Operator dossier

DRAGON FORCE (also tracked as dragonforce) is a ransomware operator currently active on public leak sites. Research on the operators of the DragonForce ransomware was conducted, and it was identified that the group emerged around mid-November 2023. They employ the same method as many other ransomware groups, using double extortion in their attacks, i.e., data encryption and extortion for the publication of the attacks. Initially, according to research, it was identified that another hacktivist group, also named DragonForce and based in Malaysia, conducted several campaigns in 2021 and 2022 against various government organizations and agencies across the Middle East and Asia. Additionally, the hacktivist group announced in 2022 its intention to initiate ransomware attacks. However, due to the limitation and difficulty in obtaining substantial information, no direct link could be established. The activities of the DragonForce ransomware group were identified in November 2023 through a clandestine forum, where they announced their victims via data leaks. Some samples related to the DragonForce ransomware group were obtained, and it was concluded that the group uses a binary (ransomware) based on LockBit Black. In other words, this threat group took advantage of the previously leaked builder from another ransomware group, LockBit, and incorporated these samples into their attacks to encrypt data. The company Cyble published an analysis indicating that the ransomware used by DragonForce has a 99% similarity to the LockBit Black ransomware, suggesting the use of the leaked builder. It is worth noting that the ransomware performs the entire operational routine, terminating processes, encrypting specific files, and subsequently creating a ransom note for the victim.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

DRAGON FORCE

aka dragonforce · 0 victims indexed

Victims indexed

—

Active period

—

Countries hit

At a glance

Status: active
Aliases: dragonforce
First seen: —
Last activity: —
Onion sites: 1 known endpoint

About

Research on the operators of the DragonForce ransomware was conducted, and it was identified that the group emerged around mid-November 2023. They employ the same method as many other ransomware groups, using double extortion in their attacks, i.e., data encryption and extortion for the publication of the attacks. Initially, according to research, it was identified that another hacktivist group, also named DragonForce and based in Malaysia, conducted several campaigns in 2021 and 2022 against various government organizations and agencies across the Middle East and Asia. Additionally, the hacktivist group announced in 2022 its intention to initiate ransomware attacks. However, due to the limitation and difficulty in obtaining substantial information, no direct link could be established. The activities of the DragonForce ransomware group were identified in November 2023 through a clandestine forum, where they announced their victims via data leaks. Some samples related to the DragonForce ransomware group were obtained, and it was concluded that the group uses a binary (ransomware) based on LockBit Black. In other words, this threat group took advantage of the previously leaked builder from another ransomware group, LockBit, and incorporated these samples into their attacks to encrypt data. The company Cyble published an analysis indicating that the ransomware used by DragonForce has a 99% similarity to the LockBit Black ransomware, suggesting the use of the leaked builder. It is worth noting that the ransomware performs the entire operational routine, terminating processes, encrypting specific files, and subsequently creating a ransom note for the victim.

References

8 links

External sources curated by the MISP threat-intel community.

Recent victims

Loading…

Onion infrastructure

1 known

http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion

Source

Updated recently

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.