Modified LockBit and Conti ransomware shows up in DragonForce gang’s attacks

Avatar

The cybercriminal group known as DragonForce has been attacking the manufacturing, real estate and transportation industries worldwide using modified versions of two notorious ransomware variants, researchers said Wednesday.

The gang’s toolset includes malware based on a leaked LockBit ransomware, as well as a customized Conti variant with advanced features.

The deployment of these malicious tools is “unsurprising,” as modern ransomware operators “are increasingly reusing and modifying builders from well-known ransomware families that were leaked to tailor them to their needs,” said researchers at Singapore-based cybersecurity firm Group-IB. Conti, Babuk and LockBit are among the common families that have been modified.

Over the past year, Group-IB observed DragonForce targeting 82 victims, mostly in the U.S., followed by the U.K. and Australia.

DragonForce works as ransomware-as-a-service and carefully selects its affiliates, preferring experienced cybercriminals who focus on high-value targets, according to the group’s post on the dark web. DragonForce affiliates receive 80% of the ransom. The group allows them to customize its tools for specific attacks, including setting encryption parameters and personalizing ransom notes.

The operators of DragonForce use a double extortion technique, exfiltrating a victim’s sensitive data and threatening to leak it, in addition to encrypting the data on the organization’s servers. . They then demand ransom payments in return for a decryptor and the “promise” that the stolen data will not be released.

This approach adds “significant pressure” on victims to comply with the attackers’ demands, as there could be potential damage to their reputation, privacy, or business continuity if their data is made public, Group-IB said.

In addition to the leaked LockBit 3.0 and Conti builders, DragonForce also uses other tools in its attacks, including the SystemBC backdoor for persistence, Mimikatz and Cobalt Strike for credential harvesting, and Cobalt Strike also for lateral movement.

Researchers called DragonForce a “formidable adversary” because it targets key industries and employs advanced tools and tactics. The group’s previous attacks include those on probiotic milk drink manufacturer Yakult Australia, the Ohio Lottery, and the government of Palau.

Group-IB did not attribute the attacks to any specific country or individuals. Previously, researchers hinted that the group could be based in Malaysia.

MalwareNewsNews BriefsIndustryCybercrime
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 

Total
0
Shares
Previous Post

Cybercriminals target transportation companies in North America with info-stealing malware

Next Post

G7 cyber group warns financial sector to prep for quantum computing risks

Related Posts

New Phishing Tool GoIssue Targets GitHub Developers in Bulk Email Campaigns

Cybersecurity researchers are calling attention to a new sophisticated tool called GoIssue that can be used to send phishing messages at scale targeting GitHub users. The program, first marketed by a threat actor named cyberdluffy (aka Cyber D' Luffy) on the Runion forum earlier this August, is advertised as a tool that allows criminal actors to extract email addresses from public GitHub
Avatar
Read More