DragonForce Ransomware Analysis Report
2025.12.23

✅ Report Title: DragonForce Ransomware Analysis Report

✅ Executive Summary:

- S2W Threat Intelligence Center (TALON) published a comprehensive analysis of the DragonForce ransomware.

- The malware sample examined in this report was confirmed to be a DragonForce ransomware variant built on the Conti codebase.

- DragonForce ransomware decrypts ChaCha8-encrypted configuration data at runtime and leverages this information throughout its execution.

- Initial access is typically achieved through exposed Remote Desktop services; therefore, limiting Remote Desktop access or enforcing VPN-only access is strongly recommended.

📌 Who Is the DragonForce Ransomware Group?

- DragonForce is a ransomware group first observed in December 2023 that develops and deploys its own ransomware derived from LockBit 3.0 (Black) and Conti.

  - The group operates a service known as “Ransombay”, which allows affiliates to customize payloads and other attack options, and openly refers to itself as a cartel.

- Evidence such as infrastructure migration and source code similarities suggests possible connections between DragonForce and other ransomware groups, including BlackLock, RansomHub, and LockBit.

  - According to VX-Underground, DragonForce, LockBit, and Qilin have attempted to form an alliance and establish shared communication channels.

📌 Key Characteristics of DragonForce Ransomware

- Embedded strings within DragonForce ransomware are obfuscated using a proprietary algorithm and decrypted dynamically during execution.

- The ransomware supports five command-line arguments, with the `-m` option determining whether encryption targets local systems or network resources.

- Files are encrypted using the ChaCha8 algorithm, after which 534 bytes of metadata are appended to each encrypted file.

  - When the `encrypt_file_name` option is enabled, the ransomware appends a new extension and encodes original file names using Base32.

  - When the `custom_icon` and `custom_wallpaper` options are enabled, the ransomware modifies encrypted file icons or changes the victim’s desktop wallpaper.
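As an added illustration (not code from the S2W report), the following Python triage helper turns two of the traits listed above into a file-listing heuristic a responder can run over a directory inventory: a file whose name stem is valid Base32 that decodes to a plausible original file name (the `encrypt_file_name` behaviour), and whose size is at least the 534 bytes of appended metadata, is reported together with the recovered original name. The extension `.dragonforce`, the sample file names and sizes are constructed placeholders; the summary does not state the real extension, and the assumption that an encrypted file can never be smaller than its trailer is mine.

```python
"""Heuristic triage for files renamed in the style described in the summary.

Added example, not code from the S2W report. Signals used:
  1. with encrypt_file_name enabled, the original name is Base32-encoded and
     a new extension is appended;
  2. 534 bytes of metadata are appended to every encrypted file, so (my
     assumption) no encrypted file is smaller than that.
The ".dragonforce" extension below is a constructed placeholder.
"""
import base64
import binascii
from pathlib import PurePath

TRAILER_LEN = 534                                   # metadata bytes per the summary
B32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567=")


def decode_base32_stem(stem: str):
    """Return the decoded text if `stem` is Base32 for a plausible file name, else None."""
    s = stem.upper()                                # accept lowercase variants
    if len(s) < 8 or not set(s) <= B32_ALPHABET:
        return None
    s += "=" * (-len(s) % 8)                        # tolerate stripped padding
    try:
        text = base64.b32decode(s).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # a genuine original name is printable and carries its own extension
    if not text.isprintable() or "." not in text.strip("."):
        return None
    return text


def triage(name: str, size: int):
    """Return the recovered original name when both signals hold, else None."""
    p = PurePath(name)
    if not p.suffix or size < TRAILER_LEN:          # needs a new extension and room for the trailer
        return None
    return decode_base32_stem(p.stem)


def scan(entries):
    """entries: iterable of (filename, size). Returns [(filename, original_name), ...] for hits."""
    hits = []
    for name, size in entries:
        original = triage(name, size)
        if original is not None:
            hits.append((name, original))
    return hits


def b32(name: str) -> str:
    """Base32-encode a file name the way the summary describes (helper for the sample)."""
    return base64.b32encode(name.encode()).decode()


# Constructed sample listing (not real telemetry).
SAMPLE = [
    (b32("report.docx") + ".dragonforce", 20_000),                           # padded form
    (b32("q3 budget.xlsx").rstrip("=").lower() + ".dragonforce", 4_096),    # padding stripped, lowercase
    ("budget.xlsx", 4_096),                                                  # untouched file
    ("DEADBEEF.bin", 1_024),                                                 # Base32 chars, decodes to junk
    (b32("tiny.txt") + ".dragonforce", 100),                                 # too small to hold the trailer
    ("README", 2_000),                                                       # no extension at all
]

if __name__ == "__main__":
    for name, original in scan(SAMPLE):
        print(f"{name} -> {original}")
```

Treat a hit as a triage signal rather than proof: short all-uppercase stems can decode to printable text by chance, so confirm a flagged file by inspecting its trailer and by checking that the recovered name matches a file that is now missing from the same directory.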

📌 Conti-Based DragonForce Ransomware

- The analyzed sample was identified as a Conti-based variant of DragonForce ransomware.

- DragonForce uses the same mutex name observed in Conti-family ransomware and supports an identical set of five command-line arguments.

- The behavior and encryption modes associated with each argument closely match those of Conti.

- While both ransomware families use the same ransom note file name, the internal structure and content of the ransom notes differ.

✅ Recommended Threat Detection and Mitigation Actions:

- As DragonForce ransomware commonly gains initial access through exposed Remote Desktop services, organizations should enforce strict access controls on Remote Desktop servers and enable two-factor authentication (2FA) for all associated accounts.

🧑‍💻 Author: S2W TALON

👉 Contact us: https://s2w.inc/en/contact

*The full report is available upon request or with a subscription to the S2W platform.