In 2024, Comparitech reported that the average extortion demand for ransomware attacks exceeded $5.2 million in the first half of the year. This figure is based on 56 documented ransom demands from January to June 2024, with the highest being a $100 million demand following an attack on India’s Regional Cancer Center in April 2024 [1].
The cybersecurity landscape has seen a significant surge in ransomware payments, with the average payment increasing by over 500%. According to Sophos' "State of Ransomware 2024" report, the average ransom payment rose to $2 million in the past year, up from $400,000 in 2023. Additionally, Marsh highlighted that in 2023, the median ransom demand jumped to $20 million from $1.4 million in 2022, and the average payment soared to $6.5 million from $335,000 in 2022 [2].
Recently, new ransomware groups such as RA World and DragonForce have emerged, significantly increasing ransomware attacks across the healthcare, manufacturing, technology, and finance sectors. These groups are making headlines with their targeted attacks on organizations. Let’s explore RA World and DragonForce and discuss recommendations on how organizations can protect themselves from these ransomware threats.
[1] Ransomware Attack Demands Reach a Staggering $5.2m in 2024 - Infosecurity Magazine (infosecurity-magazine.com)
[2] Ransomware: A persistent challenge in cyber insurance claims | Marsh
RA World ransomware, previously known as the RA Group, has been a significant threat to organizations globally since its first appearance in April 2023. Although the threat actor targets a wide range of organizations, a significant number of attacks have occurred in the U.S., with additional incidents reported in Germany, India, and Taiwan. The group primarily targets the healthcare and financial sectors.
RA World leverages the leaked Babuk ransomware source code from 2021 as a foundation for its operations. This strategy allows RA World to maintain agility and expedite its attacks, while also developing distinctive methods tailored to its targets. Trend Micro noted in their analysis of the threat actor that despite utilizing Babuk as its core payload, RA World continues to refine its attack techniques and operational tactics over time.
Image 1: Attack Chain
Source: Trend Micro
RA World begins its attack by compromising domain controllers, gaining initial access to the target network. The attackers deploy malicious components into the SYSVOL share path, exploiting the Group Policy Object (GPO) infrastructure. This strategic placement allows the ransomware to execute during routine Group Policy processing, potentially affecting multiple machines within the domain.
Once inside the network, the ransomware uses a PowerShell script to execute Stage1.exe, which plays a crucial role in identifying and validating domain controllers. Stage1.exe then proceeds to deploy Stage2.exe across the network, leveraging the compromised Group Policy settings for lateral movement.
To ensure persistence within the compromised system, RA World creates a new service and manipulates the Boot Configuration Data (BCD) to enable Safe Mode with Networking. These actions, coupled with registry modifications, allow the ransomware to evade detection and maintain a foothold in the victim's environment.
The final stage of the attack involves deploying Stage3.exe, the ransomware payload, which encrypts data on compromised machines. RA World's ransom note uses extortion tactics, listing recent victims and pressuring others to comply with ransom demands.
In addition to data encryption, RA World operators deploy scripts to disable antivirus measures and manipulate system settings. These actions include wiping specific directories and removing Safe Mode options, culminating in a forced system reboot to ensure the ransomware's effectiveness.
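The chain described above (payload staged in SYSVOL and pushed by Group Policy, a new service, a BCD change enabling Safe Mode with Networking, and a forced reboot) produces telemetry that can be correlated per host. The script below is an added example written for this page, not code from Avertium or Trend Micro. It runs four heuristic rules over constructed Windows telemetry (Sysmon process-creation and file-creation events, and System-log event 7045 for new services); the host names, file names and field names are assumptions modelled on those sources, and the sample events are constructed, not real logs.

```python
"""Hunt rules for a staged, GPO-driven ransomware chain: payload staging under SYSVOL,
a new service, a BCD change to the safeboot setting, and a forced reboot.
Added example; not Avertium's or Trend Micro's code."""
import json
import re
from collections import defaultdict

# Constructed sample telemetry as JSON lines (not real logs). EventID 1 and 11 follow
# Sysmon (process create, file create); 7045 is the System-log "new service installed"
# event. Field and host names are assumptions modelled on those sources.
SAMPLE_EVENTS = r"""
{"EventID": 11, "Computer": "DC01", "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Windows\\SYSVOL\\sysvol\\corp.example\\scripts\\Stage1.exe"}
{"EventID": 1, "Computer": "DC01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File \\\\corp.example\\SYSVOL\\corp.example\\scripts\\run.ps1"}
{"EventID": 7045, "Computer": "WS07", "ServiceName": "UpdateSvc", "ImagePath": "C:\\ProgramData\\Stage2.exe"}
{"EventID": 1, "Computer": "WS07", "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit /set {default} safeboot network"}
{"EventID": 1, "Computer": "WS07", "Image": "C:\\Windows\\System32\\shutdown.exe", "CommandLine": "shutdown /r /t 0"}
{"EventID": 1, "Computer": "WS12", "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit /enum"}
{"EventID": 7045, "Computer": "WS12", "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"}
{"EventID": 7045, "Computer": "WS20", "ServiceName": "Helper", "ImagePath": "C:\\Users\\Public\\helper.exe"}
"""

# Executable or script path located under a SYSVOL share (GPO-distributed payload).
SYSVOL_PAYLOAD_RE = re.compile(r"\\sysvol\\\S*\.(?:exe|dll|ps1|bat|cmd|vbs)\b", re.IGNORECASE)
# bcdedit invocation that touches the safeboot setting (set or delete).
SAFEBOOT_RE = re.compile(r"\bbcdedit\b.*\bsafeboot\b", re.IGNORECASE)
# Directories a service binary is normally expected to live in (heuristic).
TRUSTED_SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\program files")
PATH_FIELDS = ("Image", "CommandLine", "TargetFilename", "ImagePath")


def rule_sysvol_staging(ev):
    """Payload written to, executed from, or registered as a service out of SYSVOL."""
    text = " ".join(str(ev.get(f, "")) for f in PATH_FIELDS)
    m = SYSVOL_PAYLOAD_RE.search(text)
    if m:
        return ("sysvol_staging", "high", f"SYSVOL payload: {m.group(0)}")
    return None


def rule_bcd_safeboot(ev):
    """bcdedit altering the safeboot entry (enabling Safe Mode with Networking, or removing it)."""
    cmd = ev.get("CommandLine", "")
    if ev.get("EventID") in (1, 4688) and SAFEBOOT_RE.search(cmd):
        return ("bcd_safeboot", "high", f"BCD safeboot change: {cmd}")
    return None


def rule_new_service(ev):
    """New service whose binary lives outside the usual system directories."""
    if ev.get("EventID") != 7045:
        return None
    image = ev.get("ImagePath", "").strip('"').lower()
    if not image.startswith(TRUSTED_SERVICE_DIRS):
        return ("untrusted_service", "medium",
                f"service {ev.get('ServiceName')} -> {ev.get('ImagePath')}")
    return None


def rule_forced_reboot(ev):
    """shutdown /r: weak on its own, meaningful after a BCD or service change on the same host."""
    cmd = ev.get("CommandLine", "").lower()
    if ev.get("EventID") in (1, 4688) and cmd.startswith("shutdown") and "/r" in cmd.split():
        return ("forced_reboot", "low", f"forced reboot: {cmd}")
    return None


RULES = (rule_sysvol_staging, rule_bcd_safeboot, rule_new_service, rule_forced_reboot)


def parse_events(jsonl):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def evaluate(events):
    """Run every rule over every event; group hits by host."""
    findings = defaultdict(list)
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings[ev.get("Computer", "unknown")].append(hit)
    return dict(findings)


def triage(events):
    """Per host: 'investigate' when a high-severity rule fired or two distinct stages of
    the chain were seen on the same host; otherwise 'review'."""
    report = {}
    for host, hits in evaluate(events).items():
        rules = sorted({name for name, _, _ in hits})
        high = any(sev == "high" for _, sev, _ in hits)
        verdict = "investigate" if high or len(rules) >= 2 else "review"
        report[host] = {"verdict": verdict, "rules": rules, "hits": hits}
    return report


if __name__ == "__main__":
    for host, r in sorted(triage(parse_events(SAMPLE_EVENTS)).items()):
        print(f"{host}: {r['verdict']} ({', '.join(r['rules'])})")
        for _, sev, detail in r["hits"]:
            print(f"    [{sev}] {detail}")
```

On the constructed sample, DC01 is escalated for the SYSVOL staging alone, WS07 for the combination of an untrusted service, the safeboot change and the reboot, while WS20 (one service from a user-writable path) is only queued for review and WS12 (a bcdedit enumeration and a legitimate service) produces nothing. In practice the same rules are transcribed into the SIEM's query language; the per-host correlation is what separates this chain from routine administration.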
DragonForce, also a relatively new ransomware strain, has gained significant attention due to its aggressive tactics and high-profile attacks targeting various organizations globally. The group first surfaced in November 2023, establishing its presence with notable attacks on diverse targets including the Ohio Lottery, Yakult Australia, and Coca-Cola Singapore.
One of the most significant incidents attributed to DragonForce involved the attack on the Aussizz Group, a leading educational and migration consultancy. The ransomware gang claimed responsibility for exfiltrating and encrypting nearly 300GB of sensitive data, showcasing their ability to target and impact large organizations with significant data stores.
A hacktivist group named DragonForce, operating out of Malaysia, executed several campaigns against government agencies and organizations in the Middle East and Asia during 2021 and 2022. In 2022, the group declared plans to release ransomware. However, with limited available information, it remains unclear if the recently identified DragonForce ransomware is linked to this hacktivist group.
In a unique incident involving the government of Palau in March 2024, DragonForce and another ransomware group, LockBit, both claimed responsibility for locking government systems. The ransom notes provided conflicting instructions, indicative of internal discord or miscommunication among the cybercriminals. Palauan authorities, however, denied any engagement with the attackers.
Like many ransomware groups, DragonForce uses a dual extortion strategy, locking out victims from their systems through encryption and threatening to expose stolen data on the dark web unless ransom demands are met.
However, DragonForce has also distinguished itself not only through its operational ruthlessness but also through unconventional methods such as publishing audio recordings of negotiations with victims on their dark web site. This approach appears aimed at intensifying pressure on organizations to comply with ransom demands.
DragonForce typically begins its attacks through phishing emails or by exploiting vulnerabilities in Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) solutions. Once it infiltrates the network, DragonForce can propagate quickly and encrypt critical systems and data.
Recent reports by Cyble Research & Intelligence Labs revealed DragonForce's use of a ransomware builder leaked from the LockBit group, specifically the LockBit Black variant. In September 2022, a user on X (Twitter) posted a link to download the LockBit ransomware builder. This tool allows threat actors to tailor the ransomware payload to their specific needs.
It also comes with a "config.json" file that allows for customization of various features, such as encryption mode, filename encryption, impersonation, exclusion of certain files and folders from encryption, and exclusion based on language for CIS countries. The configuration file also includes a template for the ransom note. DragonForce appears to be leveraging existing malware infrastructure to strengthen its own capabilities and streamline operations.
LockBit Black, or LockBit 3.0, is the third iteration of the LockBit ransomware. It was launched in March 2022 and was leaked six months later by a discontented developer within the group.
In response, LockBit administrators introduced a so-called new version, named LockBit Green, which was later revealed to be a rebranded Conti encryptor.
Despite the LockBit group's infrastructure being dismantled by Operation Cronos, an international law enforcement initiative, in February 2024, the LockBit Black builder remains accessible to the public.
The discovery of DragonForce ransomware and its connection to the leaked LockBit Black ransomware builder underscores the growing danger posed by leaked malware-building tools. These tools allow threat actors to create and deploy customized ransomware with little effort, lowering the bar for attacks on organizations.
In June 2024, DragonForce announced on a dark web forum that they are actively seeking new partners to join their Ransomware-as-a-Service (RaaS) operation. This initiative aims to strengthen their capabilities by recruiting specialists such as access specialists and pentesters.
In their recruitment pitch, DragonForce offers partners access to their established infrastructure and advanced tools. Partners receive an 80% share of revenue and benefit from state-of-the-art technologies and fully automated operational processes, which the group advertises as enhancing efficiency.
DragonForce’s operational framework includes a comprehensive control panel for partners to monitor attack progress and manage operational aspects in real-time. They facilitate automated file issuance for attacks and provide capabilities for testing scripts, ensuring partners can validate tools and techniques before deployment in actual attacks.
Ransomware threats are becoming more sophisticated and persistent, affecting organizations globally. DragonForce ransomware has gained attention for using leaked ransomware builders from LockBit and using tactics that threaten both data encryption and exposure. The group has targeted major entities like the Ohio Lottery, Yakult Australia, and the Aussizz Group, showcasing their ability to disrupt and damage large organizations.
Similarly, RA World, previously known as the RA Group, is another significant ransomware threat. They have attacked organizations in the U.S., Germany, India, and Taiwan, particularly focusing on the healthcare, insurance, and financial sectors. RA World uses Babuk's leaked source code, compromises domain controllers, and alters Group Policy settings to infiltrate networks and launch multi-stage attacks. This approach makes them difficult to detect and allows them to cause extensive damage.
The increasing threat from ransomware groups like DragonForce and RA World means that there is an urgent need for strong cybersecurity measures. Organizations must regularly back up data, keep security software updated, and educate employees about cyber threats. As ransomware tactics evolve, it is important for organizations and cybersecurity professionals to stay alert and use advanced security strategies to protect their data.
RA World & DragonForce:
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe from RA World and DragonForce:
Fast-Growing RA Ransomware Group Goes Global (darkreading.com)
RA World Ransomware: what’s the impact and who are the victims? | by BAlves | Medium
RA World Ransomware Exploits Group Policy infrastructure (gbhackers.com)
Threat Actor "DragonForce" Seeks New Partners (redhotcyber.com)
DragonForce Ransomware Breach Exposes Davis & Young (halcyon.ai)
How MFA Failures are Fueling a 500% Surge in Ransomware Losses (thehackernews.com)
Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO | Trend Micro (UAE)
new-dragonforce-ransomware-may1-15-12.pdf (mphasis.com)
Dark Web Profile: DragonForce Ransomware - SOCRadar® Cyber Intelligence Inc.
DragonForce Ransomware - What You Need To Know | Tripwire
LOCKBIT Black's Legacy: Unraveling The DragonForce Ransomware Connection - Cyble
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.