DragonForce Cartel: The New Conti Ransomware Threat

Summary
– DragonForce is a new ransomware operation built on Conti’s leaked source code, adopting a cartel-like structure and recruiting affiliates.
– The group uses Conti’s encryption methods and network-spreading capabilities, with multiple encryption modes and a hidden configuration system.
– DragonForce has formed alliances with groups like Scattered Spider and is involved in aggressive tactics, including defacing rival leak sites and attempting server takeovers.
– The ransomware threatens to delete decryptors and leak data, as seen in active campaigns with deadlines on September 2 and September 22.
– Security experts recommend defenses such as robust backups, network segmentation, patching, endpoint protection, and user awareness training to counter such threats.
A new and formidable ransomware operation, calling itself DragonForce, has emerged by building directly upon the infamous Conti ransomware’s leaked source code. This group exhibits cartel-like ambitions, organizing coordinated attacks and actively recruiting other cybercriminals through a shared platform. Unlike traditional ransomware-as-a-service models, DragonForce encourages its affiliates to develop their own branded variants, effectively creating a decentralized criminal network.
Security researchers from the Acronis Threat Research Unit confirm that DragonForce retains the core technical blueprint of Conti. It employs the same powerful combination of ChaCha20 and RSA encryption, generating a unique key for every file it encrypts. A small, ten-byte metadata block is appended to each file, encoding specific details about the encryption mode and file characteristics. The group has demonstrated its operational seriousness by publicly threatening to destroy decryptors and leak stolen data on specific dates, including September 2 and September 22.
From a technical standpoint, the ransomware is designed to encrypt data on local drives and across network shares using the Server Message Block (SMB) protocol. Analysts have observed that it runs unchanged Conti-style routines, but it also incorporates a hidden configuration system that supersedes any visible command-line parameters. The malware supports multiple encryption modes to suit different attack scenarios, including a Full mode (0x24) for complete encryption, a Partial mode (0x25), and a Header-only mode (0x26) that can still render files inaccessible.
The growth of DragonForce’s affiliate network is a key indicator of its expanding influence. The emergence of the Devman group serves as a prime example of its recruitment model. Devman initially deployed a variant based on the Mamona ransomware before fully transitioning to a strain built with DragonForce’s tools. The ransom notes used by both strains were nearly identical, suggesting a smooth migration into the DragonForce ecosystem to take advantage of its superior infrastructure and tooling.
DragonForce has also formed a significant partnership with Scattered Spider, a cybercrime group renowned for its skill in gaining initial access to corporate networks. This alliance has been linked to high-profile incidents, including an attack on UK retailer Marks & Spencer, which researchers attribute to collaborative efforts between the two groups shortly after DragonForce announced its “cartel” rebranding.
In a display of aggressive market dominance, DragonForce has engaged in hostile actions against its rivals. The group defaced the leak site of the BlackLock ransomware operation and attempted to seize control of Ransomhub’s servers. This pressure campaign appears to have been successful, potentially driving some Ransomhub affiliates to seek refuge with competing groups like Qilin and DragonForce itself. Security firm Acronis noted that by adopting the “cartel” identity, DragonForce sought to amplify its influence and solidify alliances, proving its clout by directly attacking competitor infrastructure.
To defend against threats like DragonForce, organizations are urged to adopt a multi-layered security strategy. Implementing robust, isolated backup practices is considered fundamental for recovery. It is also critical to restrict lateral movement across a network through segmentation and to diligently monitor for any unusual access attempts to shared resources. Consistent software patching, advanced endpoint protection solutions, and comprehensive user awareness training form the essential defensive layers needed to protect against financially motivated threat actors looking for any vulnerability to exploit.
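The article notes that the ransomware encrypts across SMB shares and recommends monitoring shared resources for unusual access. As an added example (not from the article or from Acronis), the following Python sketch shows one way to do that monitoring: it slides a time window over per-client share-write events in a simplified form of Windows Security event 5145 and flags a client that writes an unusual number of distinct files or fans out across several shares. The log lines, thresholds, client addresses and share names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified form of Windows Security event 5145 (network
# share access): "time|client address|share|relative target|access mask (hex)".
# Values are invented for this example; real 5145 events carry the same fields.
_T0 = datetime(2024, 9, 1, 2, 10, 0)
_LINES = [f"{(_T0 + timedelta(seconds=90 * i)).isoformat()}|10.0.5.23|\\\\FS01\\Finance|report{i}.xlsx|0x2"
          for i in range(5)]                                   # benign: a user saving a few files
_LINES += [f"{(_T0 + timedelta(seconds=3 * i)).isoformat()}|10.0.7.41|\\\\FS01\\{['Finance', 'HR', 'Legal', 'Eng'][i % 4]}|doc{i}.docx|0x2"
           for i in range(60)]                                 # suspect: 60 files on 4 shares in 3 min
SAMPLE_LOG = "\n".join(_LINES)

WRITE_MASK = 0x2             # FILE_WRITE_DATA / FILE_ADD_FILE bit of the access mask
WINDOW = timedelta(minutes=5)
FILE_THRESHOLD = 50          # distinct files written by one client inside WINDOW
SHARE_THRESHOLD = 3          # distinct shares written by one client inside WINDOW

def parse_events(text):
    """Turn the constructed log lines into (time, client, share, target, mask) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, share, target, mask = line.split("|")
        events.append((datetime.fromisoformat(ts), src, share, target, int(mask, 16)))
    return events

def detect_mass_share_writes(events, window=WINDOW,
                             file_threshold=FILE_THRESHOLD, share_threshold=SHARE_THRESHOLD):
    """Per client, slide a time window over its write events and flag a burst of
    distinct files or a fan-out across many shares; returns {client: worst window}."""
    writes = defaultdict(list)
    for ts, src, share, target, mask in sorted(events, key=lambda e: e[0]):
        if mask & WRITE_MASK:                      # only writes matter for encryption activity
            writes[src].append((ts, share, target))
    alerts = {}
    for src, rows in writes.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1                         # drop events that fell out of the window
            span = rows[start:end + 1]
            files = {(s, t) for _, s, t in span}
            shares = {s for _, s, _ in span}
            if len(files) >= file_threshold or len(shares) >= share_threshold:
                if len(files) > alerts.get(src, {"files": 0})["files"]:
                    alerts[src] = {"files": len(files), "shares": len(shares),
                                   "first": span[0][0].isoformat(), "last": span[-1][0].isoformat()}
    return alerts

if __name__ == "__main__":
    for client, hit in detect_mass_share_writes(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {client}: {hit['files']} files on {hit['shares']} shares "
              f"between {hit['first']} and {hit['last']}")
```

Thresholds need tuning per environment; backup agents and sync clients legitimately write many files and should be allow-listed before such a rule goes into production.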
(Source: Info Security)