DragonForce ransomware [1] [2], a new strain that uses double extortion tactics, emerged in November 2023.


This ransomware group has been observed using a leaked builder from the LockBit ransomware group to develop its own toolset, and the two share similarities in code structure and functions [1]. DragonForce targets high-profile organizations such as Ohio Lottery [1], Yakult Australia [1], and Coca-Cola Singapore [1], exfiltrating data before encrypting it [1]. In an unusual turn of events [1], both DragonForce and LockBit claimed to have compromised the government of Palau's IT systems [1], although the alleged victim denied the claims [1]. Separately, there is a hacktivist group called DragonForce based in Malaysia [1] [2], responsible for various malicious campaigns targeting government agencies and organizations across the Middle East and Asia in 2021 and 2022 [1].


The group leaks victim data on its site if the ransom is not paid [2]. Its ransomware terminates processes and services for faster encryption [2], renames files with a unique extension [2], and drops a ransom note [2]. The discovery of DragonForce ransomware highlights the threat that leaked malware-building tools pose in cyberattacks [2] and emphasizes the need for cybersecurity best practices to prevent and respond to ransomware attacks [2].


The emergence of DragonForce ransomware underscores the importance of robust cybersecurity measures to protect against evolving threats. Organizations must prioritize security protocols, employee training, and incident response plans to mitigate the risks posed by ransomware attacks. The use of leaked builder tools in cyberattacks serves as a stark reminder of the need for vigilance and proactive defense strategies in the face of increasingly sophisticated threats.


[1] https://www.infosecurity-magazine.com/news/dragonforce-ransomware-lockbit/
[2] https://cyble.com/blog/lockbit-blacks-legacy-unraveling-the-dragonforce-ransomware-connection/