Threat Actor Profile: DragonForce Ransomware Group

The DragonForce ransomware group has quickly drawn attention in the cybercrime world due to their aggressive tactics and impact. Originating from Malaysia, DragonForce has become notorious for carrying out politically motivated attacks, particularly targeting government institutions, commercial enterprises, and websites aligned with certain geopolitical causes. Their motivations and methods, coupled with their adaptive nature, make them a formidable force in the world of cybercrime.

The group first gained recognition among other ransomware groups in late 2023. While their motives are primarily political, their attacks span a wide range of industries and geographical regions. DragonForce is often associated with pro-Palestinian sentiments, using cyberattacks as a tool to advance its cause. The group has claimed responsibility for a variety of defacement attacks, distributed denial-of-service (DDoS) assaults, and data leaks, particularly targeting entities in Israel and India.

Their operations reflect a commitment to not only causing disruption but also making political statements through digital means. This combination of activism and cybercrime places DragonForce in the unique category of hacktivists, where political motivations drive its attacks as much as, if not more than, financial gain.

Country of Origin

DragonForce is a Malaysia-based ransomware group.

Targeted Industries and Geographical Scope

[Figure 1: Targeted Countries and Origin (Source: Cyble Vision)]

DragonForce has demonstrated a wide-ranging appetite for targets across various sectors. Its primary targets include industries that handle sensitive information, critical infrastructure, and large-scale systems. Below is an overview of industries that have fallen victim to its attacks:

  • Aerospace & Defense
  • Agriculture & Livestock
  • Automotive
  • Banking, Financial Services, and Insurance (BFSI)
  • Chemicals
  • Construction
  • Consumer Goods
  • Education
  • Energy & Utilities
  • Food & Beverages
  • Government & Law Enforcement Agencies (LEA)
  • Healthcare
  • Hospitality
  • IT & IT-enabled Services (ITES)
  • Manufacturing
  • Media & Entertainment
  • Metals, Minerals & Mining
  • Pharmaceuticals & Biotechnology
  • Professional Services
  • Real Estate
  • Retail
  • Technology
  • Telecommunications
  • Transportation & Logistics

The group’s global reach is equally notable. Beyond targeting local entities in Malaysia, they have engaged in cyberattacks on government institutions and corporations across multiple countries, including Israel, India, and various others worldwide. The group often targets organizations tied to political or economic interests it opposes, which further marks its motivations as closer to cyberwarfare than to traditional cybercrime.

Tactics, Techniques, and Procedures (TTPs)

DragonForce’s attack methods and techniques are diverse, utilizing a range of sophisticated tactics to gain access to its targets and achieve its objectives. Below is an exploration of its primary tactics, as well as its techniques.

Malicious File

One of DragonForce’s most used methods for gaining access to its targets is the delivery of malicious files. These files are often disguised as legitimate attachments, and they rely heavily on social engineering tactics to entice victims into executing them. Once the file is opened, the malware inside can execute its payload, often leading to an immediate compromise of the system. The types of files used in these attacks can include:

  • Documents (.doc, .pdf, .xls)
  • Scripts (.exe, .scr, .lnk)
  • Compressed files (.zip, .rar)

The group’s ability to mask malicious files as benign documents or media increases the likelihood of success, making them a common entry vector in DragonForce’s operations.
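As an added example (not code from the original profile, from Cyble, or from the group itself), the following Python screens an incoming attachment the way a mail gateway policy might, using the file types named above: it flags executable and script extensions, document-looking double extensions such as `report.pdf.scr`, and, for zip archives, members that are themselves risky or password-protected. The extension lists, the sample filenames and the in-memory archive are constructed assumptions; a real deployment would feed it the gateway's own attachment stream.

```python
"""Attachment screening for the disguised-file lures described above.
Example code added to this profile; extension lists and samples are assumptions."""
import io
import zipfile
from dataclasses import dataclass, field

# Extensions the profile lists as executable/script lures (assumed watchlist).
EXECUTABLE_EXTS = {"exe", "scr", "lnk", "pif", "cpl"}
# Document extensions typically used as the visible "benign" part of a name.
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf"}
ARCHIVE_EXTS = {"zip"}  # .rar needs a third-party parser; zip is enough to show the idea


@dataclass
class Verdict:
    filename: str
    reasons: list = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.reasons)


def screen_name(filename: str) -> list:
    """Return the reasons a bare filename looks like a disguised executable."""
    reasons = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable/script extension .{ext}")
        # 'invoice.pdf.exe': a document extension placed before the real one
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension .{parts[-2]}.{ext}")
    return reasons


def screen_attachment(filename: str, data: bytes) -> Verdict:
    """Screen a filename plus its bytes. Zip archives are opened and each
    member name is screened; encrypted members are flagged because a
    password-protected archive defeats gateway content inspection."""
    v = Verdict(filename, screen_name(filename))
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext in ARCHIVE_EXTS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted member
                        v.reasons.append(f"password-protected member {info.filename}")
                    for r in screen_name(info.filename):
                        v.reasons.append(f"{info.filename}: {r}")
        except zipfile.BadZipFile:
            v.reasons.append("archive extension but not a valid zip")
    return v


def build_sample_zip(members: dict) -> bytes:
    """Constructed sample archive for the demo; not a real DragonForce artefact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments (contents are placeholders).
    samples = {
        "quarterly_report.pdf": b"%PDF-1.4 placeholder",
        "quarterly_report.pdf.scr": b"MZ placeholder",
        "shipment.zip": build_sample_zip({"docs/manifest.xlsx": b"placeholder",
                                          "docs/open_me.lnk": b"L\x00\x00\x00"}),
        "broken.zip": b"not really a zip",
    }
    for name, data in samples.items():
        verdict = screen_attachment(name, data)
        print(name, "-> RISKY" if verdict.risky else "-> ok", verdict.reasons)
```

The name check is deliberately independent of the byte check so it can also run over archive member names, where only the name is cheap to inspect; true file-type identification (magic bytes) would be the next layer on top of this.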

File Deletion and Tool Modification

In the world of cyberattacks, maintaining a low profile is crucial, and the DragonForce ransomware group has perfected the art of evasion. To cover their tracks and minimize their footprint, they employ tactics like file deletion, ensuring that any files left behind by their intrusion are removed from the system. This helps them avoid detection by security professionals and extends the duration of the attack.

Common methods include using command-line tools such as “del” on Windows or “rm” on Linux/macOS. Another key technique used to evade detection involves disabling or modifying security tools on compromised systems. This could involve disabling antivirus software, tampering with registry entries, or manipulating security settings to prevent detection and analysis.

File and Directory Discovery

After establishing access to a target system, DragonForce proceeds with an exploration phase. During this phase, they enumerate files and directories across the system to identify valuable data and potential targets. Using command-line utilities such as “dir,” “ls,” or “find,” the attackers scan for files of interest that may hold sensitive or valuable data. This process is critical for identifying assets that can be exfiltrated or encrypted during the later stages of the attack.
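The two behaviours described in the preceding sections, removal of intrusion files and tampering with security tools, and enumeration of files and directories, are most useful to a defender when they are correlated on the same host. The following Python is an added example (not Cyble's tooling and not anything attributed to the group) that runs simple detection logic over constructed process-creation log lines: it labels each command line as file deletion, discovery, or security-tool tampering, then rates a host "high" when tampering appears alongside either of the others inside a short window. The log line format, the protected service and registry names, and the 10-minute window are assumptions that an organisation would replace with its own telemetry and watchlists.

```python
"""Correlating file-deletion, tool-tampering and discovery commands per host.
Example code added to this profile; log format, watchlists and window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Assumed watchlists: an organisation fills these with its own EDR/AV names.
PROTECTED_SERVICES = {"av-service", "edr-sensor"}
PROTECTED_REG_PREFIXES = (r"hklm\software\exampleav",)

# Assumed log format: "<ISO ts> host=<h> user=<u> image=<exe> cmd="<command line>""
LINE_RE = re.compile(r'^(\S+) host=(\S+) user=(\S+) image=(\S+) cmd="(.*)"$')

DELETE_CMDS = {"del", "erase", "rm", "remove-item"}
DISCOVERY_CMDS = {"dir", "tree", "ls", "find", "get-childitem", "gci"}


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, host, user, image, cmd = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "image": image, "cmd": cmd}


def classify(cmd: str) -> Optional[str]:
    """Map one command line to a tactic label, or None if not of interest."""
    tok = cmd.split()
    if not tok:
        return None
    head = tok[0].lower()
    if head in DELETE_CMDS:
        return "file_deletion"
    if head in DISCOVERY_CMDS:
        return "discovery"
    # Stopping a protected security service
    if head in {"sc", "sc.exe"} and len(tok) >= 3 and tok[1].lower() == "stop" \
            and tok[2].lower() in PROTECTED_SERVICES:
        return "tool_tamper"
    if head == "stop-service" and len(tok) >= 2 and tok[1].lower() in PROTECTED_SERVICES:
        return "tool_tamper"
    # Writing to or deleting from a protected security product's registry key
    if head in {"reg", "reg.exe"} and len(tok) >= 3 and tok[1].lower() in {"add", "delete"} \
            and tok[2].lower().startswith(PROTECTED_REG_PREFIXES):
        return "tool_tamper"
    return None


def correlate(lines, window=timedelta(minutes=10)) -> dict:
    """Per host: the tactics observed and a severity. Tool tampering combined
    with deletion or discovery inside the window is rated 'high'; tampering
    alone 'medium'; deletion or discovery alone 'low' (routine admin work)."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        tactic = classify(ev["cmd"])
        if tactic:
            hits[ev["host"]].append((ev["ts"], tactic))
    report = {}
    for host, evs in hits.items():
        evs.sort()
        tactics = {t for _, t in evs}
        span = evs[-1][0] - evs[0][0]
        if "tool_tamper" in tactics and len(tactics) >= 2 and span <= window:
            sev = "high"
        elif "tool_tamper" in tactics:
            sev = "medium"
        else:
            sev = "low"
        report[host] = {"tactics": sorted(tactics), "severity": sev}
    return report


# Constructed sample telemetry; not real DragonForce activity.
SAMPLE_LOG = [
    r'2025-01-14T09:02:11Z host=WS-042 user=jdoe image=cmd.exe cmd="dir /s /b C:\Users\jdoe\Documents"',
    r'2025-01-14T09:02:40Z host=WS-042 user=jdoe image=cmd.exe cmd="sc stop av-service"',
    r'2025-01-14T09:03:05Z host=WS-042 user=jdoe image=reg.exe cmd="reg add HKLM\SOFTWARE\ExampleAV\Settings /v Enabled /t REG_DWORD /d 0 /f"',
    r'2025-01-14T09:05:30Z host=WS-042 user=jdoe image=cmd.exe cmd="del /q /f C:\Users\jdoe\AppData\Local\Temp\stage.exe"',
    r'2025-01-14T09:07:00Z host=SRV-01 user=svc_backup image=cmd.exe cmd="del /q C:\Backups\old\*.bak"',
    r'2025-01-14T09:08:12Z host=SRV-01 user=svc_backup image=cmd.exe cmd="echo rotation done"',
]

if __name__ == "__main__":
    for host, r in correlate(SAMPLE_LOG).items():
        print(host, r["severity"], r["tactics"])
```

In the sample, WS-042 shows discovery, a service stop and a registry write against the assumed security product, then deletion of a staged file within a few minutes, so it is rated high; SRV-01 only deletes old backups and stays at low. Rating deletion alone as low is deliberate: `del` and `rm` are far too common to alert on by themselves, which is why the page's point that the group pairs them with tool tampering is what gives the rule its value.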

Data Encryption for Impact

One of the most damaging outcomes of a DragonForce attack is data encryption. Similar to traditional ransomware groups, DragonForce is known to encrypt data on compromised systems, rendering it inaccessible to victims. This can result in operational disruption, especially for organizations that rely on their data for daily functions. In some cases, the group demands ransom payments in exchange for decryption keys, but more often, the encryption is used to disrupt operations rather than for financial gain.

Data Leaks

DragonForce’s attacks often go beyond encryption. The group has been known to exfiltrate sensitive data before locking victims out of their systems. The stolen data is then publicly leaked, typically on forums or websites that cater to the hacking community. The release of this data serves two purposes: it increases the pressure on the targeted organization to comply with the group’s demands, and it furthers its political agenda by embarrassing its targets.

Recent Attacks and Publicity

As of January 2025, DragonForce remains an active ransomware group, with its operations capturing global attention due to its involvement in numerous high-profile cyberattacks.

One of their most notorious incidents occurred on Christmas Eve 2023, when they claimed responsibility for a cyberattack that exposed personal data of over 500,000 individuals.

Another attack involved a credential-stuffing incident affecting approximately 567,000 users, which was mitigated through password resets and the enforcement of two-factor authentication.

In 2024, DragonForce targeted a public transportation service, exfiltrating hundreds of gigabytes of passenger data and threatening to release it, highlighting the risks posed to both public services and personal information.

The group’s reach extends beyond these instances, with various international corporations also falling victim to their cyberattacks, resulting in several data leaks and disruptions across multiple sectors worldwide.

Conclusion

The DragonForce ransomware group is a highly organized and politically motivated collective, with a growing reputation for its disruptive tactics and international reach. From government institutions to global corporations, their attack methods are diverse and unpredictable. As organizations face increasing risks from such groups, leveraging cutting-edge cybersecurity platforms like those offered by Cyble, which provides advanced AI-driven threat intelligence, is crucial for protecting against these cyber adversaries. Cyble’s innovative solutions, such as real-time intelligence, proactive threat detection, and comprehensive vulnerability management, empower businesses to safeguard against attacks like those orchestrated by groups such as DragonForce.

Mitigation and Defense Strategies

Organizations that fall victim to DragonForce’s attacks can take several steps to strengthen their defenses against similar future incidents:

  1. Enhanced Email Security and Awareness: Since DragonForce often relies on phishing emails to deliver malicious files, companies should invest in better email security solutions and employee training to recognize and report phishing attempts.
  2. Regular Patch Management: DragonForce’s success often hinges on exploiting unpatched vulnerabilities. Keeping systems updated with the latest security patches is crucial for defending against known exploits.
  3. Multi-Factor Authentication (MFA): Enforcing MFA for all user accounts, especially those with administrative privileges, can prevent attackers from gaining full access to systems.
  4. Data Encryption and Backup: Encrypting sensitive data and maintaining regular, offline backups can mitigate the impact of a ransomware attack and reduce the likelihood of a successful extortion attempt.
  5. Network Segmentation and Monitoring: Implementing network segmentation and continuous monitoring can limit the ability of attackers to move laterally within an organization and help detect anomalies early.

Implementing these strategies is crucial, but staying ahead of emerging threats requires real-time intelligence. Cyble Vision provides actionable threat insights to help organizations proactively defend against ransomware groups like DragonForce. To see Cyble in action, request a free demo today!

MITRE Attack Techniques Associated with the DragonForce Ransomware Group

[Figure 2: MITRE ATT&CK (Source: Cyble Vision)]

  • Execution (TA0002): Ransomware groups such as DragonForce use social engineering to get users to open malicious files, such as .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl, which may be disguised with familiar naming conventions or password protection to trigger execution.
  • Defense Evasion (TA0005): Adversaries delete files created during an intrusion to cover their tracks and minimize their footprint, often using built-in tools like del on Windows or rm on Linux/macOS.
  • Defense Evasion (TA0005): Hackers disable or modify security tools to avoid detection, such as killing processes, altering registry keys, or disabling security software updates and cloud monitoring agents.
  • Discovery (TA0007): Cybercriminals use tools like dir, tree, ls, find, or custom scripts to enumerate files and directories on the target system or network to gather information for follow-up actions.
  • Impact (TA0040): Adversaries encrypt data to disrupt access to system resources, demanding a ransom for decryption or rendering data permanently inaccessible while potentially propagating malware across the network.
