DragonForce Ransomware: BYOVD Weaponization, Affiliate Expansion, and EDR Evasion in 2025
(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))
Get questions like this:
- what do you know about ‘DragonForce ransomware group’ ?
- How does DragonForce’s use of BYOVD compare to other ransomware groups, and what specific vulnerable drivers should defenders monitor or block?
- How are other ransomware groups evolving their BYOVD techniques, and are there emerging vulnerable drivers being abused beyond TrueSight[.]sys and RentDrv[.]sys?
Does it take chunks out of your day? Would you like help with the research?
This baseline report was thoughtfully researched and took 10 minutes. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.
We just did the initial grunt work.
Are you ready to level up your skillset? Get Started Here!
Did this help you? Forward it to a friend!
Suggested Pivot
How can emerging vulnerabilities in signed drivers, such as CVE-2025-0289, be proactively identified and mitigated to disrupt BYOVD techniques before widespread exploitation by ransomware groups like DragonForce?
TL;DR
Key Points
- DragonForce ransomware group aggressively leverages Bring Your Own Vulnerable Driver (BYOVD) techniques, embedding them in customized ransomware variants to evade EDR/AV and escalate privileges.
  - Action: Enforce driver integrity checks, block known vulnerable drivers, and deploy behavioral analytics to detect BYOVD activity.
- The group’s Ransomware-as-a-Service (RaaS) model, launched mid-2024, has rapidly expanded via affiliates, targeting high-value sectors (manufacturing, real estate, retail) across the US, UK, Australia, Malaysia, and Germany.
  - Action: Monitor for sector-specific TTPs, especially in manufacturing and retail, and prepare for double extortion campaigns.
- DragonForce exploits emerging vulnerabilities (e.g., CVE-2025-0289 in Paragon Partition Manager) and weaponizes drivers like TrueSight.sys and RentDrv.sys for stealthy process termination and defense evasion.
  - Action: Patch vulnerable drivers promptly and monitor for anomalous driver loads and DeviceIoControl usage.
- Affiliates share infrastructure and TTPs with groups like Scattered Spider (UNC3944) and former RansomHub members, complicating attribution and accelerating technique adoption.
  - Action: Map infrastructure overlaps and monitor for cross-group TTP proliferation.
- Defensive recommendations include strict driver policies, endpoint hardening, network segmentation, phishing awareness, and breach simulation focused on BYOVD and ransomware deployment chains.
  - Action: Implement layered defenses and validate with red team exercises simulating DragonForce TTPs.
Executive Summary
DragonForce has rapidly evolved into a major RaaS operation, distinguished by its sophisticated use of BYOVD techniques to bypass EDR and escalate privileges. The group’s modular ransomware builder allows affiliates to select vulnerable drivers (notably TrueSight.sys, RentDrv.sys) for process termination, customize payloads, and evade detection. Since mid-2023, DragonForce and its affiliates have compromised at least 82 organizations, with a surge in attacks following the 2024 launch of its affiliate program.
The group’s targeting is global, with a focus on economically significant sectors—manufacturing, real estate, transportation, healthcare, and retail—using phishing, credential theft, and lateral movement via RDP/SMB. DragonForce’s double extortion model combines data encryption with threats to leak exfiltrated data, maximizing ransom leverage.
BYOVD adoption is now mainstream among ransomware groups, raising the bar for defense evasion and complicating detection. DragonForce’s operational overlap with Scattered Spider and RansomHub affiliates enables rapid TTP evolution and infrastructure sharing. The exploitation of new driver vulnerabilities (e.g., CVE-2025-0289) is expected to accelerate, with BYOVD becoming a standard feature in commercial ransomware kits.
Defenders must prioritize driver integrity enforcement, behavioral detection of driver loading and process termination, and robust patch management. Network segmentation, immutable backups, and user training are critical to resilience. Intelligence teams should focus on mapping shared infrastructure and monitoring for emerging BYOVD exploits. The forecast anticipates further affiliate expansion, regulatory pressure for driver security, and the integration of AI/ML in both offensive and defensive BYOVD operations.
Research
Attribution
Historical Context
Bring Your Own Vulnerable Driver (BYOVD) techniques have become a prominent method for ransomware groups to evade detection and escalate privileges by exploiting legitimate but vulnerable signed device drivers. This approach allows attackers to bypass Endpoint Detection and Response (EDR) solutions by loading vulnerable drivers that can disable or circumvent security controls at the kernel level. BYOVD has evolved from a niche advanced persistent threat (APT) tactic to widespread use among financially motivated ransomware groups.
The DragonForce ransomware group, first observed in mid-2023, has quickly emerged as a significant ransomware-as-a-service (RaaS) operation. It operates two main ransomware variants: a fork of LockBit 3.0 and a customized fork of Conti V3. The Conti variant notably incorporates BYOVD techniques to terminate security processes and evade detection. DragonForce has expanded its affiliate program aggressively, targeting multiple sectors and countries globally.
Timeline
- Mid-2023: DragonForce ransomware group emerges, initially operating independently.
- August 2023 to August 2024: DragonForce compromises at least 82 victims across sectors such as manufacturing, real estate, and transportation.
- June 2024: Launch of DragonForce affiliate program, offering customizable ransomware builds with BYOVD capabilities.
- Early 2025:
  - DragonForce intensifies campaigns, including high-profile attacks on UK retail chains.
  - Public disclosure of BYOVD exploitation of the Paragon Partition Manager driver (CVE-2025-0289) by ransomware groups, though no direct public attribution to DragonForce yet.
  - RansomHub ceases operations; DragonForce affiliates reportedly take over some infrastructure.
Origin
DragonForce is a financially motivated cybercrime group operating a RaaS model. It leverages leaked ransomware source codes from LockBit and Conti, enhancing them with advanced features such as BYOVD for defense evasion. The group recruits affiliates who use DragonForce infrastructure and ransomware under a white-label model, expanding its operational reach. DragonForce is linked to affiliates formerly associated with RansomHub and has operational overlap with groups like Scattered Spider (UNC3944).
Countries Targeted
- United States – Most affected, with over 50% of known attacks across multiple sectors.
- United Kingdom – Targeted in high-profile retail attacks, including Marks & Spencer and Co-op Group.
- Australia – Several attacks reported, including critical infrastructure.
- Malaysia – Regional targeting with tailored ransomware variants.
- Germany – Industrial and manufacturing sectors targeted.
Sectors Targeted
- Manufacturing – Most targeted sector, with attacks focusing on operational disruption and data theft.
- Real Estate – Significant number of attacks, often involving data exfiltration.
- Transportation – Targeted for operational impact and ransom leverage.
- Healthcare – Sensitive data and critical services targeted, though DragonForce claims some healthcare targets are off-limits.
- Retail – High-profile attacks on major retail chains in the UK.
Motivation
DragonForce is financially motivated, focusing on maximizing ransom payments through double extortion tactics—encrypting data and threatening to leak stolen information. The group claims a moral code avoiding certain healthcare targets, but this is unverified. Geopolitical factors influence targeting, with a focus on economically significant countries and sectors.
Attack Types
- Initial Access: Social engineering, phishing, and use of valid credentials.
- Execution: PowerShell scripts, Cobalt Strike beacons, and custom ransomware payloads.
- Privilege Escalation: Use of BYOVD techniques, including loading vulnerable signed drivers (e.g., TrueSight.sys, RentDrv.sys) to terminate security processes.
- Persistence: Registry run keys, scheduled tasks, and Windows services.
- Defense Evasion: BYOVD to disable EDR/AV, clearing event logs, anti-analysis techniques inherited from Conti.
- Credential Access: LSASS memory dumping using Mimikatz.
- Discovery: Active Directory enumeration, network scanning.
- Lateral Movement: Remote Desktop Protocol (RDP), SMB shares.
- Impact: Data encryption, deletion of shadow copies, data exfiltration, and double extortion.
Known Aliases
- DragonForce ransomware group
- DragonForce RaaS
- DragonForce ransomware affiliates
Links to Other APT Groups
- Scattered Spider (UNC3944): Affiliate relationship and operational overlap; shared targeting of retail sectors.
- LockBit: DragonForce uses a LockBit 3.0 fork variant.
- Conti: DragonForce’s original ransomware variant is a customized Conti V3 fork with BYOVD enhancements.
Similar Threat Actor Groups
- RansomHub: Former ransomware affiliate platform; DragonForce affiliates took over after its shutdown.
- Medusa and QuadSwitcher: Other ransomware groups known to use BYOVD and EDR-killing tools like EDRKillShifter.
Breaches Involving This Threat Actor
- Marks & Spencer (M&S) breach in April 2025 linked to DragonForce affiliates deploying ransomware.
- Co-op Group cyber incident in April 2025 with suspected DragonForce involvement.
- Harrods cyberattack in May 2025, possibly related but unconfirmed.
- Multiple other attacks on manufacturing, real estate, and transportation sectors from 2023-2024.
Strategic Analysis of BYOVD Adoption Among Ransomware Groups Including DragonForce
Evolution and Adoption of BYOVD Techniques
BYOVD techniques have transitioned from specialized APT tactics to mainstream ransomware tools due to their effectiveness in bypassing modern security controls. DragonForce exemplifies this trend by embedding BYOVD capabilities in its ransomware variants, particularly the Conti fork. The group uses legitimate but vulnerable signed drivers such as TrueSight.sys and RentDrv.sys to terminate EDR and antivirus processes, enabling stealthy ransomware deployment.
The modular ransomware builder allows affiliates to select drivers for process termination, customize encryption parameters, and disable security features, reflecting a sophisticated and flexible approach to BYOVD adoption.
Broader Threat Trends and Geopolitical Implications
The widespread use of BYOVD techniques among ransomware groups reflects increasing sophistication and the professionalization of cybercrime. These techniques complicate detection and attribution, benefiting groups operating in jurisdictions with limited law enforcement cooperation.
Geopolitically, ransomware groups including DragonForce target countries with significant economic and industrial value, often focusing on sectors critical to national infrastructure and commerce. The use of BYOVD enhances their ability to conduct prolonged campaigns with reduced risk of early detection.
Impact on the Global Ransomware Ecosystem
BYOVD has raised the complexity of ransomware attacks by enabling:
- Effective evasion of EDR and antivirus solutions.
- Privilege escalation without triggering traditional alerts.
- Persistence through legitimate system components.
- Increased operational success and financial impact.
This has led to a more resilient ransomware ecosystem, challenging defenders to develop advanced detection and mitigation strategies.
High-Level Detection Guidance for BYOVD Activity
Behavioral Patterns
- Loading of known vulnerable signed drivers (e.g., TrueSight.sys, RentDrv.sys) not typically present or updated on the system.
- Use of DeviceIoControl calls with IOCTL codes associated with process termination.
- Sudden termination or disabling of security processes (EDR/AV).
- Privilege escalation attempts involving token duplication and process creation with SYSTEM privileges.
- Persistence via registry run keys, scheduled tasks, and Windows services linked to driver loading.
- Clearing of Windows event logs and shadow copies post-encryption.
- Network indicators such as Cobalt Strike beacon traffic and unusual outbound connections.
Example SigmaHQ-Style Signature (High-Level)
title: Suspicious Loading of Vulnerable Signed Driver Indicative of BYOVD Activity
id: 12345678-90ab-cdef-1234-567890abcdef
description: Detects loading of known vulnerable signed drivers used in BYOVD ransomware attacks to evade security controls.
status: experimental
author: Strategic Cybersecurity Analyst
date: 2025/05/19
logsource:
    # Sysmon Event ID 6 (Driver loaded) is exposed through the driver_load category;
    # the ImageLoaded field is not present in the Windows System log channel.
    category: driver_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\TrueSight.sys'
            - '\RentDrv.sys'
    condition: selection
falsepositives:
    - Legitimate driver updates or installations
level: high
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1562.001
    - ransomware
    - byovd
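As an added example (not code from the report or from DragonForce tooling), the following Python script applies two of the behavioral patterns above, a vulnerable-driver load (Sysmon Event ID 6) followed by termination of security processes (Sysmon Event ID 5), and reuses the Sigma rule's `|endswith` matching semantics over constructed Sysmon-style records. The pipe-delimited input format, the security-process names and the five-minute correlation window are assumptions for the demo.

```python
"""Detect BYOVD-style activity in constructed Sysmon-like records.

Two behavioral patterns from the report are combined:
  1. a known vulnerable signed driver is loaded (Sysmon Event ID 6), and
  2. security-tool processes terminate shortly afterwards (Sysmon Event ID 5).
The pipe-delimited input format, process names and time window are
assumptions made for this example, not something the report specifies.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Driver file names named in the report. Matching on the leading backslash
# mirrors Sigma's usual '\name.sys' suffix style and avoids partial matches.
VULNERABLE_DRIVER_SUFFIXES = ("\\truesight.sys", "\\rentdrv.sys")

# Illustrative security-process names (assumed; tune to the tooling in use).
SECURITY_PROCESS_SUFFIXES = ("\\msmpeng.exe", "\\csfalconservice.exe")

# How soon after a driver load a security-process exit is treated as related.
CORRELATION_WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int      # 6 = driver loaded, 5 = process terminated
    host: str
    image: str         # ImageLoaded for ID 6, Image for ID 5


def sigma_endswith(value: str, suffixes: Iterable[str]) -> bool:
    """Sigma '|endswith' semantics: case-insensitive suffix comparison."""
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def parse_line(line: str) -> Event:
    """Parse one constructed record: '<iso timestamp>|<event id>|<host>|<image>'."""
    ts, event_id, host, image = line.strip().split("|", 3)
    return Event(datetime.fromisoformat(ts), int(event_id), host, image)


def detect(events: Iterable[Event]) -> list[dict]:
    """Return one finding per vulnerable-driver load, escalated to 'critical'
    when security processes terminated within CORRELATION_WINDOW on that host."""
    by_host: dict[str, list[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    findings: list[dict] = []
    for host, host_events in by_host.items():
        for idx, ev in enumerate(host_events):
            if ev.event_id != 6 or not sigma_endswith(ev.image, VULNERABLE_DRIVER_SUFFIXES):
                continue
            killed = [
                later.image
                for later in host_events[idx + 1:]
                if later.event_id == 5
                and later.ts - ev.ts <= CORRELATION_WINDOW
                and sigma_endswith(later.image, SECURITY_PROCESS_SUFFIXES)
            ]
            findings.append({
                "host": host,
                "driver": ev.image,
                "loaded_at": ev.ts.isoformat(),
                "terminated_security_processes": killed,
                "severity": "critical" if killed else "high",
            })
    return findings


# Constructed sample telemetry (not real victim data): one host where security
# processes die seconds after the driver load, one where the load is isolated.
SAMPLE_LOG = r"""
2025-05-19T10:00:01|6|WS-042|C:\Windows\System32\drivers\TrueSight.sys
2025-05-19T10:00:07|5|WS-042|C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe
2025-05-19T10:00:09|5|WS-042|C:\Program Files\CrowdStrike\CSFalconService.exe
2025-05-19T10:00:12|5|WS-042|C:\Windows\System32\notepad.exe
2025-05-19T10:40:00|6|WS-042|C:\Windows\System32\drivers\tcpip.sys
2025-05-19T11:30:00|6|SRV-07|C:\Windows\Temp\RentDrv.sys
2025-05-19T12:30:00|5|SRV-07|C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe
"""


def run_demo() -> list[dict]:
    """Run the detector over SAMPLE_LOG and return the findings."""
    lines = (l for l in SAMPLE_LOG.splitlines() if l.strip())
    return detect(parse_line(l) for l in lines)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Running the script reports a critical finding for WS-042 (two security processes terminated within the window) and a high finding for SRV-07 (driver load with no correlated termination); the benign tcpip.sys load and the notepad.exe exit are ignored.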
Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps
(Subscribers Only)
Recommendations, Actions and Next Steps
- Implement strict driver integrity enforcement policies to block the loading of known vulnerable signed drivers such as TrueSight.sys and RentDrv.sys. DragonForce leverages these drivers to bypass EDR and escalate privileges via BYOVD techniques, enabling stealthy ransomware deployment.
- Enhance endpoint detection by deploying behavioral analytics that specifically detect BYOVD tactics. Implement Sigma rules such as "Suspicious Loading of Vulnerable Signed Driver Indicative of BYOVD Activity" and monitor for DeviceIoControl calls with IOCTL codes linked to process termination. Utilize EDR features that alert on sudden termination of security processes and privilege escalation attempts involving token duplication and SYSTEM-level process creation.
- Maintain rigorous patch management to remediate vulnerabilities in signed drivers and system components, including addressing emerging vulnerabilities such as CVE-2025-0289 exploited by DragonForce affiliates. This reduces the attack surface for BYOVD exploitation.
- Harden endpoint security configurations to be tamper-resistant, preventing ransomware groups from disabling or circumventing EDR solutions. Restrict administrative privileges, enforce code integrity policies, and monitor for unauthorized changes to security software.
- Conduct regular security awareness training focused on social engineering and credential hygiene, as DragonForce frequently gains initial access through phishing and valid credential use. This reduces the likelihood of successful initial compromise.
- Segment networks to limit lateral movement opportunities and maintain immutable, offline backups to ensure recovery from ransomware encryption and double extortion attempts, which are core impact tactics of DragonForce.
- Use breach and attack simulation tools to validate defenses against DragonForce TTPs, particularly BYOVD exploitation and ransomware deployment chains, ensuring preparedness against evolving tactics.
- Monitor network traffic for Cobalt Strike beacon activity and unusual outbound connections, as these are indicators of DragonForce’s execution and command and control phases.
Suggested Pivots
- How can emerging vulnerabilities in signed drivers, such as CVE-2025-0289, be proactively identified and mitigated to disrupt BYOVD techniques before widespread exploitation by ransomware groups like DragonForce?
  - Suggested Methodology: Leverage vulnerability intelligence feeds, conduct fuzz testing on signed drivers, and collaborate with software vendors for patch prioritization.
- What specific types of shared infrastructure (e.g., command and control servers, malware builders, payment portals) exist between DragonForce affiliates and related groups like Scattered Spider and former RansomHub affiliates, and which intelligence collection methods (OSINT, HUMINT, technical telemetry) are most effective for mapping these overlaps to improve attribution and disruption?
  - Suggested Methodology: Combine OSINT analysis of domain registrations and IP overlaps, HUMINT from underground forums, and telemetry from network sensors and honeypots.
- How effective are current endpoint detection and response (EDR) solutions against BYOVD-enabled ransomware attacks, and what advanced behavioral analytics or detection methodologies can be empirically developed and validated to better identify and prevent these evasive tactics?
  - Suggested Methodology: Conduct controlled red team exercises using known BYOVD samples, analyze detection gaps via threat intelligence sharing platforms, and develop Sigma rules or machine learning models for behavioral detection.
- What geopolitical and economic factors are driving DragonForce’s targeting decisions, and how might changes in these factors influence their operational focus or the sectors and countries at risk?
  - Suggested Methodology: Analyze geopolitical events, economic sanctions, and regional cybercrime law enforcement trends alongside attack patterns using geopolitical risk frameworks.
- How can organizations in the most targeted sectors (manufacturing, real estate, transportation, healthcare, retail) implement tailored defense-in-depth strategies that specifically address DragonForce’s unique threat vectors, including social engineering and BYOVD exploitation?
  - Suggested Methodology: Develop sector-specific threat models, conduct tabletop exercises simulating DragonForce TTPs, and evaluate the effectiveness of layered controls such as network segmentation, endpoint hardening, and user training.
Forecast
Short-Term Forecast (3-6 months)
- Rapid Expansion and Diversification of DragonForce Affiliate Operations
  - DragonForce’s affiliate program, launched in mid-2024, will continue to drive a surge in ransomware attacks, particularly in the United States and United Kingdom. Affiliates are customizing ransomware builds to include BYOVD capabilities, increasing attack volume and complexity, especially in manufacturing, real estate, and retail sectors.
  - Examples:
    - Continued high-profile retail breaches similar to the Marks & Spencer and Co-op Group incidents, publicly linked to DragonForce affiliates by Group-IB.
    - Expansion of attacks into critical infrastructure sectors in Australia and Germany, leveraging BYOVD to evade detection.
  - Watch Point: Security teams should monitor for new DragonForce affiliate activity and customize detection rules to identify BYOVD driver loading and ransomware variants.
- Widespread Adoption and Weaponization of BYOVD Techniques Using Emerging Vulnerabilities
  - The exploitation of vulnerable signed drivers, including the recently disclosed CVE-2025-0289 in Paragon Partition Manager, will become more prevalent among DragonForce affiliates and other ransomware groups. This will enhance their ability to bypass EDR and antivirus solutions, complicating detection and response.
  - Examples:
    - Increased detection of suspicious driver loads such as TrueSight.sys and RentDrv.sys in enterprise environments.
    - Emergence of new vulnerable drivers being weaponized, as observed in recent public disclosures and threat reports.
  - Watch Point: Organizations should enforce strict driver integrity policies and monitor for anomalous DeviceIoControl calls associated with process termination.
- Intensification of Double Extortion Campaigns Targeting Manufacturing and Real Estate
  - DragonForce will escalate data exfiltration and double extortion tactics, focusing on sectors with high operational and data value. Manufacturing and real estate will remain prime targets due to their economic importance and potential ransom leverage.
  - Examples:
    - Phishing campaigns targeting credential access in these sectors to facilitate initial compromise.
    - Public leak sites operated by DragonForce affiliates publishing stolen data to pressure victims.
  - Watch Point: Incident response teams should prepare for combined ransomware and data leak incidents and strengthen phishing defenses.
- Enhanced Defensive Focus on Behavioral Detection and Network Monitoring for BYOVD and Cobalt Strike Indicators
  - Security operations centers (SOCs) will increasingly deploy behavioral analytics and Sigma rules (e.g., for suspicious vulnerable driver loading) to detect BYOVD activity. Monitoring for Cobalt Strike beacon traffic and unusual outbound connections will be critical for early detection.
  - Examples:
    - Adoption of the SigmaHQ rule “Suspicious Loading of Vulnerable Signed Driver Indicative of BYOVD Activity” across enterprise EDR platforms.
    - Increased use of network anomaly detection to identify lateral movement and command-and-control communications.
  - Watch Point: Organizations should validate and tune detection rules to reduce false positives while improving BYOVD visibility.
- Continued Infrastructure Sharing and Operational Overlap Among Ransomware Groups
  - Affiliates formerly associated with RansomHub and groups like Scattered Spider (UNC3944) will maintain shared infrastructure and TTPs with DragonForce, complicating attribution and enabling rapid adoption of new techniques.
  - Examples:
    - Shared command and control servers and malware builders observed in underground forums and threat intelligence.
    - Cross-use of BYOVD techniques and ransomware forks among these groups.
  - Watch Point: Intelligence teams should focus on mapping infrastructure overlaps to improve attribution and disruption efforts.
Long-Term Forecast (12-24 months)
- BYOVD Becomes a Standardized Ransomware Defense Evasion Technique
  - BYOVD will institutionalize as a core capability across financially motivated ransomware groups, beyond DragonForce, driving a new baseline of attack sophistication. This will force security vendors and defenders to innovate detection and mitigation strategies focused on vulnerable driver exploitation.
  - Examples:
    - Commercial ransomware builders integrating BYOVD modules as standard features.
    - Development of advanced endpoint protections targeting vulnerable driver loading and IOCTL abuse.
  - Watch Point: Security vendors and enterprises should invest in driver integrity enforcement and kernel-level behavioral analytics.
- Regulatory and Industry Mandates for Driver Integrity and Endpoint Security Hardening
  - Governments and industry bodies will introduce stricter regulations mandating driver signature enforcement, patch management, and tamper-resistant endpoint security to counter BYOVD threats, especially in critical infrastructure sectors.
  - Examples:
    - New compliance frameworks requiring driver whitelisting and enhanced EDR certification.
    - Sector-specific mandates for ransomware resilience and incident reporting.
  - Watch Point: Organizations should prepare for evolving regulatory requirements and align security programs accordingly.
- Evolution of Ransomware-as-a-Service Models with Increased Customization and Modularity
  - RaaS operations like DragonForce will refine affiliate offerings, providing granular control over ransomware features, including BYOVD driver selection, encryption parameters, and evasion tactics, increasing attack variability and complexity.
  - Examples:
    - Dark web marketplaces offering plug-and-play BYOVD modules.
    - Affiliates specializing in niche sectors or geographies with tailored payloads.
  - Watch Point: Threat intelligence should monitor RaaS marketplaces for emerging capabilities and affiliate recruitment trends.
- Geographic and Sectoral Shift Toward Emerging Economies and Under-Defended Targets
  - As detection improves in traditional targets, ransomware groups will pivot to emerging markets such as Southeast Asia and Latin America, focusing on manufacturing, real estate, and healthcare sectors with weaker cybersecurity postures.
  - Examples:
    - Increased ransomware activity in Southeast Asia’s manufacturing sector and Latin America’s real estate market.
    - Opportunistic targeting of smaller healthcare providers despite claimed moral codes.
  - Watch Point: Organizations in emerging economies should prioritize ransomware resilience and BYOVD-specific defenses.
- Integration of AI and Machine Learning in Offensive BYOVD Techniques and Defensive Detection
  - Attackers may adopt AI-driven tools to automate discovery and exploitation of vulnerable drivers, while defenders will deploy machine learning models to detect subtle behavioral anomalies indicative of BYOVD activity.
  - Examples:
    - Research and proof-of-concept tools for AI-assisted vulnerability discovery and exploitation.
    - Security vendors increasingly incorporating ML-based anomaly detection for endpoint and network telemetry.
  - Watch Point: Security teams should evaluate emerging AI/ML detection capabilities and prepare for an evolving threat landscape driven by automation.
Appendix
References
- (2024-09-25) – DragonForce Ransomware Group | Group-IB Blog
- (2025-04-16) – DragonForce Ransomware's Campaign Intensifies in 2025 | Broadcom
- (2025-05-06) – Defending Against UNC3944: Cybercrime Hardening Guidance | Google Cloud
- (2024-12-02) – CrowdStrike Falcon Prevents Multiple Vulnerable Driver Attacks
- (2024-08-14) – Ransomware attackers introduce new EDR killer to their arsenal | Sophos
- (2024-10-17) – DragonForce RaaS Operation Launches Widespread Attacks | Anvilogic
- (2025-03-03) – CVE-2025-0289 Detail - NVD
- (2025-03-03) – BYOVD Attacks Exploit Zero-Day in Paragon Partition Manager | Infosecurity Magazine
- (2025-03-01) – Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks | BleepingComputer
AlphaHunt
(c) 2025 CSIRT Gadgets, LLC
License - CC BY-SA 4.0
MITRE ATT&CK
Techniques
- T1562.001 (Impair Defenses: Disable or Modify Tools)
  - DragonForce uses BYOVD techniques by loading vulnerable signed drivers such as TrueSight.sys and RentDrv.sys to stealthily disable EDR and antivirus processes. This is a core defense evasion and privilege escalation method unique to their ransomware variants.
- T1070 (Indicator Removal on Host)
  - The group clears Windows event logs and deletes shadow copies after encryption to hinder detection and forensic analysis.
- T1543.003 (Create or Modify System Process: Windows Service)
  - DragonForce establishes persistence by creating or modifying Windows services, often linked to loading vulnerable drivers or ransomware execution.
- T1059.001 (Command and Scripting Interpreter: PowerShell)
  - PowerShell scripts are used for execution, lateral movement, and deploying ransomware payloads.
- T1003.001 (OS Credential Dumping: LSASS Memory)
  - Credential harvesting via LSASS memory dumping using Mimikatz enables lateral movement and privilege escalation.
- T1021.001 (Remote Services: Remote Desktop Protocol)
  - RDP is leveraged for lateral movement within victim networks.
- T1021.002 (Remote Services: SMB/Windows Admin Shares)
  - SMB shares facilitate lateral movement and ransomware spread.
- T1110.001 (Brute Force: Password Guessing)
  - Used for initial access and credential access.
- T1055 (Process Injection)
  - Injecting code into legitimate processes to evade detection and maintain persistence.
- T1071.001 (Application Layer Protocol: Web Protocols)
  - Command and control communication using web protocols, including Cobalt Strike beacons.
- T1547 (Boot or Logon Autostart Execution)
  - Persistence via registry run keys and scheduled tasks.
- T1486 (Data Encrypted for Impact)
  - Core ransomware activity encrypting victim data for extortion.
- T1539 (Steal Web Session Cookie)
  - Credential access to maintain persistence and lateral movement.
Tactics
- TA0005 (Defense Evasion)
  - BYOVD and disabling security tools are central to DragonForce's evasion.
- TA0004 (Privilege Escalation)
  - BYOVD techniques enable escalation to SYSTEM privileges.
- TA0001 (Initial Access)
  - Phishing, social engineering, and valid credentials are common entry points.
Procedures
- DragonForce affiliates deliver vulnerable signed drivers (e.g., TrueSight.sys, RentDrv.sys) as part of their ransomware payload or via lateral movement tools. These drivers are loaded using legitimate Windows APIs to terminate security processes silently, bypassing EDR protections.
- Persistence is maintained through creation of Windows services and registry run keys that reload these drivers or ransomware components on system reboot or user logon.
- Credential harvesting is performed by dumping LSASS memory using Mimikatz, enabling lateral movement via RDP and SMB shares.
- Execution chains often start with phishing or credential access, followed by PowerShell script execution, driver loading for defense evasion, and ransomware deployment.
- Post-encryption, DragonForce clears event logs and deletes shadow copies to prevent recovery and forensic analysis.
Software
- S0367 (Mimikatz)
  - Used for credential dumping.
- Cobalt Strike (widely recognized but not officially cataloged in MITRE)
  - Used for command and control and lateral movement.
- Vulnerable signed drivers such as TrueSight.sys and RentDrv.sys (BYOVD technique)
  - Legitimate but vulnerable drivers exploited for defense evasion and privilege escalation.
Mitigations
- M1036 (Driver Integrity Checking)
  - Enforce strict driver signature and integrity checks to block loading of vulnerable signed drivers exploited in BYOVD attacks.
- M1050 (Restrict Credential Access to LSASS)
  - Limit access to LSASS memory to prevent credential dumping.
- M1047 (Disable or Remove Feature or Program)
  - Remove or disable vulnerable drivers and unnecessary services to reduce attack surface.
Groups
- G1015 Scattered Spider (UNC3944)
  - Affiliate relationship and operational overlap with DragonForce, sharing targeting and some TTPs.