DragonForce Ransomware

Description

DragonForce is a Ransomware-as-a-Service (RaaS) cartel that emerged in late 2023, known for recruiting affiliate hackers and other RaaS groups to deploy its ransomware under a white-label model. The group has been linked to high-profile attacks, often exploiting known vulnerabilities (such as CVE-2021-44228, CVE-2023-46805, and others) and using tooling such as BYOVD techniques, SimpleHelp, and SystemBC malware. U.S. government advisories highlight DragonForce’s collaboration with the Scattered Spider group, targeting critical infrastructure and leveraging double-extortion tactics. DragonForce is also suspected of having connections to, or collaborating with, Conti.

Common Vulnerabilities and Exposures

Targeted Industries

  • Construction
  • Critical Infrastructure
  • Healthcare
  • IT
  • Law Firms
  • Manufacturing
  • Professional Services
  • Retail
  • Utility Billing Software Providers

Objectives

Financial Gain, Hacktivism

Known Tools Used

  • AdFind (for discovery)
  • BYOVD (Bring Your Own Vulnerable Driver)
  • Conti ransomware variants
  • LockBit ransomware variants
  • Malicious websites
  • Phishing emails
  • schtasks.exe (for persistence)
  • SimpleHelp (RMM tool exploitation)
  • Signed drivers (for kernel-level privileges)
  • SystemBC malware
  • wmic.exe (for shadow copy deletion)

Known Infection Vectors

  • Exploiting Vulnerabilities
  • Lateral Movement
  • Malvertising
  • Phishing Emails
  • RDP Brute-Force
  • Supply Chain Attacks

References

CISA and Partners Release Updated Advisory on Scattered Spider Group
https://www.cisa.gov/news-events/alerts/2025/07/29/cisa-and-partners-release-updated-advisory-scattered-spider-group

Scattered Spider Cybersecurity Advisory (AA23-320A)
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

IC3 Product ID: AA23-320A July 29, 2025 Scattered Spider (PDF)
https://www.ic3.gov/CSA/2025/250729.pdf

Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-163a

Active CVEs