DragonForce (aka “DragonForce Ransomware Cartel”) — Threat Analysis & Defender Playbook Prepared by CyberDudeBivash Threat Intelligence — updated Aug 31, 2025

Executive summary

DragonForce is a fast-rising RaaS operation that blends profit-driven ransomware with hacktivist-style optics. In Mar–Apr 2025 it rebranded as a “cartel,” rolled out white-label branding and RansomBay leak portals (affiliates can hide the DragonForce name), and moved to absorb orphaned affiliates—including a public takeover of RansomHub’s infrastructure—fueling a wave of high-impact attacks (notably against UK retail). Sources: Sophos News, Check Point Blog, Trend Micro


Who/what is DragonForce (model, scale, positioning)

  • RaaS → “Cartel” shift (Mar 19, 2025): affiliates can run their own brands on DragonForce infra; DF takes a ~20% cut. Sophos News, Check Point Blog

  • RansomHub saga (Mar–Apr 2025): RansomHub’s site went dark Mar 31; DF commandeered infra and announced RH had “joined the cartel” on Apr 8 (RH now considered inactive). Trend Micro

  • Turf war + retail focus: 2025 campaigns hit UK retailers (e.g., M&S, Co-op, Harrods), and DF publicly sparred with rival crews—defacing their leak sites and courting their affiliates. Sophos News, Barracuda Blog


Tooling & payloads (what runs on your endpoints)

  • Code pedigree: early lockers were built from the LockBit 3.0 builder; the newer line borrows from Conti v3 with upgrades (e.g., BYOVD to kill defenses). Group-IB

  • Crypto: variants observed using AES+RSA or ChaCha/Salsa family for speed; Windows, Linux, ESXi & NAS builds available to affiliates with rich CLI switches (delay, threads, ESXi VM handling, allow/deny lists). SentinelOne

  • Branding/portals: optional white-label skins; RansomBay leak portals host affiliate data; DF advertises an 80/20 affiliate split. SentinelOne, Check Point Blog

  • File markers: extensions are custom per campaign; those seen in the wild include “.dragonforce_encrypted” and the “.DEVMAN” variant line. Don’t key on one string. Microsoft, Broadcom


Tactics, techniques & procedures (MITRE ATT&CK)

Initial access — TA0001

  • Social engineering / help-desk phishing and use of stolen creds; heavy RDP focus. Sophos News

  • Opportunistic edge exploitation: Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887/21893), Log4Shell, and Windows SmartScreen bypass (CVE-2024-21412). SentinelOne

Execution / Persistence / Priv-Esc — TA0002/TA0003/TA0004

  • Cobalt Strike, SystemBC backdoor, credential dumping, and BYOVD to kill EDR. Group-IB

Discovery & Lateral movement — TA0007/TA0008

  • SoftPerfect/Advanced IP Scanner, PingCastle; PsExec/SSH to push lockers across Windows/ESXi. Group-IB

Exfiltration & Command and control — TA0010/TA0011

  • MEGA, SFTP/WebDAV; DF runs Tor-based victim portals (RansomBay et al.). SentinelOne

Impact — TA0040

  • Multi-extortion: data theft + encryption; affiliate-tuned service kills, VSS deletion, event-log clearing. Group-IB


What changed in 2025 (why defenders should care)

  • Cartelization & white-label: lowers barriers for affiliates and hides attribution, increasing attack noise. SentinelOne, Check Point Blog

  • RansomHub takeover & turf wars: ecosystem instability → overlapping/extortion-on-extortion risks for victims. Trend Micro, Sophos News

  • Retail + industrial interest: DF campaigns impacted UK retail; multiple sources track industrial victims too. Sophos News, Barracuda Blog


Hunt & detect — quick wins you can deploy today

Identity/edge

  • Alert on new VPN logins from unusual geos; watch for Ivanti ICS exploit chains (46805/21887/21893) and SmartScreen 21412 artifacts. Enforce FIDO2/WebAuthn MFA for VPN/RDP/help-desk. SentinelOne

Endpoint/EDR

  • Sequence analytics: VSS deletions → service/process kills → event-log clears → high-volume writes within minutes.

  • Flag SystemBC beacons, Cobalt Strike; block unapproved RMM installs. Group-IB
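The sequence analytic in the first bullet above, as an added example that is not part of the original post: a per-host ordered state machine over constructed endpoint telemetry, where the hostnames, timestamps, file paths and command-line regexes are all assumptions for illustration.

```python
"""Sequence analytics for the chain above: VSS delete -> service/process kill ->
event-log clear -> write burst on one host within minutes. Sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Ordered stages: (name, regex over the command line, minimum matching events).
# Patterns are assumptions covering built-in tools commonly abused for each step.
STAGES = [
    ("vss_delete",   re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I), 1),
    ("service_kill", re.compile(r"\b(sc\s+stop|net\s+stop|taskkill)\b", re.I), 1),
    ("log_clear",    re.compile(r"\bwevtutil\s+cl\b", re.I), 1),
    ("write_burst",  re.compile(r"^FILE_WRITE\b"), 50),  # >= 50 file writes after the log clear
]
WINDOW = timedelta(minutes=10)

def parse(line):  # "<ISO timestamp> <host> <command line | FILE_WRITE path>"
    ts, host, cmd = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, cmd

def detect(lines, stages=STAGES, window=WINDOW):
    """Return {host: stage-0 timestamp} for hosts completing every stage in order
    within `window`; unrelated events in between are ignored."""
    by_host = defaultdict(list)
    for ts, host, cmd in sorted(parse(l) for l in lines):
        by_host[host].append((ts, cmd))
    alerts = {}
    for host, evs in by_host.items():
        for start, (t0, c0) in enumerate(evs):
            if host in alerts or not stages[0][1].search(c0):
                continue  # anchor a fresh attempt on every stage-0 event
            deadline, stage, count = t0 + window, 0, 0
            for ts, cmd in evs[start:]:
                if ts > deadline:
                    break  # chain did not complete inside the window
                if stages[stage][1].search(cmd):
                    count += 1
                    if count >= stages[stage][2]:
                        stage, count = stage + 1, 0
                        if stage == len(stages):
                            alerts[host] = t0
                            break
    return alerts
# Constructed telemetry: WS-FIN-07 runs the full chain; SRV-BK-02 is routine backup rotation.
BASE = datetime(2025, 8, 31, 10, 0, 0)
_t = lambda s: (BASE + timedelta(seconds=s)).isoformat()
SAMPLE = [f"{_t(0)} WS-FIN-07 vssadmin.exe delete shadows /all /quiet",
          f"{_t(20)} WS-FIN-07 net stop MSSQLSERVER /y", f"{_t(40)} WS-FIN-07 wevtutil cl Security",
          f"{_t(5)} SRV-BK-02 vssadmin.exe delete shadows /for=D: /oldest", f"{_t(900)} SRV-BK-02 wevtutil cl Application",
         ] + [f"{_t(60 + i)} WS-FIN-07 FILE_WRITE C:\\Finance\\q3_{i}.xlsx.dragonforce_encrypted" for i in range(60)]
```

`detect(SAMPLE)` flags only WS-FIN-07; the backup server's lone shadow-copy deletion never completes the chain, which is the point of correlating the stages rather than alerting on any one of them.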

Network

  • New SFTP/MEGA/WebDAV egress from servers; sudden SMB/PsExec bursts; Tor bootstrap from non-admin subnets. SentinelOne

ESXi

  • Monitor for vim-cmd enumeration, mass VM stop, and SSH enablement from vCenter scripts. SentinelOne


Mitigation priorities (that actually cut risk)

  1. Patch/harden the edge first: Ivanti Connect Secure, internet-exposed RDP/Citrix; shrink attack surface with geo/IP allowlists. SentinelOne

  2. Phishing-resistant MFA everywhere plus strict help-desk verification (voice-phish is common in these crews). Sophos News

  3. Control RMM/tunnels: inventory & default-deny AnyDesk, ScreenConnect, etc.; alert on installs/first use. Sophos News

  4. Backups & recovery: offline/immutable, tested restores; stage restore networks; practice double-extortion comms. Check Point Blog

  5. EDR hardening: block BYOVD loaders; enforce kernel-mode driver allowlisting; monitor for SystemBC persistence keys. Group-IB


Rapid response playbook (print-friendly)

  1. Contain: isolate compromised users/hosts; disable suspicious VPN sessions; block Tor and MEGA at egress.

  2. Preserve: pull Ivanti/RDP/VPN logs, AD, EDR, hypervisor telemetry; snapshot affected VMs.

  3. Hunt: look for DF behaviors above; search for RansomBay case IDs and DF Tox IDs in notes/portals. SentinelOne

  4. Eradicate: patch edge; rotate creds (admins, VPN, service accts); remove persistence (scheduled tasks, drivers, tunnels).

  5. Recover: staged restore; throttle egress; verify with canary files.

  6. Notify: regulators & law enforcement; coordinate legal/PR for potential data-leak pressure.


Indicators & reference artifacts (sample, not exhaustive)

  • Portals (Tor) and Tox IDs published in open reporting for DF/RansomBay operations; incorporate in intel feeds for blocking/hunt. SentinelOne

  • Extensions observed: “*.dragonforce_encrypted”, “.DEVMAN”, plus campaign-specific strings; treat the extension as a low-fidelity IOC. Microsoft, Broadcom


Sources / further reading

  • SentinelOne (May 2, 2025): payload lineage (LockBit → Conti), CLI options, SystemBC, white-label & RansomBay.

  • Check Point Blog (May 6, 2025): 20% cut, white-label kits, affiliate absorption post-RansomHub.

  • Trend Micro (Dec 20, 2024, updated 2025): RansomHub takeover timeline (Mar 31–Apr 8, 2025).

  • Sophos News (May 21, 2025): cartel rebrand, rival defacements, UK retail campaign; Scattered Spider/GOLD HARVEST links.

  • Group-IB (Sep 25, 2024): two DF variants, BYOVD, crypto details, SystemBC/Cobalt Strike usage.

  • Microsoft & Broadcom (2025): observed extensions “.dragonforce_encrypted” and the “.DEVMAN” variant.




#CyberDudeBivash #DragonForce #Ransomware #RaaS #RansomBay #DoubleExtortion #Ivanti #BYOVD #ESXi #MITREATTACK #DFIR #ThreatIntel
