DragonForce Ransomware Cartel: Hybrid Hacktivism Meets RaaS Industrialization

DragonForce is a sophisticated Ransomware-as-a-Service (RaaS) operation that emerged from a former Malaysian hacktivist group. Since 2023, it has evolved into a major cybercrime cartel with a global affiliate network. Combining ideological roots with profit-driven ransomware attacks, it now supports hybrid operations across sectors and geographies. Its flexible infrastructure, white-label ransomware builder, and aggressive affiliate recruitment have made it a significant threat globally.

Severity Level: High

THREAT OVERVIEW:

  • DragonForce leverages a dual-strain ransomware model—initially derived from LockBit 3.0 and later enhanced with code from Conti v3. These strains support strong encryption protocols (AES, ChaCha, RSA) and are delivered via a custom-built affiliate platform.
  • The ransomware is frequently paired with credential dumpers (Mimikatz, LaZagne), persistence tools (Cobalt Strike), and network mapping utilities.

Attack Flow

  1. Initial Reconnaissance: DragonForce-affiliated operators begin by scanning for vulnerable targets—either opportunistically through internet-wide scans or selectively based on ideological motives. They assess open ports, exposed credentials, and unpatched systems to prioritize targets.
  2. Initial Access: Entry is typically achieved through spear-phishing emails that deliver malware loaders or by exploiting unpatched vulnerabilities in internet-facing services such as VPNs and web applications. Credentials may also be obtained from previous breaches or dark web marketplaces.
  3. Establishing Persistence: Upon access, attackers deploy tools like SystemBC and Cobalt Strike to establish command-and-control channels. They often create local admin accounts or schedule malicious tasks that grant persistent access even after reboots.
  4. Privilege Escalation: The attackers escalate privileges through credential dumping using Mimikatz or LaZagne. In some cases, Bring Your Own Vulnerable Driver (BYOVD) techniques are used to disable endpoint security and elevate access.
  5. Lateral Movement: With admin-level access, attackers use PsExec, WMI, and RDP to pivot through the network. They identify high-value systems such as file servers, domain controllers, and backup repositories. These are earmarked for data theft or destruction.
  6. Data Collection and Exfiltration: Before deploying the ransomware, DragonForce actors prioritize exfiltrating sensitive data. This includes business documents, financial records, and email archives, which are then uploaded to attacker-controlled cloud services or hidden servers.
  7. Pre-Encryption Preparation: Security defenses such as EDR agents, antivirus software, and logging services are disabled or bypassed. Backups are located and either deleted or encrypted to prevent recovery.
  8. Ransomware Deployment: The ransomware is executed simultaneously across multiple endpoints using administrative tools or GPO scripts. Victims immediately lose access to files, which are encrypted and renamed with a “.df” extension.
  9. Victim Notification and Negotiation: Victims receive ransom notes named README.txt or [random].README.txt, directing them to a Tor-based negotiation site.
  10. Extortion Outcome: If the victim pays, they may receive a decryptor. If not, their exfiltrated data is leaked via the group’s dark web leak portals. In some cases, the data is promoted on social media platforms to amplify reputational damage.
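A defender-side check for steps 8 and 9 of the flow above, added here as an illustration and not code from the advisory or its sources: it scans constructed file-system events for a burst of renames to the “.df” extension on one host together with the appearance of a README.txt or [random].README.txt note, and rates the host accordingly. Host names, timestamps, paths and the burst threshold are assumed values.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the advisory): (host, ts_seconds, action, path).
# "rename" rows carry the new path; "create" rows carry the created file's path.
SAMPLE_EVENTS = [
    ("WS01", 1000, "rename", r"C:\Data\budget.xlsx.df"),
    ("WS01", 1002, "rename", r"C:\Data\contract.docx.df"),
    ("WS01", 1003, "rename", r"C:\Data\plan.pptx.df"),
    ("WS01", 1005, "rename", r"C:\Data\notes.txt.df"),
    ("WS01", 1007, "rename", r"C:\Data\q1.pdf.df"),
    ("WS01", 1008, "create", r"C:\Data\a1B2c3.README.txt"),
    ("FS02", 2000, "rename", r"D:\Share\old.log.df"),
    ("FS02", 2500, "create", r"D:\Share\README.txt"),
    ("WS03", 3000, "create", r"C:\Users\u\Desktop\README.txt"),  # a lone README.txt is usually benign
]

DF_EXT = re.compile(r"\.df$", re.IGNORECASE)                       # ".df" extension from step 8
NOTE_NAME = re.compile(r"^(?:[A-Za-z0-9]+\.)?README\.txt$", re.I)  # README.txt or [random].README.txt

def max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    ts = sorted(timestamps)
    best = left = 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best

def detect_df_ransomware(events, window=60, threshold=5):
    """Per-host verdict: a rename burst plus a ransom note is 'high'; either signal alone is weaker."""
    renames, notes = defaultdict(list), defaultdict(bool)
    for host, ts, action, path in events:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if action == "rename" and DF_EXT.search(name):
            renames[host].append(ts)
        elif action == "create" and NOTE_NAME.match(name):
            notes[host] = True
    verdicts = {}
    for host in set(renames) | set(notes):
        burst = max_in_window(renames[host], window)
        if burst >= threshold and notes[host]:
            verdict = "high"
        elif burst >= threshold or (notes[host] and renames[host]):
            verdict = "medium"
        else:
            verdict = "low"
        verdicts[host] = {"df_burst": burst, "ransom_note": notes[host], "verdict": verdict}
    return verdicts
```

Running `detect_df_ransomware(SAMPLE_EVENTS)` rates WS01 high, FS02 medium and WS03 low; tune `window` and `threshold` to the file-activity baseline of the monitored hosts.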

Campaign Scale and Geography

  • DragonForce campaigns span multiple continents, with a concentration of attacks in the United States (52%), the United Kingdom (12%), Australia (6%), and various nations across Asia and the Middle East. The group has claimed over 80 victims in 12 months, demonstrating consistent monthly attack cadence and escalating geographical reach.
  • DragonForce affiliates conduct highly disruptive ransomware operations across key sectors, including manufacturing, retail, healthcare, government, and transportation. In notable incidents, they have paralyzed large-scale operations, such as Marks & Spencer (retail disruption), Oahu Transit Services (public transportation), and the Government of Palau (governmental outages).

HOW THE BREACH HAPPENED:

  1. Initial Access (February 2025): The breach began in early February 2025 when a nation-state threat actor gained initial access to Commvault’s Microsoft Azure environment. Microsoft notified Commvault of suspicious activity on February 20. The attackers exploited misconfigured cloud applications and obtained access to application credentials (client secrets) stored by Commvault for M365 integration, allowing them to impersonate legitimate service principals.
  2. Exploitation of Vulnerability (CVE-2025-3928): The attackers used valid credentials to exploit CVE-2025-3928, a zero-day vulnerability in the Commvault Web Server. This flaw allowed a remote authenticated attacker to upload and execute webshells, gaining persistence and expanding their access within Commvault’s infrastructure. The vulnerability existed in multiple versions of Commvault’s software and was not known publicly at the time of the breach.
  3. Lateral Movement into Customer M365 Environments: Using compromised app secrets and M365 OAuth tokens, the threat actor accessed customers’ M365 tenants via Commvault-managed service principals. They potentially escalated access using default permissions, overly privileged service principals, or misconfigured application scopes. This lateral movement allowed visibility and control over downstream customer environments.
  4. Cloud Misconfigurations & Identity Exploitation: The attack campaign also took advantage of cloud identity misconfigurations, such as excessive privileges granted to service principals and absence of Conditional Access policies. Commvault-managed M365 applications with unrotated secrets and insufficient IP filtering gave the attackers a stealthy path to move laterally without triggering immediate alerts.
  5. Persistence & Monitoring Evasion: The attackers were able to remain undetected for a period by operating through legitimate service credentials and staying within trusted IP ranges. No ransomware or destructive actions were deployed. However, they maintained a low-profile presence, focusing on stealthy access and exfiltration of identity data and secrets from impacted SaaS-linked resources.

MITRE ATT&CK

Tactic | Technique | ID | Details
Reconnaissance | Valid Accounts | T1078 | DragonForce ransomware actors gain unauthorised access and blend in with legitimate user activity.
Initial Access | Phishing | T1566 | DragonForce ransomware actors send deceptive messages to trick users into disclosing sensitive information or executing harmful actions.
Initial Access | External Remote Services | T1133 | The threat actor exploits vulnerabilities in external remote services, such as VPNs, to gain unauthorised access to a network.
Execution | User Execution | T1204.002 | The DragonForce ransomware tricks users into opening malicious files to execute harmful code.
Execution | Command-Line Interface: PowerShell | T1059.001 | The threat actor uses various command-line parameters for configuration and control.
Persistence | Valid Accounts: Domain Accounts | T1078.002 | DragonForce ransomware gains unauthorised access and moves laterally within networks.
Persistence | Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder | T1547.001 | Programs are added to startup folders or registry run keys to achieve persistence.
Persistence | Create or Modify System Process: Windows Service | T1543.003 | DragonForce ransomware creates or modifies Windows services to maintain persistence on compromised systems.
Defence Evasion | Impair Defences: Disable or Modify Tools | T1562.001 | DragonForce disables or modifies security tools to evade detection.
Defence Evasion | Scheduled Task/Job: Scheduled Task | T1053.005 | DragonForce exploits the Windows Task Scheduler to schedule tasks for executing malicious code.
Defence Evasion | Indicator Removal: Clear Windows Event Logs | T1070.001 | The threat actor clears Windows Event Logs to hide their activities.
Credential Access | OS Credential Dumping: LSASS Memory | T1003.001 | The threat actor dumps LSASS memory to steal credential information.
Discovery | File and Directory Discovery | T1083 | The threat actor enumerates logical drives and checks their types, discovering information about the computer’s drives and directories.
Discovery | Domain Trust Discovery | T1482 | The threat actor employs tools to gather information on Active Directory domain trusts.
Discovery | Remote System Discovery | T1018 | The threat actor discovers remote systems on a network to facilitate lateral movement.
Discovery | System Network Configuration Discovery | T1016 | The threat actor gathers information about network configurations and settings.
Discovery | System Information Discovery | T1082 | The threat actor gathers detailed system information to understand the environment and plan further attacks.
Discovery | Network Service Discovery | T1046 | The threat actor discovers services running on remote hosts and network devices, often using port and vulnerability scans.
Lateral Movement | Remote Services: Remote Desktop Protocol | T1021.001 | The threat actor leverages Remote Desktop Protocol (RDP) to access and control remote systems.
Lateral Movement | Remote Services: SMB/Windows Admin Shares | T1021.002 | The threat actor uses valid accounts to interact with remote network shares via SMB (Server Message Block) to move laterally within a network.
Collection | Data from Local System | T1005 | While not explicitly mentioned, the ransomware collects information about files, directories, and drive types on the local system to decide what to encrypt.
Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | The threat actor communicates with command-and-control servers through web protocols to blend in with normal traffic.
Exfiltration | Exfiltration Over C2 Channel | T1041 | While not explicitly mentioned, the ransomware may communicate with a command-and-control (C2) server as part of the extortion process.
Impact | Data Encrypted for Impact | T1486 | The threat actor encrypts files using ChaCha8 encryption and the CryptGenRandom() function to generate keys and initialisation vectors (IVs) for each file.
Impact | Inhibit System Recovery | T1490 | The threat actor deletes or disables system recovery features to prevent recovery of a corrupted system.
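Added example, not from the advisory: it correlates constructed Windows Security, System and Sysmon records with the technique IDs in the table above, so that a host showing several of them together is escalated instead of each event alerting on its own. The event-ID-to-technique pairing is the common Windows audit-log mapping and is an assumption here, as are the host, user, task and service names.

```python
from collections import defaultdict

# Constructed Windows event records (not from the advisory); only the fields the rules need.
SAMPLE_LOG = [
    {"host": "DC01", "channel": "Security", "id": 4624, "LogonType": 10, "user": "svc_bk"},
    {"host": "DC01", "channel": "Sysmon", "id": 10, "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"host": "DC01", "channel": "Security", "id": 4698, "TaskName": r"\Update"},
    {"host": "DC01", "channel": "System", "id": 7045, "ServiceName": "svc_df"},
    {"host": "DC01", "channel": "Security", "id": 1102},
    {"host": "WS07", "channel": "Security", "id": 4624, "LogonType": 2, "user": "alice"},
    {"host": "WS07", "channel": "Security", "id": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
]

# (channel, event id, extra condition, ATT&CK technique ID taken from the table above).
# The event-to-technique pairing is the usual Windows audit mapping, assumed for illustration.
RULES = [
    ("Security", 1102, None, "T1070.001"),                                # audit log cleared
    ("Security", 4698, None, "T1053.005"),                                # scheduled task created
    ("System", 7045, None, "T1543.003"),                                  # new service installed
    ("Security", 4624, lambda e: e.get("LogonType") == 10, "T1021.001"),  # RDP (type 10) logon
    ("Sysmon", 10, lambda e: e.get("TargetImage", "").lower().endswith("lsass.exe"), "T1003.001"),
]

def map_events(log):
    """Return {host: set of technique IDs} for every record that matches a rule."""
    hits = defaultdict(set)
    for e in log:
        for channel, eid, cond, tid in RULES:
            if e["channel"] == channel and e["id"] == eid and (cond is None or cond(e)):
                hits[e["host"]].add(tid)
    return hits

def triage(log, min_techniques=3):
    """Escalate a host only when several distinct techniques appear; one alone is mostly noise."""
    return {host: {"techniques": sorted(tids), "escalate": len(tids) >= min_techniques}
            for host, tids in map_events(log).items()}
```

With the sample log, DC01 is escalated on five techniques while WS07, whose only hit is a routine scheduled-task creation, is not.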

Recommendations:

  1. Segment networks to restrict lateral movement.
  2. Disable remote services like RDP unless necessary.
  3. Prioritize CVEs with public exploits.
  4. Patch VPNs, web apps, and remote services.
  5. Enforce phishing-resistant MFA (FIDO2/U2F).
  6. Conduct regular phishing simulations and user training.
  7. Monitor dark web for leaked credentials.
  8. Use password managers to enforce complex passwords.
  9. Keep encrypted offline backups tested for restoration.
  10. Simulate ransomware tabletop exercises for exec teams.
  11. Block the IOCs at their respective controls. The IOC collection for this advisory is available at https://www.virustotal.com/gui/collection/3d8427e3686060df39bb85bbdc200eb6a8116be1c52e7c514b2f74740c96aba5

Source:

  • https://news.sophos.com/en-us/2025/05/21/dragonforce-targets-rivals-in-a-play-for-dominance/
  • https://www.quorumcyber.com/insights/understanding-the-dragonforce-cartel-the-cybercriminals-targeting-retailers-with-ransomware/
  • https://www.quorumcyber.com/wp-content/uploads/2025/05/QC-DragonForce-Ransomware-Report.pdf

Ampcus Cyber