Author(s): Vlad Pasca
- DragonForce ransomware deploys payloads derived from leaked LockBit3.0 and Conti source code
- DragonForce logs all its activity in an encrypted log file stored in the Public directory
- The new ransomware employs the "stack strings" obfuscation technique to hide information
- The encryption percentage of a file is determined by both file size and whether the extension is included in the ransomware's targeted list
- DragonForce ransomware uses the ChaCha8 algorithm, with the encryption key and nonce protected by the public RSA key
DragonForce ransomware has been assessed as a sophisticated threat that tactically deploys payloads derived from leaked source code of both the notorious LockBit 3.0 and Conti ransomware families. While the samples share some similar core functionality, DragonForce distinguishes itself in several unique ways.
Hybrid Analysis research reveals that DragonForce employs the "stack strings" obfuscation technique to hide sensitive information from security tools and analysts, making detection and analysis efforts difficult. When targeting systems, it also implements a selective encryption strategy where the encryption percentage of a file varies based on both file size and whether the file extension appears on its predetermined target list.
The DragonForce sample analyzed by Hybrid Analysis uses the ChaCha8 algorithm for file encryption while protecting the encryption keys and nonce values with RSA encryption to prevent recovery. This combination of proven encryption methods with obfuscation and targeting strategies makes DragonForce a concerning evolution in the ransomware landscape.
The following analysis provides a comprehensive view of DragonForce ransomware's capabilities through both behavioral observations using Hybrid Analysis and in-depth technical analysis of a publicly available sample.
A Hybrid Analysis Perspective
A quick glance at the Hybrid Analysis report reveals the malware has the ability to import cryptographic keys (for example, public RSA keys), which is a telltale sign of ransomware behavior:
Figure 1 - CryptImportKey API is used
Using Yara rules, the sandbox environment detected that DragonForce implements the ChaCha encryption algorithm, as shown in the following output:
Figure 2 - ChaCha algorithm identified
As shown in Figure 3, the DragonForce ransomware leverages the NetShareEnum API to discover and target network shares for encryption.
Figure 3 - Network shares could be encrypted by the ransomware
In the same Hybrid Analysis report, we notice the malware’s use of FindFirstFileW and FindNextFileW functions. This strongly suggests file enumeration behavior typical of ransomware preparing to encrypt all accessible drives:
Figure 4 - The presence of both APIs indicates file enumeration
A Deeper Dive Into DragonForce
Defense Evasion
The DragonForce ransomware binary employs “stack strings” obfuscation, a technique where encrypted strings are stored on the stack and only decrypted to an array allocated at runtime. This approach helps to evade static analysis and signature-based detection.
Figure 5 - Stack strings are decrypted using multiple operations
Figure 6 - Plaintext string after decryption
As shown in Figure 7, DragonForce maps multiple DLLs into the address space of the current process using the CreateFileMappingW and MapViewOfFile APIs. The following DLLs were mapped: kernel32.dll, ws2_32.dll, advapi32.dll, RstrtMgr.dll, ole32.dll, netapi32.dll, IPHLPAPI.dll, shlwapi.dll, shell32.dll, and ntdll.dll. The malware uses the content of those fresh-mapped DLLs as a bypass technique, in order to replace the hooks placed from security vendors in the above DLLs.
Figure 7 - Mapping DLLs
The malware verifies if one of the DLLs listed above contains hooks in one of its functions; if so, it modifies the protection of the function code to 0x40 (PAGE_EXECUTE_READWRITE) and writes the unhooked code from the fresh-mapped DLLs (so not hooked). It then restores the old memory protection, as highlighted below:
Figure 8 - Remove the installed hooks
The ransomware decrypts a predefined list of folders and file extensions that will be excluded from encryption. This selective targeting is intentional, as the malware deliberately avoids encrypting critical system files to ensure the compromised machine remains operational:
- Excluded folders: "tmp, winnt, temp, thumb, $Recycle.Bin, $RECYCLE.BIN, System Volume Information, Boot, Windows, perflogs, Public"
- Excluded files extensions: “.exe, .dll, .lnk, .sys, .msi, .bat”
The ransomware terminates specific processes to prevent file-locking conflicts that would interfere with its encryption routine. The full list of processes can be found in the Appendix.
Figure 9 - Processes to kill
DragonForce extracts the command-line parameters and compares them with the following list: “-p”, “-m”, “-log”, “-size”, and “-nomutex”. The list is the same as the one used by the Conti ransomware, which may suggest that DragonForce could be developed using Conti’s leaked source code.
Figure 10 - Command-line parameters are compared with a list
DragonForce maintains operational logs by writing encrypted activity records to a file named “log.log” stored in the Public directory. This encrypted logging mechanism helps conceal the ransomware's actions while providing detailed execution information.
The malware uses OpenProcessToken to open the access token associated with the current process (0x8 = TOKEN_QUERY):
Figure 11 - OpenProcessToken API call
Afterward, the malicious process retrieves the username from the above token using the GetTokenInformation and LookupAccountSidW methods:
Figure 12 - Username retrieval
It then proceeds to create two new threads that will handle the killing of the targeted processes:
Figure 13 - New threads are created to stop the targeted processes
To ensure that only one copy is running at a single time (Figure 14), DragonFore creates a mutex called “hsfjuukjzloqu28oajh727190”.
Figure 14 - Named mutex is created
To speed up the file system encryption operations, the executable creates multiple threads, equal to the number of processors (obtained via a function call to GetNativeSystemInfo) times two:
Figure 15 - Encryption threads
The sample searches for the “explorer.exe” process through the running processes using Process32FirstW and Process32NextW, as highlighted below.
Figure 16 - Ransomware is looking for the “explorer.exe” process
All of the above reveal that DragonForce employs anti-analysis methods including stack strings obfuscation, as well as selective targeting approach, multi-threaded encryption and command-line parameterization similar to Conti ransomware.
Volume Shadow Copies Deletion
When it comes to deleting Volume Shadow copies to prevent data recovery, DragonForce leverages COM: it creates an IWbemClassObject object, and then an IWbemContext interface using the CoCreateInstance function.
Figure 17 - CoCreateInstance API calls
Figure 18 - CLSIDs for IWbemClassObject and IWbemContext
It uses WMI’s query “SELECT * FROM Win32_ShadowCopy" to extract the shadow copies and deletes them using the Delete method:
Figure 19 - Retrieve the Windows Shadow Copies
The malware retrieves all valid drives on the system that will be transmitted to the encryption threads (see Figure 20).
Figure 20 - GetLogicalDriveStringsW API call
The malware uses the ZwQuerySystemInformation function to obtain an array of SYSTEM_PROCESS_INFORMATION structures, representing the running processes (0x5 = SystemProcessInformation):
Figure 21 - Retrieve an array of structures for all running processes
The targeted processes are killed using the TerminateProcess API, as shown in Figure 22.
Figure 22 - Malware stops a list of processes
Encryption of Files
When it comes to file encryption, DragonForce also demonstrates operational capabilities and versatility through its command-line parameters, enabling its operators to control the ransomware’s behavior during deployment. This parameterization enables targeted attacks and strategic execution – ranging from encrypting specific folders rather than entire systems (“-p”) to operational security features – to avoid detection of specific mutex names associated with the ransomware (“-nomutex”). The entire process is detailed below.
Figure 23 - Public RSA key is imported
It creates the ransom note called “readme.txt” in every traversed directory:
Figure 24 - Ransom note
The binary embedded a ChaCha8 key (32 bytes) and nonce (8 bytes) that are used to decrypt the ransom note content. These values are shown below:
Figure 25 - ChaCha8 key and nonce are embedded in the malware
The implementation of the ChaCha8 algorithm is presented in Figure 26.
Figure 26 - ChaCha8 algorithm
The malware generates 32 random bytes and then 8 random bytes representing the ChaCha8 key and nonce, respectively. Every file will be encrypted with a different key and nonce.
Figure 27 - Random key and nonce are generated
The public RSA key is used to encrypt the key and nonce, along with the filename. The encrypted data will be stored in the encrypted file.
Figure 28 - The key, nonce, and filename are encrypted using RSA
It’s not very common, but the initial filename is modified as well (Figure 29). The extension of the encrypted files is changed to “dragonforce_encrypted”.
Figure 29 - Initial filename is changed
The full list of targeted extensions is presented in the Appendix.
DragonForce creates a registry key called “.dragonforce_encrypted” under HKEY_CLASSES_ROOT using RegCreateKeyExW:
Figure 30 - Create a registry key corresponding to the ransomware’s extension
An .ico file called “icon.ico” is created in the Public directory. This file is set in the DefaultIcon sub-registry key:
Figure 31 - Encrypted files have a custom icon
Depending on the file size and if the file’s extension belongs to the targeted list, the following cases could occur:
- File size < 3MB: the entire file is encrypted and 0x24 is added to the encrypted file’s footer
- File size > 3MB and the extension doesn’t appear in the target list: only the first 3MB are encrypted (0x26 in the footer). In the case of targeted extensions, the entire file is encrypted
- Large .iso files are encrypted alternatively: approximately 21% of the file is encrypted with 3 chunks of file size/100*7 bytes. 0x25 is added to the footer
Running with the “-p” parameter
In this case, only the folder passed as a parameter is encrypted by the ransomware.
Running with the “-m” parameter
The following sub-cases exist:
- “-m all”
- “-m local”
- “-m net”
- “-m backups”
Network shares can be targeted using the “all” or “net” parameter (see Figure 32). If “local” is specified, then only the local drives are encrypted.
Figure 32 - Targeting available network shares
Running with the “-log” parameter
The log file passed as a parameter is created, however, it remains empty and the “log.log” file is still populated as before.
Running with the “-nomutex” parameter
In this case, the process doesn’t create the named mutex previously mentioned.
Through the Eyes of Hybrid Analysis
Even a cursory glance at the Hybrid Analysis report offers analysts and researchers a wide range of telltale signs which reveal that the DragonForce sample exhibits ransomware behavior. For example, it highlights that DragonForce implements ChaCha symmetric encryption, reveals that it targets local drives and network shares, and demonstrates its ability to stop targeted processes. The additional in-depth research is meant to peek behind the behavior-based evidence and dive into the inner workings of the DragonForce ransomware to reveal what makes it interesting and understand how defenders can build better defense strategies.
Hybrid Analysis is a powerful platform for identifying and analyzing malware, whether mundane or highly sophisticated. It provides detailed context and information that can be investigated further during the dynamic analysis of the malware. For performing a more in-depth analysis of malware samples, you can download them by registering with a Hybrid Analysis account and becoming a vetted user.
Indicators of Compromise
SHA256
File created
C:\Users\Public\log.log
C:\Users\Public\wallpaper_white.png
C:\Users\Public\icon.ico
readme.txt
Registry key
HKCR\.dragonforce_encrypted
Mutex
hsfjuukjzloqu28oajh727190
Appendix
Targeted processes
MsMpEng.exe,sql.exe,oracle.exe,ocssd.exe,dbsnmp.exe,synctime.exe,agntsvc.exe,isqlplussvc.exe,xfssvccon.exe,mydesktopservice.exe,ocautoupds.exe,encsvc.exe,firefox.exe,tbirdconfig.exe,mydesktopqos.exe,ocomm.exe,dbeng50.exe,sqbcoreservice.exe,excel.exe,infopath.exe,msaccess.exe,mspub.exe,onenote.exe,outlook.exe,powerpnt.exe,steam.exe,thebat.exe,thunderbird.exe,visio.exe,winword.exe,wordpad.exe,notepad.exe,calc.exe,wuauclt.exe,onedrive.exe,SQLAGENT.exe,sqlservr.exe,SQLWriter.exe
Targeted extensions
4dd,4dl,accdb,accdc,accde,accdr,accdt,accft,adb,ade,adf,adp,arc,ora,alf,ask,btr,bdf,cat,cdb,ckp,cma,cpd,dacpac,dad,dadiagrams,daschema,db,db-shm,db-wal,db3,dbc,dbf,dbs,dbt,dbv,dbx,dcb,dct,dcx,ddl,dlis,dp1,dqy,dsk,dsn,dtsx,dxl,eco,ecx,edb,epim,exb,fcd,fdb,fic,fmp,fmp12,fmpsl,fol,fp3,fp4,fp5,fp7,fpt,frm,gdb,grdb,gwi,hdb,his,ib,idb,ihx,itdb,itw,jet,jtx,kdb,kexi,kexic,kexis,lgc,lwx,maf,maq,mar,mas,mav,mdb,mdf,mpd,mrg,mud,mwb,myd,ndf,nnt,nrmlib,ns2,ns3,ns4,nsf,nv,nv2,nwdb,nyf,odb,oqy,orx,owc,p96,p97,pan,pdb,pdm,pnz,qry,qvd,rbf,rctd,rod,rodx,rpd,rsd,sas7bdat,sbf,scx,sdb,sdc,sdf,sis,spq,sql,sqlite,sqlite3,sqlitedb,te,temx,tmd,tps,trc,trm,udb,udl,usr,v12,vis,vpd,vvv,wdb,wmdb,wrk,xdb,xld,xmlff,abcddb,abs,abx,accdw,adn,db2,fm5,hjt,icg,icr,kdb,lut,maw,mdn,mdt
.png)
Figure 33 - DragonForce Ransom note
