Cyble Research & Intelligence Labs (CRIL) recently discovered evidence suggesting that the threat actors behind the DragonForce ransomware group might have leveraged a leaked LockBit 3.0 (Black) builder to craft their own ransomware builder.
Detailed analysis revealed striking similarities between the binaries generated by the leaked LockBit 3.0 builder and DragonForce’s own ransomware builder. The findings come as part of a larger trend where newer threat actor groups are observed relying on previously-existing malware to form their own operational tools to deploy in campaigns.
DragonForce Ransomware Binary Likely Based on LockBit 3.0 Build
The DragonForce ransomware group began its operations on November 2023, employing double extortion tactics to target victims.
The group is potentially linked to the Malaysian hacktivist group ‘DragonForce’ known for conducting campaigns against various government agencies and organizations present in the Middle East and Asia during 2021 and 2022. While the group is known to have announced its intention to launch ransomware operations in 2022, proper attribution remains difficult due to limited information.
CRIL Researchers recently came across a DragonForce ransomware binary based on a LockBit Black (third-known LockBit variant) binary. The LockBit ransomware builder was known to have been shared on X (Twitter) on September 2022. Ransomware builders allow ransomware operators specific options and customizability while generating ransomware payloads.
The builder included a “config.json” file to customize payloads for functionalities such as encryption, filename encryption, impersonation, file/folder exclusion, exclusion based on languages spoken in CIS (Commonwealth of Independent States) countries, and ransom note templates.
Comparison between a LockBit builder-generated ransomware binary to that of a DragonForce builder generated ransomware binary revealed several similarities in code structure, functions and process termination.
These similarities suggest a strong likelihood that the DragonForce ransomware binary was developed based on the utilisation of the leaked LockBit binary file.
DragonForce Ransomware Operations
Earlier this year in February 2024, DragonForce listed two American companies, ‘Westward360’ and ‘Compression Leasing Services’ as victims on its leak site.
Earlier in December 2023, the group claimed responsibility for an attack where over 600 GB of data was stolen from the Ohio Lottery. The stolen data consisted of both player and employee records with sensitive information such as names, addresses, winnings, dates of birth, and social security numbers. The Ohio Lottery confirmed the cyber-incident and stated that it involved significant data theft.
In the same month, Yakult Australia fell victim to the DragonForce ransomware gang’s operations impacting its Australia and New Zealand divisions with over 95GB of data being stolen in the attack. The Yakult Australia data breach is believed to contain business documents, spreadsheets, credit applications, employee records, and copies of identity documents, including passports.
The company later acknowledged the incident and disclosed details relating to the incident to relevant authorities such as the Australian Cyber Security Centre and the New Zealand National Cyber Security Centre. It is notable that in both attacks, the impacted systems continued to operate normally suggesting the group employs stealthy techniques.
The discovery of DragonForce’s use of a leaked LockBit builder underscores the general conduct of newer ransomware groups employing existing ransomware tools and the interconnected nature of cybercriminal operations. Last year in July 2023, researchers from VMware discovered similarities between the 8Base Ransomware and earlier ransomware groups such as RansomHouse and Phobos.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
