Close Menu
Cybercrime and Ransomware

Researchers Uncover DragonForce Ransomware and Release Decryptor for ESXi & Windows

Staff WriterBy No Comments4 Mins Read0 Views

Essential Insights

  1. DragonForce is a newly emerging ransomware targeting Windows and VMware ESXi, with operations moving from public forums to full RaaS deployment since December 2023.
  2. It is built using leaked LockBit 3.0 and Conti code, optimized for flexible, high-speed encryption of local and network data, often after initial access via exposed RDP servers.
  3. A deobfuscation routine and strong encryption (ChaCha8 and RSA-4096) make it resilient, but researchers have developed specific decryptors for both Windows and ESXi systems.
  4. The ransomware’s workflow involves configuration decryption, targeted file encryption, and appending encrypted metadata, with options for operators to customize attack modes and speeds.

The Issue

In December 2023, the cybersecurity community uncovered DragonForce, a new ransomware strain evolving from the dark web’s Ransomware-as-a-Service (RaaS) landscape. The group initially surfaced on BreachForums, actively promoting stolen data while exploiting vulnerabilities in both Windows and VMware ESXi environments. Its development stemmed from repurposed code from LockBit 3.0 and Conti, but with distinct enhancements allowing swift, flexible encryption across local disks and network shares. The attackers typically gain entry by exploiting exposed remote desktop servers, employing tools like Cobalt Strike and SystemBC to lateral movement, which ultimately facilitates the deployment of the ransomware and the theft of data, often prepped for public release.

Researchers, notably from S2W, analyzed DragonForce’s technical architecture, revealing a custom build that deobfuscates its code through a proprietary routine and encrypts files using ChaCha8 combined with RSA-4096 encryption. They observed that the operators can modify attack modes—local, network, or mixed—and adjust encryption intensity for efficiency. Importantly, S2W developed decryptors capable of restoring affected files on Windows and ESXi systems, offering victims a pathway to recovery without payment. These tools specifically target files with particular extensions and metadata markers, parsing decryption keys through a comprehensive process chain. Consequently, this detailed breakdown provides valuable insights into DragonForce’s operational mechanics and potential recovery strategies, enhancing defenders’ ability to counteract such threats.

What’s at Stake?

The issue of researchers breaking down DragonForce ransomware, along with its decryptor, can happen to your business unexpectedly. Ransomware like DragonForce can infiltrate your network through phishing emails, malicious links, or unpatched vulnerabilities. Once inside, it encrypts critical data on both ESXi servers and Windows systems, rendering your operations non-functional. This disruption leads to significant downtime, loss of revenue, and damage to your reputation. In addition, recovering without paying the ransom can be challenging, even with decryptors now available. Therefore, robust security measures, regular backups, and proactive monitoring are crucial to prevent such devastating attacks that can cripple your business’s productivity and financial stability.

Possible Action Plan

In the landscape of cyber threats, timely remediation is critical to minimizing damage, restoring operations, and safeguarding sensitive information, especially when combating sophisticated ransomware like Researchers Breakdown DragonForce that targets both ESXi and Windows environments.

Containment Measures

  • Isolate affected systems immediately to prevent spread.
  • Disable network connectivity for compromised devices.

Assessment & Identification

  • Conduct a thorough investigation to understand the scope of infection.
  • Identify and document affected systems and files.

Eradication Strategies

  • Remove malicious files and malware remnants.
  • Apply security patches and updates to vulnerable systems.

Recovery Procedures

  • Use available decryptors for affected systems when possible.
  • Restore data from secure, offline backups.

Prevention & Hardening

  • Implement strong access controls and multi-factor authentication.
  • Enable security features like firewalls, intrusion detection, and endpoint protection.

Communication & Reporting

  • Notify stakeholders and relevant authorities as required.
  • Document response efforts and lessons learned for future mitigation.

Explore More Security Insights

Stay informed on the latest Threat Intelligence and Cyberattacks.

Access world-class cyber research and guidance from IEEE.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1cyberattack-v1-multisource

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.