Conti's Ghost: New 'DragonForce' Ransomware Adopts Cartel Model

DragonForce Ransomware Emerges, Using Leaked Conti Code and a 'Cartel-Style' Affiliate Model

HIGH
November 4, 2025
4 min read
Ransomware, Threat Actor, Malware

Related Entities

Threat Actors

DragonForce, Devman, Conti

Organizations

Acronis Threat Research Unit

Products & Tech

ChaCha20, RSA

Full Report

Executive Summary

The cybercrime landscape continues to evolve with the emergence of DragonForce, a new ransomware group built upon the leaked source code of the notorious Conti operation. Researchers from the Acronis Threat Research Unit have analyzed this new threat, highlighting its unique 'cartel-style' business model. Unlike a typical Ransomware-as-a-Service (RaaS) where affiliates use a centralized platform, DragonForce provides its partners with a malware builder. This allows affiliates to generate their own distinct, branded ransomware variants while leveraging the proven and potent Conti codebase. This model lowers the barrier to entry for sophisticated attacks and signals a dangerous trend of modularization in the ransomware ecosystem.

Threat Overview

DragonForce represents the dangerous second life of leaked source code from major threat groups. After the Conti leaks in 2022, its code became a valuable resource for other criminals. DragonForce has capitalized on this by creating a framework that empowers other, smaller groups. They actively recruit affiliates and equip them with the tools to launch their own campaigns.

This 'cartel' model means that instead of a single DragonForce ransomware, we may see numerous variants with different names and ransom notes, all stemming from the same core builder. One such group, identified as 'Devman,' has already been observed deploying ransomware created using the DragonForce platform. The DragonForce operators themselves are active, having issued public threats to leak victim data, indicating ongoing campaigns against unspecified targets.

Technical Analysis

At its core, the DragonForce ransomware is technically a derivative of Conti. Key characteristics include:

  • Encryption: It uses the same combination of ChaCha20 for file content encryption and RSA to protect the per-file keys, a fast hybrid scheme that leaves victims unable to recover files without the operator's private key.
  • Lateral Movement: The malware retains Conti's ability to spread across a network over the Server Message Block (SMB) protocol, enabling it to infect multiple systems from a single entry point. This corresponds to T1021.002 - SMB/Windows Admin Shares.
  • Impact: As with Conti, it performs T1486 - Data Encrypted for Impact and likely deletes shadow copies via T1490 - Inhibit System Recovery to hinder restoration efforts.
  • Metadata: Each encrypted file carries a metadata block that records the encryption mode and size, a technical fingerprint inherited from its predecessor.

Impact Assessment

The emergence of DragonForce and its cartel model has several significant implications for the threat landscape:

  1. Proliferation of Threats: By providing a builder, DragonForce makes it easier for less-skilled actors to launch sophisticated ransomware attacks, increasing the overall volume of threats.
  2. Attribution Challenges: The use of multiple branded variants by different affiliate groups will make it more difficult for researchers and law enforcement to track and attribute attacks to a single source operation.
  3. Lowered Barrier to Entry: This model effectively democratizes advanced ransomware, turning the Conti source code into a reusable and customizable weapon for a wider criminal audience.

Cyber Observables for Detection

Since DragonForce is based on Conti, defenders can hunt for Conti-like TTPs:

Type | Value | Description
command_line_pattern | net view or net use | Used for network reconnaissance to find shares for lateral movement.
network_traffic_pattern | High volume of SMB traffic (port 445) | Indicates attempts to spread across the network.
process_name | vssadmin.exe | Used with the Delete Shadows argument to inhibit system recovery.
file_name | readme.txt or similar | Common ransom note name used by Conti variants.

Detection & Response

Defending against Conti-derived threats requires a multi-layered approach.

  • Network Monitoring: Actively monitor for unusual SMB activity, especially widespread scanning on port 445 from a single host. This can be an early indicator of lateral movement attempts. D3FEND's Network Traffic Analysis is key.
  • EDR/XDR: Deploy an EDR solution capable of detecting Conti's known behaviors, such as the specific command-line arguments used to delete shadow copies, disable security tools, and enumerate network shares.
  • Deception Technology: Use honeypots and honeytokens (decoy files and accounts) to detect reconnaissance and lateral movement. An alert on an unused 'admin' account or a fake network share provides a high-fidelity signal of an intrusion.
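As an added example (not code from the Acronis report or the article), the following Python hunt applies the observables above to constructed telemetry: command lines for net view/net use and vssadmin Delete Shadows, and SMB (port 445) fan-out from a single host, then correlates the two per host. The event field names, hostnames, IP addresses and the fan-out threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry); field names are assumptions.
PROCESS_EVENTS = [
    {"host": "ws-07", "cmdline": r"net view \\fileserver01"},
    {"host": "ws-07", "cmdline": r"net use Z: \\fileserver01\share"},
    {"host": "ws-07", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws-12", "cmdline": "vssadmin.exe List Shadows"},
    {"host": "ws-12", "cmdline": "net user"},
]

# Constructed flow records (src_host, dst_ip, dst_port): ws-07 touches 30 hosts on 445.
FLOWS = [("ws-07", f"10.0.1.{i}", 445) for i in range(10, 40)]
FLOWS += [("ws-12", "10.0.1.10", 445), ("ws-12", "10.0.2.5", 443)]

# Command-line observables from the table above, mapped to ATT&CK technique IDs.
COMMAND_RULES = [
    ("T1021.002", re.compile(r"\bnet(?:\.exe)?\s+(?:view|use)\b", re.I)),
    ("T1490", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
]

def match_commands(events):
    """Return (host, technique, cmdline) for every event matching a rule."""
    hits = []
    for ev in events:
        for technique, pattern in COMMAND_RULES:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], technique, ev["cmdline"]))
    return hits

def smb_fanout(flows, threshold):
    """Sources that reached at least `threshold` distinct hosts on port 445."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        if port == 445:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}

def triage(events, flows, threshold=20):
    """Hosts showing both a command-line hit and SMB fan-out (highest confidence)."""
    techniques = defaultdict(set)
    for host, technique, _ in match_commands(events):
        techniques[host].add(technique)
    fanout = smb_fanout(flows, threshold)
    return {h: sorted(t) for h, t in techniques.items() if h in fanout}

if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout(FLOWS, 20))
    print("triage:", triage(PROCESS_EVENTS, FLOWS))
```

Note that `net user` and `vssadmin List Shadows` on ws-12 are deliberately left unmatched: the word boundaries in the rules keep routine administration from tripping the hunt.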

Mitigation

  • Network Segmentation: Implement robust network segmentation to limit the blast radius of a ransomware attack. If an attacker compromises one segment, they should not be able to easily spread to critical servers in another. This is a core principle of D3FEND's Network Isolation.
  • Patch Management: Keep all systems, especially those with SMB services, fully patched to prevent exploitation of known vulnerabilities for lateral movement.
  • Immutable Backups: Maintain offline and immutable backups of critical data. Follow the 3-2-1 rule (three copies, on two different media, with one offsite) and regularly test your restoration process. This is the ultimate defense against data encryption.

Timeline of Events

  1. September 2, 2025: DragonForce operators issued threats to leak data.
  2. September 22, 2025: DragonForce operators issued a second round of threats.
  3. November 4, 2025: This article was published.

MITRE ATT&CK Mitigations

Segmenting the network can contain the spread of ransomware that uses SMB for lateral movement.

Modern EDR/antivirus solutions can detect and block known Conti behaviors and signatures.

Hardening OS configurations, such as disabling SMBv1 and restricting administrative shares, can reduce the attack surface.

D3FEND Defensive Countermeasures

The ultimate safeguard against ransomware like DragonForce is a robust and tested backup strategy. Organizations must implement the 3-2-1 backup rule: maintain at least three copies of data, on two different types of media, with one copy stored offline and immutable (air-gapped or on write-once media). Since DragonForce, like Conti, actively attempts to delete shadow copies and other local backups, having an off-site, disconnected copy is non-negotiable. Regular, automated testing of the restoration process is equally critical to ensure that backups are viable and that recovery time objectives (RTOs) can be met in a real incident.

To counter the SMB-based lateral movement used by DragonForce and Conti, strong network segmentation is essential. Critical assets, such as domain controllers, databases, and backup servers, should be placed in highly restricted network segments. Firewall rules should be configured with a default-deny policy, only allowing traffic on specific ports and protocols that are absolutely necessary for business functions. East-west traffic between server VLANs should be heavily scrutinized and monitored. This 'zero-trust' approach to internal networking can contain a ransomware infection to a single segment, preventing it from spreading throughout the entire enterprise and significantly reducing the overall impact of an attack.

Sources & References

DragonForce Cartel Emerges as Conti-Derived Ransomware Threat. Infosecurity Magazine (infosecurity-magazine.com), November 4, 2025.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

DragonForce, Conti, ransomware, cartel, RaaS, malware, source code leak
