Modified LockBit and Conti ransomware shows up in DragonForce gang’s attacks

The cybercriminal group known as DragonForce has been attacking the manufacturing, real estate and transportation industries worldwide using modified versions of two notorious ransomware variants, researchers said Wednesday.

The gang’s toolset includes malware based on a leaked LockBit ransomware, as well as a customized Conti variant with advanced features.

The deployment of these malicious tools is “unsurprising,” as modern ransomware operators “are increasingly reusing and modifying builders from well-known ransomware families that were leaked to tailor them to their needs,” said researchers at Singapore-based cybersecurity firm Group-IB. Conti, Babuk and LockBit are among the common families that have been modified.

Over the past year, Group-IB observed DragonForce targeting 82 victims, mostly in the U.S., followed by the U.K. and Australia.

DragonForce works as ransomware-as-a-service and carefully selects its affiliates, preferring experienced cybercriminals who focus on high-value targets, according to the group’s post on the dark web. DragonForce affiliates receive 80% of the ransom. The group allows them to customize its tools for specific attacks, including setting encryption parameters and personalizing ransom notes.

The operators of DragonForce use a double extortion technique, exfiltrating a victim’s sensitive data and threatening to leak it, in addition to encrypting the data on the organization’s servers. . They then demand ransom payments in return for a decryptor and the “promise” that the stolen data will not be released.

This approach adds “significant pressure” on victims to comply with the attackers’ demands, as there could be potential damage to their reputation, privacy, or business continuity if their data is made public, Group-IB said.

In addition to the leaked LockBit 3.0 and Conti builders, DragonForce also uses other tools in its attacks, including the SystemBC backdoor for persistence, Mimikatz and Cobalt Strike for credential harvesting, and Cobalt Strike also for lateral movement.

Researchers called DragonForce a “formidable adversary” because it targets key industries and employs advanced tools and tactics. The group’s previous attacks include those on probiotic milk drink manufacturer Yakult Australia, the Ohio Lottery, and the government of Palau.

Group-IB did not attribute the attacks to any specific country or individuals. Previously, researchers hinted that the group could be based in Malaysia.