[Chart: Ransomware hits last week]


DragonForce Ransomware

Emerging in late 2023, DragonForce ransomware has quickly become a force to be reckoned with in the cybersecurity landscape. This ruthless malware employs a double extortion tactic, crippling victims by encrypting their data and threatening to leak it on the dark web if ransom demands aren't met.

The origins of DragonForce remain shrouded in some mystery. While a Malaysian hacktivist group of the same name announced plans to launch ransomware in 2022, the connection to the current DragonForce ransomware is unclear. Security researchers believe the ransomware itself is built upon the leaked codebase of LockBit Black, a notorious ransomware group. This shared lineage suggests a certain level of sophistication, as LockBit Black was known for its effectiveness.

Tactics, Techniques, and Procedures (TTPs)

DragonForce leverages a range of tactics, techniques, and procedures (TTPs) to infiltrate and compromise systems. These include:

  • Phishing Attacks: Deceptive emails designed to trick users into clicking malicious links or downloading infected attachments are a common entry point.
  • Exploiting Vulnerabilities: DragonForce actively seeks out unpatched vulnerabilities in software and operating systems to gain unauthorised access to networks.
  • Lateral Movement: Once a foothold is established, the malware can spread laterally across a network, infecting additional devices and escalating privileges.
  • Data Exfiltration: Before encryption, DragonForce exfiltrates sensitive data like financial records, personal information, and intellectual property. This stolen data serves as leverage in extortion attempts.
  • Strong Encryption: DragonForce utilises robust encryption algorithms to render files inaccessible, making decryption without the attacker's key extremely difficult, if not impossible.

Notable Attacks:

DragonForce has targeted a diverse range of victims worldwide, demonstrating its opportunistic nature. Some notable examples include:

  • The Ohio Lottery: In a high-profile attack, DragonForce breached the Ohio Lottery's systems and claimed to have stolen over 600 GB of data, potentially compromising millions of records.
  • Yakult Australia: DragonForce claimed to have attacked this beverage company, boasting about stealing nearly 100 GB of sensitive company data.
  • Coca-Cola Singapore: DragonForce claimed to have attacked the Singapore branch of Coca-Cola, stealing data exceeding 400 GB.


Global Targets: Its reach extends beyond these specific cases. Reports indicate that DragonForce has targeted organisations in manufacturing, technology, healthcare, finance, and other critical sectors across various countries.

DragonForce's emergence highlights the ever-evolving threat landscape of ransomware. Its use of readily available tools like LockBit Black's codebase and its focus on double extortion tactics underscore the need for organisations to prioritise cybersecurity measures.

Leak Site: DragonForce maintains a leak site on the dark web where they threaten to publish stolen data if the ransom is not paid.

DragonForce Ransom Notes:

[Screenshot: DragonForce ransom note]

Kill Chain:

Tactic            Technique ID   Technique Name
Execution         T1204.002      User Execution
Defence Evasion   T1562.001      Impair Defences: Disable or Modify Tools
Defence Evasion   T1070.004      Indicator Removal: File Deletion
Discovery         T1083          File and Directory Discovery
Impact            T1486          Data Encrypted for Impact
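The two Impact and Defence Evasion techniques in the kill chain above (T1486 mass encryption and T1070.004 file deletion) share one behavioural footprint on a host: a single process touching an unusually large number of distinct files in a short time. The following Python is an added detection example written for this report; it is not DragonForce code and not part of the original page. The window, threshold, process names and file-event records are constructed assumptions for illustration, chosen so that an encryptor-like burst stands out against a benign editor.

```python
"""Added example: sliding-window heuristic for T1486 / T1070.004 over
constructed host file-event telemetry (timestamp, process, action, path)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values for illustration; baseline these per environment.
WINDOW = timedelta(seconds=60)      # look-back window per process
THRESHOLD = 50                      # distinct files touched inside WINDOW
IMPACT_ACTIONS = {"write", "rename", "delete"}  # T1486 writes/renames, T1070.004 deletes


def build_sample_events():
    """Constructed telemetry: a benign editor writing three documents, and a
    hypothetical 'suspicious.exe' renaming 120 files in under 25 seconds and
    then deleting five originals. No real malware behaviour is reproduced."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    events = []
    for i in range(3):
        events.append((base + timedelta(seconds=10 * i), "winword.exe", "write",
                       f"C:\\Users\\alice\\Documents\\report{i}.docx"))
    for i in range(120):
        events.append((base + timedelta(milliseconds=200 * i), "suspicious.exe", "rename",
                       f"C:\\Shares\\finance\\doc{i}.xlsx"))
    for i in range(5):
        events.append((base + timedelta(seconds=30 + i), "suspicious.exe", "delete",
                       f"C:\\Shares\\finance\\doc{i}.xlsx.bak"))
    return events


def max_files_per_window(events, window=WINDOW):
    """For each process, the largest number of distinct files it touched
    (with an impact action) inside any window of the given length."""
    by_proc = defaultdict(list)
    for ts, proc, action, path in events:
        if action in IMPACT_ACTIONS:
            by_proc[proc].append((ts, path))

    result = {}
    for proc, recs in by_proc.items():
        recs.sort()
        queue = deque()               # events currently inside the window
        live = defaultdict(int)       # path -> occurrences inside the window
        best = 0
        for ts, path in recs:
            queue.append((ts, path))
            live[path] += 1
            # Evict events older than the window relative to the newest event.
            while queue and ts - queue[0][0] > window:
                old_ts, old_path = queue.popleft()
                live[old_path] -= 1
                if live[old_path] == 0:
                    del live[old_path]
            best = max(best, len(live))
        result[proc] = best
    return result


def flag_processes(events, threshold=THRESHOLD, window=WINDOW):
    """Processes whose burst of distinct-file activity reaches the threshold."""
    return sorted(p for p, n in max_files_per_window(events, window).items()
                  if n >= threshold)


if __name__ == "__main__":
    for proc, n in max_files_per_window(build_sample_events()).items():
        print(f"{proc}: {n} distinct files in a {WINDOW.seconds}s window")
    print("flagged:", flag_processes(build_sample_events()))
```

The heuristic is deliberately extension-agnostic, since encrypted-file extensions change between affiliates and builds; pairing it with a canary directory that no legitimate process should touch keeps the false-positive rate low for backup and indexing software that also sweeps many files.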

Indicators of Compromise (IOCs)

Indicator                                                                   Indicator Type   Description
d54bae930b038950c2947f5397c13f84                                            Hash             DragonForce Ransomware
hxxp://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog   URL              Leak Site
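The indicators above are published defanged (hxxp://), so a matcher has to refang them before comparing against telemetry, and hash fields in logs frequently arrive in mixed case. The Python below is an added example for sweeping logs for these two report IOCs; it is not part of the original report. The three log lines are constructed, and the log field layout (host=, md5=, name=) is an assumption for illustration; only the hash and the leak-site URL come from the table.

```python
"""Added example: refang the report's IOCs and sweep constructed log lines
for the file hash and the leak-site hostname."""
import re

# IOCs exactly as listed in the report (URL kept defanged here).
REPORT_IOCS = [
    ("d54bae930b038950c2947f5397c13f84", "Hash", "DragonForce Ransomware"),
    ("hxxp://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog",
     "URL", "Leak Site"),
]

HEX32_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)        # MD5-length hex tokens
ONION_RE = re.compile(r"\b[a-z0-9.-]+\.onion\b", re.I)  # .onion hostnames


def refang(value):
    """Reverse common defanging so the indicator can be compared literally."""
    v = value.replace("hxxps://", "https://").replace("hxxp://", "http://")
    return v.replace("[.]", ".").replace("[:]", ":")


def index_iocs(iocs):
    """Split the IOC list into a lowercase hash set and a hostname set."""
    hashes, hosts = set(), set()
    for value, kind, _desc in iocs:
        if kind == "Hash":
            hashes.add(value.lower())
        elif kind == "URL":
            m = re.match(r"^[a-z]+://([^/]+)", refang(value), re.I)
            if m:
                hosts.add(m.group(1).lower())
    return hashes, hosts


def scan_logs(lines, iocs=REPORT_IOCS):
    """Return (line_number, indicator_type, matched_value) for every hit."""
    hashes, hosts = index_iocs(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        for token in HEX32_RE.findall(line):
            if token.lower() in hashes:
                hits.append((n, "Hash", token.lower()))
        for host in ONION_RE.findall(line):
            if host.lower() in hosts:
                hits.append((n, "URL", host.lower()))
    return hits


# Constructed sample log lines (assumed field layout, not real telemetry).
SAMPLE_LOGS = [
    "2024-05-01T09:01:12Z host=WS-07 event=ProcessCreate "
    "image=C:\\Users\\alice\\Downloads\\invoice.exe md5=D54BAE930B038950C2947F5397C13F84",
    "2024-05-01T09:01:13Z host=WS-07 event=ProcessCreate "
    "image=C:\\Windows\\System32\\notepad.exe md5=0123456789abcdef0123456789abcdef",
    "2024-05-01T09:05:44Z host=WS-07 event=ProxyRequest "
    "name=z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion",
]

if __name__ == "__main__":
    for line_no, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} match {value}")
```

A .onion name showing up in corporate proxy or DNS logs at all is worth an alert on its own, since Tor resolves those names inside the Tor client; matching the specific leak-site host additionally ties the event to this campaign.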


In a comprehensive analysis of ransomware victims across 22 countries, the United States emerges as the most heavily impacted nation, reporting a staggering 48% of victim updates in the past week. The following table provides a breakdown of the percentage of new ransomware victims per country, underscoring the persistent and concerning prevalence of ransomware attacks, with the USA particularly susceptible to these cybersecurity threats.

Country          Victims (%)
Austria               1.10%
Bangladesh            1.10%
Belgium               1.10%
Brazil                6.59%
Canada                5.49%
Chile                 1.10%
Colombia              2.20%
Finland               1.10%
France                2.20%
Germany               1.10%
India                 2.20%
Iran                  1.10%
Italy                 3.30%
Japan                 1.10%
Mexico                1.10%
Nepal                 1.10%
Netherlands           1.10%
Philippines           1.10%
Spain                 4.40%
Sudan                 1.10%
UK                   10.99%
USA                  48.35%

[Chart: Worldwide ransomware victims by country]

Upon further investigation, it has been identified that ransomware has left its mark on 21 different industries worldwide. Notably, Manufacturing bore the brunt of the attacks in the past week, accounting for 17% of victims. There are a few key reasons why the manufacturing sector is a prime target for ransomware groups:

  • High Disruption Potential: Manufacturing relies heavily on interconnected systems and just-in-time production. A ransomware attack can grind operations to a halt, causing significant financial losses due to production delays and lost revenue. This pressure to get back online quickly can make manufacturers more willing to pay the ransom.
  • Vulnerable Legacy Systems: Many manufacturers use legacy control systems (OT) that haven't been updated for security. These older systems often lack robust security features, making them easier targets for attackers to exploit.
  • Limited Cybersecurity Investment: Traditionally, cybersecurity might not have been a top priority for some manufacturers compared to production efficiency. This lack of investment in security awareness training and robust security protocols leaves them exposed.
  • Valuable Data: Manufacturing facilities often hold valuable intellectual property (IP) and trade secrets. Ransomware groups may not only disrupt operations but also threaten to leak this sensitive data if the ransom isn't paid.
  • Success Breeds Success: The high payout potential from past attacks on manufacturers incentivises ransomware groups to continue targeting them.

The table below delineates the most recent ransomware victims, organised by industry, shedding light on the sectors grappling with the significant impact of these cyber threats.

Industry                          Victims (%)
Agriculture                            1.10%
Business Services                     15.38%
Cities, Towns & Municipalities         1.10%
Construction                           5.49%
Consumer Services                      3.30%
Education                              8.79%
Energy, Utilities & Waste              3.30%
Finance                                7.69%
Government                             1.10%
Healthcare                             5.49%
Hospitality                            5.49%
Insurance                              2.20%
IT                                     2.20%
Legal Services                         5.49%
Manufacturing                         17.58%
Media & Internet                       1.10%
Metals & Mining                        1.10%
Real Estate                            1.10%
Retail                                 5.49%
Telecom                                1.10%
Transportation                         4.40%

[Chart: Ransomware victims by industry]