Inside DragonForce Ransomware and Scattered Spider

Summary
– DragonForce ransomware, first seen in 2023, has evolved into a “ransomware cartel,” using an updated variant that exploits vulnerable drivers to disable security software.
– It operates as a Ransomware-as-a-Service (RaaS) model, recruiting affiliates by offering high profit shares and customizable tools, which lowers the barrier for new cybercriminals.
– The group’s effectiveness is amplified by a strategic partnership with Scattered Spider, a threat actor specializing in sophisticated social engineering to gain initial access to high-value targets.
– This alliance represents a shift towards collaborative cybercrime models, combining elite access skills with a robust ransomware service to execute coordinated, multi-stage attacks.
– Defensive measures must now address these collaborative threats, focusing on phishing-resistant MFA and EDR solutions to detect tools and techniques used across the intrusion chain.
The cybersecurity landscape faces a significant new challenge with the evolution of the DragonForce ransomware operation into a full-fledged “ransomware cartel.” This strategic shift, coupled with its high-profile partnership with the social engineering experts of Scattered Spider, creates a formidable and adaptive threat to organizations globally. This alliance merges elite initial access techniques with a scalable ransomware service, enabling devastating attacks on high-value targets.
Initially surfacing in 2023, DragonForce has undergone substantial technical development. Its latest variant aggressively disables security measures by exploiting vulnerable drivers like truesight.sys and rentdrv2.sys. Furthermore, the group has patched encryption weaknesses that were previously documented in public forums, demonstrating a responsive approach to improving its malware based on external analysis. The group’s operational tempo has visibly increased, with a growing number of victim organizations listed on its data leak site.
DragonForce began as a Ransomware-as-a-Service (RaaS) operation, initially leveraging a compromised builder for the LockBit 3.0 ransomware before advancing to use modified source code from the notorious Conti v3. Its recent rebranding as a “cartel” signifies a major strategic pivot. By offering affiliates a generous 80% share of profits alongside customizable tools and infrastructure, DragonForce actively lowers the barrier to entry for cybercriminals. This cartel model focuses on recruitment and partnership over deep code customization, enabling rapid scaling and widespread impact.
The group’s most dangerous capability, however, stems from its collaboration with Scattered Spider, a threat actor renowned for sophisticated social engineering. This partnership creates a seamless attack chain. Scattered Spider meticulously researches target organizations, gathering employee details from public sources to craft convincing personas. They then employ advanced tactics like MFA fatigue attacks and SIM swapping to bypass multifactor authentication and gain initial access.
Once inside a network, the group establishes persistence using common remote management tools such as ScreenConnect or AnyDesk. They conduct extensive reconnaissance, targeting credential stores, backup servers, and cloud configuration data. In recent incidents, they have used tools like AWS Systems Manager Inventory to map networks and ETL processes to consolidate stolen data before exfiltrating it to attacker-controlled cloud storage. The final stage involves deploying DragonForce ransomware to encrypt data across Windows, Linux, and ESXi systems.
This cooperative model between specialized threat actors represents a troubling trend in cybercrime. It combines Scattered Spider’s elite human exploitation skills with DragonForce’s efficient ransomware platform, creating a more persistent and damaging threat. Defending against this dual threat requires a multifaceted security approach. Organizations must implement phishing-resistant MFA to counter social engineering and deploy robust endpoint detection and response (EDR) solutions capable of spotting the deployment of remote tools and malicious drivers that signal an impending ransomware attack.
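The two EDR signals the paragraph above calls out (loads of the vulnerable drivers the article names, and execution of the remote management tools it names) can be checked in telemetry with a simple triage pass. The following is an added example, not code from the article or from any vendor product; the Sysmon-style event shape, host names and tool file paths are constructed assumptions.

```python
# Added example: flag vulnerable-driver loads (truesight.sys, rentdrv2.sys) and
# RMM tool execution (ScreenConnect, AnyDesk) in Sysmon-style events, then
# escalate any host that shows both, since that pairing is the pre-encryption
# pattern the article describes. Event fields and paths are assumptions.
from collections import defaultdict
from pathlib import PureWindowsPath

VULNERABLE_DRIVERS = {"truesight.sys", "rentdrv2.sys"}   # driver names from the article
RMM_MARKERS = ("screenconnect", "anydesk")               # RMM tools from the article

# Constructed sample telemetry: Sysmon EventID 6 = driver loaded, EventID 1 = process created.
SAMPLE_EVENTS = [
    {"host": "fs01", "event_id": 1, "image": r"C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe"},
    {"host": "fs01", "event_id": 6, "image": r"C:\Windows\Temp\truesight.sys"},
    {"host": "ws22", "event_id": 1, "image": r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"host": "db03", "event_id": 6, "image": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"host": "db03", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe"},
]

def classify(event):
    """Return a finding label for one event, or None if nothing matched."""
    name = PureWindowsPath(event["image"]).name.lower()   # case-insensitive basename
    if event["event_id"] == 6 and name in VULNERABLE_DRIVERS:
        return "vulnerable_driver_load"
    if event["event_id"] == 1 and any(m in name for m in RMM_MARKERS):
        return "rmm_tool_exec"
    return None

def triage(events):
    """Group findings per host; a host showing both indicators is escalated to 'critical'."""
    per_host = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            per_host[ev["host"]].add(label)
    report = {}
    for host, labels in per_host.items():
        severity = "critical" if len(labels) == 2 else "medium"
        report[host] = {"severity": severity, "findings": sorted(labels)}
    return report

if __name__ == "__main__":
    for host, info in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {info['severity']} {info['findings']}")
```

Drivers abused this way carry valid signatures, so a signature check alone will not flag them; matching on name or hash plus an unusual load path (here a temp directory) is what surfaces the load.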
Security teams must now prepare for coordinated, multi-stage intrusions that leverage the combined expertise of a criminal ecosystem. The alliance between DragonForce and Scattered Spider underscores that modern cyber defenses must anticipate these collaborative attack models, where the initial breach is just the first step in a highly organized criminal operation.
(Source: Bleeping Computer)