'DragonForce' Emerges as New Ransomware Cartel Built on LockBit and Conti DNA

New Ransomware Cartel 'DragonForce' Emerges, Leveraging LockBit and Conti Code on 'Ransombay' RaaS Platform

HIGH
January 20, 2026
Categories: Ransomware, Threat Actor, Malware

Related Entities

Threat Actors

DragonForce


Executive Summary

A new Ransomware-as-a-Service (RaaS) group, DragonForce, has been identified and is being monitored by security analysts. The group is notable for its strategy, which involves building its malware on the leaked source code of two of the most infamous ransomware families in history: LockBit 3.0 and Conti. DragonForce is marketing its services to affiliates via a platform named 'Ransombay' and appears to be consolidating power by absorbing smaller ransomware operations. This development highlights the continued evolution and industrialization of the ransomware threat, where dismantled groups' tools are quickly repurposed by new actors.

Threat Overview

The emergence of DragonForce as a self-proclaimed "ransomware cartel" is a significant development. By leveraging the proven and effective codebases of LockBit and Conti, the group can bypass much of the initial development effort and immediately deploy a sophisticated and feature-rich ransomware payload. This allows them to focus on recruitment, operations, and marketing their 'Ransombay' platform to a wide pool of potential affiliates. The strategy of absorbing rival groups suggests an ambition to quickly become a dominant player in the RaaS market, similar to how Conti operated at its peak.

Technical Analysis

While specific attacks have not yet been detailed, the malware's lineage provides insight into its likely capabilities:

  • Inherited TTPs: The ransomware payload will likely incorporate the most effective features from both LockBit and Conti.
    • From Conti: Advanced lateral movement capabilities using tools like PsExec, multi-threading for rapid encryption, and the double-extortion model with a dedicated leak site.
    • From LockBit 3.0: Highly efficient and fast encryption, advanced anti-debugging and evasion techniques, and the ability to delete Volume Shadow Copies to inhibit recovery (T1490 - Inhibit System Recovery).
  • RaaS Platform ('Ransombay'): This platform will provide affiliates with the ransomware builder, a management panel to track victims, and a negotiation portal. This lowers the barrier to entry for less skilled criminals to conduct ransomware attacks (T1608.003 - Install Digital Certificate).
  • Likely Attack Chain: Affiliates will use common initial access vectors (phishing, stolen credentials, vulnerability exploitation) to gain entry, then use the DragonForce payload to encrypt the network and exfiltrate data.

Impact Assessment

The emergence of a well-organized group like DragonForce, armed with top-tier ransomware code, increases the threat level for organizations globally. The group's professionalized approach and RaaS model mean we can expect an increase in the frequency and scale of attacks as they onboard more affiliates. The use of proven code means that many existing defenses may be challenged. The cartel-like strategy could also lead to less competition and more collaboration among top-tier criminals, further refining their TTPs and increasing their success rate.

IOCs

Type         | Value       | Description
Threat Actor | DragonForce | The name of the new RaaS group.
Malware      | Ransombay   | The name of the RaaS platform operated by DragonForce.

Cyber Observables for Detection

As DragonForce uses Conti and LockBit code, observables for those families are relevant for hunting:

  • command_line_pattern: vssadmin.exe delete shadows /all /quiet
    Description: Classic ransomware behavior to prevent system restore. A key indicator for LockBit and Conti.
    Context: EDR logs, PowerShell logs. Confidence: high.
  • file_name: *.lockbit
    Description: The file extension used by LockBit. DragonForce may adopt a similar or new unique extension.
    Context: File integrity monitoring. Confidence: medium.
  • process_name: rundll32.exe
    Description: Conti was known to use rundll32.exe to execute its malicious DLL. Monitor for this process spawning from unusual parent processes.
    Context: EDR process relationship monitoring. Confidence: medium.
  • string_pattern: Conti or LockBit
    Description: The leaked source code may still contain strings or artifacts from the original malware families.
    Context: Memory scanning with YARA, static file analysis. Confidence: low.
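The observables above, together with the behavioral rules in the Detection & Response section (shadow copy deletion, rundll32.exe from an unusual parent, the .lockbit extension, and rapid rename/write bursts from a single process), can be checked against EDR telemetry. The following is an added example written for this article, not code from the report or any vendor; the event schema, the rundll32.exe parent allowlist and the burst threshold are assumptions, and the events are constructed, not real DragonForce data.

```python
import re
from collections import defaultdict

# Constructed EDR telemetry for the example (not real DragonForce data). The flat
# process/file schema is an assumption of this example, not any vendor's format.
EVENTS = [
    {"ts": 100, "type": "process", "host": "ws01", "pid": 4100, "parent": "cmd.exe",
     "image": "vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": 101, "type": "process", "host": "ws01", "pid": 4102, "parent": "winword.exe",
     "image": "rundll32.exe", "cmdline": "rundll32.exe C:\\Users\\Public\\upd.dll,Start"},
    {"ts": 102, "type": "process", "host": "ws02", "pid": 5000, "parent": "svchost.exe",
     "image": "rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
] + [  # 300 renames by pid 4102 spread over three seconds: an encryption burst
    {"ts": 103 + i // 100, "type": "file", "host": "ws01", "pid": 4102,
     "action": "rename", "path": f"C:\\share\\doc{i}.docx.lockbit"} for i in range(300)
]

VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
# Assumed allowlist of parents that normally launch rundll32.exe; tune per estate.
EXPECTED_RUNDLL32_PARENTS = {"explorer.exe", "svchost.exe", "services.exe"}
RENAME_BURST = 100  # renames/writes by one process within one second (assumed threshold)


def detect(events):
    """Return sorted (rule, host, pid) alerts, deduplicated per rule and process."""
    alerts = set()
    per_second = defaultdict(int)  # (host, pid, second) -> file renames/writes
    for e in events:
        proc = (e["host"], e["pid"])
        if e["type"] == "process":
            if VSSADMIN_RE.search(e["cmdline"]):
                alerts.add(("T1490 shadow copy deletion via vssadmin",) + proc)
            if (e["image"].lower() == "rundll32.exe"
                    and e["parent"].lower() not in EXPECTED_RUNDLL32_PARENTS):
                alerts.add(("rundll32.exe spawned by unusual parent",) + proc)
        elif e["type"] == "file":
            if e["path"].lower().endswith(".lockbit"):
                alerts.add(("LockBit-style .lockbit extension written",) + proc)
            per_second[proc + (e["ts"],)] += 1
            if per_second[proc + (e["ts"],)] >= RENAME_BURST:
                alerts.add(("rapid file rename burst (possible encryption)",) + proc)
    return sorted(alerts)


if __name__ == "__main__":
    for rule, host, pid in detect(EVENTS):
        print(f"{host} pid={pid}: {rule}")
```

The rundll32.exe launched by svchost.exe on ws02 produces no alert, which is the point of the parent allowlist: the rule keys on the process relationship, not the binary name alone.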

Detection & Response

  • Behavioral Detection: Focus on detecting the behaviors of ransomware, not just signatures. EDR tools should be configured to alert on processes that rapidly read/write/rename large numbers of files, delete shadow copies, or disable security tools.
  • D3FEND: Process Analysis (D3-PA): Since the code is based on known families, existing behavioral rules in EDRs for detecting Conti and LockBit should be effective against DragonForce, provided they haven't significantly altered the core logic.
  • Threat Intelligence: Monitor threat intelligence feeds for new IOCs (hashes, C2 domains, wallet addresses) associated with DragonForce and its Ransombay platform as they become available.

Mitigation

Defenses against DragonForce are the same as for other top-tier ransomware groups:

  • Security Fundamentals: Implement robust patch management, enforce MFA on all external services, and maintain a principle of least privilege.
  • Immutable Backups: This is the single most important mitigation. Maintain tested, offline, and immutable backups to ensure you can recover without paying a ransom.
  • Network Segmentation: Prevent lateral movement by segmenting the network. This can contain an infection to a single segment and prevent a full-scale enterprise-wide encryption event.
  • User Training: Train users to spot and report phishing, a primary initial access vector for ransomware affiliates.

Timeline of Events

  • January 20, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Use modern EDR solutions with behavioral detection capabilities to identify ransomware activities, as signatures will be less effective against repurposed code.
  • Enforce MFA everywhere to protect against the common affiliate tactic of using stolen credentials for initial access.
  • Strictly control and monitor the use of domain admin and other privileged accounts to limit the blast radius of an attack.

D3FEND Defensive Countermeasures

Given that DragonForce is built on the DNA of Conti and LockBit, the most effective detection strategy is to focus on their known behaviors. Deploy an EDR solution and ensure it is tuned to detect the specific TTPs of these families. This includes creating high-priority alerts for: 1) Processes deleting volume shadow copies (vssadmin.exe delete shadows). 2) Attempts to stop or kill security products and database services. 3) Rapid file enumeration and encryption activity originating from a single process. Because DragonForce is a new variant, signature-based detection will fail, but behavioral analysis based on its well-understood predecessors will remain highly effective.

Deploy deception technology, including decoy systems and user accounts (honeytokens), throughout the network. Since ransomware affiliates must perform discovery and lateral movement, they are likely to interact with these decoys. A honeytoken domain admin account that is never used for legitimate purposes can be created; any authentication attempt with this account is a high-fidelity indicator of compromise. Similarly, decoy network shares filled with fake documents can be set up. Any access to these shares should trigger an immediate alert, providing early warning that an attacker is moving through the network, long before they deploy the DragonForce payload.
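The honeytoken logic described above is simple to implement in a SIEM or log pipeline: any authentication attempt against the decoy account (successful or failed) and any access to the decoy share is an alert, and the earliest hit per source host gives the early warning. The following is an added example written for this article, not the report's own tooling; the log lines are constructed, the key=value layout is an assumption rather than the native Windows event format, and the decoy account and share names are placeholders.

```python
import re

# Constructed Windows Security events (not real logs). The "EventID=... Account=..."
# key=value layout is an assumption of this example, not the native EVTX format.
# 4624 = successful logon, 4625 = failed logon, 5140 = network share accessed.
LOG_LINES = [
    "2026-01-20T03:10:05Z EventID=4624 Account=jdoe Source=10.0.5.23 Status=Success",
    "2026-01-20T03:11:40Z EventID=4625 Account=svc-dc-backup Source=10.0.5.23 Status=Failure",
    "2026-01-20T03:11:41Z EventID=4624 Account=svc-dc-backup Source=10.0.5.23 Status=Success",
    "2026-01-20T03:12:02Z EventID=5140 Account=jdoe Source=10.0.5.23 ShareName=\\\\*\\Finance_Archive",
    "2026-01-20T03:15:00Z EventID=5140 Account=jdoe Source=10.0.7.9 ShareName=\\\\*\\Public",
]

# Assumed honeytoken domain admin that is never used legitimately, and an assumed
# decoy share; event 5140 reports the share as \\*\<name>.
DECOY_ACCOUNTS = {"svc-dc-backup"}
DECOY_SHARES = {"\\\\*\\Finance_Archive"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split 'timestamp key=value ...' into a dict; keeps the timestamp under 'ts'."""
    ts, _, rest = line.partition(" ")
    ev = dict(FIELD_RE.findall(rest))
    ev["ts"] = ts
    return ev


def decoy_alerts(lines):
    """Earliest decoy interaction per source host: {source: (ts, reason)}.

    A failed logon (4625) as the honeytoken counts just as much as a successful
    one: nothing legitimate should ever try that account.
    """
    first = {}
    for ev in map(parse, lines):
        reason = None
        if ev["EventID"] in ("4624", "4625") and ev["Account"] in DECOY_ACCOUNTS:
            reason = f"auth attempt as honeytoken {ev['Account']} ({ev['Status']})"
        elif ev["EventID"] == "5140" and ev.get("ShareName") in DECOY_SHARES:
            reason = f"access to decoy share {ev['ShareName']} by {ev['Account']}"
        if reason and ev["Source"] not in first:
            first[ev["Source"]] = (ev["ts"], reason)
    return first


if __name__ == "__main__":
    for source, (ts, reason) in decoy_alerts(LOG_LINES).items():
        print(f"{ts} {source}: {reason}")
```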

Sources & References

  • Daily Ransomware Report, January 19, 2026. Purple Ops (purpleops.com), January 20, 2026.
  • Ingram Micro says ransomware attack affected 42,000 people (context on RaaS evolution). BleepingComputer (bleepingcomputer.com), January 19, 2026.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

ransomware, RaaS, DragonForce, Ransombay, LockBit, Conti, cybercrime
