DragonForce is the latest ransomware brand to move from noisy forum posts to full RaaS operations, targeting both Windows and VMware ESXi environments. <\/p>\n
First seen in December 2023 on BreachForums, the group advertises stolen data and uses a dark web blog to pressure victims. The early leak post revealed the new cartel-style operation.<\/p>\n
The group built its payload from leaked LockBit<\/a> 3.0 and Conti code, but tuned it for flexible, high-speed encryption across local disks and network shares. <\/p>\n Operators usually gain access through exposed remote desktop servers, then use tools like Cobalt Strike<\/a> and SystemBC to move laterally before launching the ransomware. Impact ranges from encrypted file servers and virtual machines to stolen data prepared for public release.<\/p>\n S2W analysts identified<\/a> a custom DragonForce build that hides nearly all strings with a home-grown deobfuscation routine and relies on ChaCha8 plus RSA-4096 for file encryption. <\/p>\n Their research shows that command-line flags let affiliates choose local, network-only, or mixed modes, and even tune partial encryption ratios to speed up attacks. While its DLS shows the internal workflow from configuration decryption to process killing and file scrambling.<\/p>\n During wider threat hunting, S2W researchers obtained a working decryptor for both Windows and ESXi systems, giving some victims a path to recovery without paying ransom. <\/p>\n The Windows tool looks for files with the .RNP extension, while the ESXi version checks for .RNP_esxi files that also end with a specific eight-byte magic value called build_key. Besides this it maps the full decryption chain from RSA key loading to metadata parsing and file restoration.<\/p>\n This complete technical breakdown gives defenders insight into DragonForce tools and recovery options.<\/p>\n On execution, the ransomware<\/a> first decrypts its internal configuration using ChaCha8, then reads options such as encryption mode and target path. <\/p>\n A common command seen by S2W analysts is As it scans local and remote paths, DragonForce<\/a> skips core system areas, then encrypts chosen files. For big virtual disk images it encrypts only chunks instead of the whole file to save time. <\/p>\n At the end of each file it writes 534 bytes of metadata with an RSA-encrypted ChaCha8 key and nonce plus flags that store mode, ratio, and original size.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Researchers Breakdown DragonForce Ransomware Along with Decryptor for ESXi and Windows Systems<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Post](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgHVxOvhxsTCot2z47b06gl_zXvdmVtX7oTy-hhAAOfgl0gkePvvbwNR7lHYB37rnBaOSjMgj-TmXqEBAdHGy1MG2LMHmOyGvNylPBEhu954B8fh94x8RSezOE7Hyhf_QTmXPQ7mTcDxU7Xv_xx-We3RUr4RUukQc7NmNYZxfWLERvBx7UmlMvpl9idw4Y\/s16000\/Post%2520uploaded%2520to%2520BreachForums%2520%28Source%2520-%2520Medium%29.webp?ssl=1\")
![\"DragonForce\u2019s](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEia1OcWjUOMAhy_VqQ0iZoeXG7fNuF2S3qzP6SgvX_wflvTSYnxhUuLvo2SK0J_n8NwrXgqoN1YK0X40QKpyW-PhPCVvyUPTByEkTjeEm8BGn_paTor6q_w3XPud3CgpFwNbjFiSLxj0GpZwZl73s46ha5aOSs11UkljRwLwzdIESrWvz0yKzRQrUv3IJ4\/s16000\/DragonForce%25E2%2580%2599s%2520DLS%2520as%2520of%2520December%25202023%2520%28Source%2520-%2520Medium%29.webp?ssl=1\")
![\"DragonForce](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjJJwcobH-lztUz6qNFTJR72rt9YNJtFmVaE3HnrJ4wALDO4FRk7PhRkbW9mzl-dWrfHFJHEfE-7rP2NPyIe8mGfs5qPYk6gzNGltcmHycsGxzGAy3wtBGQdlYcxf3jHHaJQsWe4aIhtMTdiHJ-ypbN0hwqNgVpaoGuWzQ_RkxEq58xGEva_M3gIRyK_0w\/s16000\/DragonForce%2520%25E2%2580%2594%2520we%2520invite%2520you%2520to%2520join%2520our%2520family%2520%28Source%2520-%2520Medium%29.webp?ssl=1\")
Encryption and Decryption Workflow<\/strong><\/h2>\n
![\"Post](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhFJKTMojE9CyH13rqvOi6Hp-Wl5ymiDpqhTGID63tHdB1EE0owAGkx98kQNCzWJcKhU8_AobbLkUuIxLMsPtdVXGtK0gh0zoDP4PoYDH-Z9TUvfK8EXD6_suXP6XeNN3T98hp0_ndKCNzWWYGOhOqzewjqJoJlNcXhZqVhIwBXd1Q5UMjqGFhuPcO15q8\/s16000\/Post%2520announcing%2520the%2520migration%2520of%2520the%2520RansomHub%2520infrastructure%2520to%2520DragonForce%2520%28Source%2520-%2520Medium%29.webp?ssl=1\")
dragonforce.exe -m net -p C:\\ -j 8<\/code>, which tells the malware to hit network targets under that path with multiple worker threads.<\/p>\n![\"DragonForce](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiGZhxegOjx1AEqz5EvFMPDSuHC3UTiF4AknepLNNxhmqg4a9RF3t4WCfsoL45YkiIcipPi_C5KkrY3OA5rGFSJaSlAgBF7SLlhjK1Vq3M0JHli_YAoGw0xxPGL_8uF1Bls212QawW90ZKp-JkD8fLCGZIPLPHNiSrhViowfXVuis-xSQJrzgJf4otmwII\/s16000\/DragonForce%2520Ransomware%2520Execution%2520Flow%2520%28Source%2520-%2520Medium%29.webp?ssl=1\")