemetry.
Response
If ransomware activity is detected, isolate impacted hosts, capture volatile evidence, and activate incident response playbooks. Restore from verified clean backups, involve law enforcement as appropriate, and hunt for affiliate footholds across the environment. Block known infrastructure IPs/domains and scope for data theft to inform containment, notifications, and recovery actions.
Attack Flow
We are still updating this part. Sign up to get notified
Notify MeDetections
Create or Delete Shadow Copy via Powershell, CMD or WMI (via cmdline)
View
IOCs (SourceIP) to detect: The Godfather of Ransomware? Inside DragonForce’s Cartel Ambitions
View
IOCs (HashSha256) to detect: The Godfather of Ransomware? Inside DragonForce’s Cartel Ambitions
View
IOCs (DestinationIP) to detect: The Godfather of Ransomware? Inside DragonForce’s Cartel Ambitions
View
DragonForce Ransomware File Encryption and Log File Location Redefinition [Windows Sysmon]
View
DragonForce Ransomware Shadow Copy Deletion and Mutex Usage [Windows Process Creation]
View
Detect DragonForce Ransomware File Renaming Activity [Windows File Event]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands:
The attacker first creates a test document (secret.txt) containing dummy data. Using PowerShell’s .NET cryptography classes, the file is encrypted with AES‑256, which causes a write operation that the system logs as Event 4663 with anAccessMaskof 0x2 (read‑metadata) and a subsequent delete of the original plaintext – both actions produce the same event ID.
To conceal the activity, the attacker redefines the Windows Security log file location to a non‑standard path (C:TempSecLog.evtx) usingwevtutil, which generates another 4663 event for the registry key change. These steps emulate DragonForce’s reported behavior of encrypting files while relocating its own logs to monitor progress. -
Regression Test Script:
# ------------------------------------------------- # DragonForce Ransomware Simulation – PowerShell # ------------------------------------------------- # 1. Prepare test artifact $plainPath = "$env:TEMPsecret.txt" "Sensitive data that must be encrypted" | Set-Content -Path $plainPath -Encoding UTF8 # 2. Encrypt the file (AES‑256, CBC) $key = (1..32 | ForEach-Object { Get-Random -Maximum 256 }) $iv = (1..16 | ForEach-Object { Get-Random -Maximum 256 }) $aes = [System.Security.Cryptography.Aes]::Create() $aes.Key = $key $aes.IV = $iv $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC $encryptedPath = "$env:TEMPsecret.txt.enc" $fsIn = [System.IO.File]::OpenRead($plainPath) $fsOut = [System.IO.File]::Create($encryptedPath) $crypto = $aes.CreateEncryptor() $cs = New-Object System.Security.Cryptography.CryptoStream($fsOut, $crypto, [System.Security.Cryptography.CryptoStreamMode]::Write) $buffer = New-Object byte[] 1048576 # 1 MiB buffer while (($read = $fsIn.Read($buffer,0,$buffer.Length)) -gt 0) { $cs.Write($buffer,0,$read) } $cs.FlushFinalBlock() $cs.Dispose() $fsIn.Dispose() $fsOut.Dispose() # 3. Remove original plaintext (trigger delete event) Remove-Item -Path $plainPath -Force # 4. Redefine Security Event Log location (log‑file redefinition) $newLog = "C:TempSecLog.evtx" wevtutil sl Security /lfn:$newLog Write-Host "Simulation complete – encrypted file created at $encryptedPath and log path changed to $newLog" -
Cleanup Commands:
# ------------------------------------------------- # Cleanup – restore original state # ------------------------------------------------- # Restore original Security log location (default) wevtutil sl Security /lfn:"%SystemRoot%System32winevtLogsSecurity.evtx" # Delete encrypted artifact $encPath = "$env:TEMPsecret.txt.enc" if (Test-Path $encPath) { Remove-Item $encPath -Force } # Remove temporary log file if it exists $tempLog = "C:TempSecLog.evtx" if (Test-Path $tempLog) { Remove-Item $tempLog -Force } Write-Host "Cleanup completed."