DragonForce Ransomware Group Uses LockBit's Leaked Builder


A new strain of ransomware called DragonForce has been observed using a leaked ransomware builder from the infamous LockBit ransomware group.

Cyber threat intelligence firm Cyble has revealed that the cybercriminal group was using a ransomware binary based on a leaked builder of LockBit Black ransomware.

Cyble shared its findings after investigating DragonForce’s activity over the past few months in a blog post published on April 24, 2024.

Leaked Ransomware Builders Are a Major Threat

LockBit Black, also known as LockBit 3.0, is the third version of the LockBit group’s ransomware. It was released in March 2022 and leaked six months later by the group's disgruntled developer.

LockBit admins reacted by launching a so-called new version of their ransomware, called LockBit Green, but it was later reported to be a mere rebranded version of a Conti encryptor.

Although Operation Cronos, an international law enforcement operation, took down the LockBit group's infrastructure in February 2024, the LockBit Black builder is still available for everyone to use.

Cyble Research & Intelligence Labs (CRIL) concluded that DragonForce has been leveraging the leaked builder to develop its own toolset after observing striking similarities in the code structure and functions of its ransomware payload and LockBit Black.

“The discovery of DragonForce ransomware and its links to the leaked builder of LockBit Black ransomware underscores the growing threat posed by the abuse of leaked malware-building tools in cyberattacks. The accessibility of such tools enables threat actors to customize and deploy ransomware payloads with ease, amplifying the risk landscape for organizations globally,” the Cyble researchers wrote.


Who is Behind DragonForce?

DragonForce ransomware was first detected in November 2023. The group typically employs a double extortion tactic involving data exfiltration followed by encryption. If the victim fails to pay the ransom, the threat actor publishes the victim’s data on its leak site.

The group has claimed a series of high-profile attacks, with targets including Ohio Lottery, Yakult Australia and Coca-Cola Singapore.

In an unusual turn of events, both DragonForce and LockBit posted ransom notes saying they compromised the government of Palau's IT systems. The alleged victim later denied the claims.

There is also a hacktivist group called DragonForce, based in Malaysia, responsible for various malicious campaigns targeting government agencies and organizations across the Middle East and Asia in 2021 and 2022.

Although this group announced its intention to launch its own ransomware in 2022, it remains unclear if the same people are behind the two entities or if they are linked in any way.
