win.dragonforce (Back to overview)

DragonForce


According to Idan Malihi, this ransomware is based on the LockBit builder from 2022 and uses similar configurations and attack methods. The ransomware’s icon and wallpaper are embedded in the binary’s overlay, compressed with Zlib, and loaded dynamically at runtime.

References
2026-02-03LevelBlueEvgeny Ananin, Mark Tsipershtein
The Godfather of Ransomware? Inside DragonForce’s Cartel Ambitions
DragonForce
2026-01-14S2W Inc.Byeongyeol An
Detailed Analysis of DragonForce Ransomware
DragonForce
2025-05-06MandiantMandiant
Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines
BlackCat DragonForce RansomHub
2025-05-06MandiantMandiant
Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines
BlackCat DragonForce RansomHub
2025-03-11Idan MalihiIdan Malihi, Yaniv Azran
DragonForce Ransomware: Unveiling Its Tactics and Impact
DragonForce
Yara Rules
[TLP:WHITE] win_dragonforce_auto (20260504 | Detects win.dragonforce.)
rule win_dragonforce_auto {

    /* Purpose: detect the win.dragonforce family (DragonForce ransomware) by
     * eight short code-byte sequences ($sequence_0 .. $sequence_7) that were
     * selected automatically from the disassembly of memory dumps and
     * unpacked files (see DISCLAIMER below). Because the patterns come from
     * unpacked code, a packed on-disk sample may not match until it is
     * unpacked or dumped — confirm against the artefacts you actually scan.
     * The condition needs only 7 of the 8 sequences, so one sequence
     * changing between builds does not by itself break detection.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.dragonforce."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dragonforce"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is the raw x86 byte encoding of four consecutive
     * instructions; the "//" lines under each one are the matching
     * disassembly and are informational only. A "??" wildcard (see
     * $sequence_5) masks bytes that vary between builds — there, the rel32
     * target of an e8 (call) opcode. Do not hand-edit the hex values: the
     * rule is regenerated by yara-signator and the meta fields above
     * describe that generation run.
     */
    strings:
        // Four single-byte immediates written to adjacent stack slots
        // ([ebp-0x1a] .. [ebp-0x17]) — a stack-string style construction.
        $sequence_0 = { c645e67c c645e75a c645e87c c645e92a }
            // n = 4, score = 100
            //   c645e67c             | mov                 byte ptr [ebp - 0x1a], 0x7c
            //   c645e75a             | mov                 byte ptr [ebp - 0x19], 0x5a
            //   c645e87c             | mov                 byte ptr [ebp - 0x18], 0x7c
            //   c645e92a             | mov                 byte ptr [ebp - 0x17], 0x2a

        // Conditional jump, two loads from a large stack frame (> 0x800 bytes
        // of locals) and an add of 2; what the +2 step walks over is not
        // established by this snippet.
        $sequence_1 = { 7459 8b8d8cf7ffff 8b85b8f7ffff 83c002 }
            // n = 4, score = 100
            //   7459                 | je                  0x5b
            //   8b8d8cf7ffff         | mov                 ecx, dword ptr [ebp - 0x874]
            //   8b85b8f7ffff         | mov                 eax, dword ptr [ebp - 0x848]
            //   83c002               | add                 eax, 2

        // Stack cleanup after a call, null check on ecx, then an address
        // computed at offset 0x23 from ecx; the meaning of that offset is not
        // established here.
        $sequence_2 = { 83c404 85c9 0f8484020000 8d4123 }
            // n = 4, score = 100
            //   83c404               | add                 esp, 4
            //   85c9                 | test                ecx, ecx
            //   0f8484020000         | je                  0x28a
            //   8d4123               | lea                 eax, [ecx + 0x23]

        // Null check on edx followed by loading the constant 0xb21642c9 into
        // eax — looks like a magic multiplier for division by a constant
        // (reciprocal multiplication); verify in the disassembly.
        $sequence_3 = { 85d2 0f8463000000 8b8c24bc000000 b8c94216b2 }
            // n = 4, score = 100
            //   85d2                 | test                edx, edx
            //   0f8463000000         | je                  0x69
            //   8b8c24bc000000       | mov                 ecx, dword ptr [esp + 0xbc]
            //   b8c94216b2           | mov                 eax, 0xb21642c9

        // Bytes 0x00, 0x25 ('%') and 0x75 ('u') written to adjacent stack
        // bytes starting at [ebp-0x568] — stack-string style construction;
        // presumably a format-string fragment, not confirmed here.
        $sequence_4 = { 8d8d98faffff c68598faffff00 c68599faffff25 c6859afaffff75 }
            // n = 4, score = 100
            //   8d8d98faffff         | lea                 ecx, [ebp - 0x568]
            //   c68598faffff00       | mov                 byte ptr [ebp - 0x568], 0
            //   c68599faffff25       | mov                 byte ptr [ebp - 0x567], 0x25
            //   c6859afaffff75       | mov                 byte ptr [ebp - 0x566], 0x75

        // Passes a stack buffer address (eax, pushed) plus ecx = esp to a
        // call whose 4-byte relative target is wildcarded so the pattern
        // survives relocation between builds.
        $sequence_5 = { 8d8424c0050000 8bcc 50 e8???????? }
            // n = 4, score = 100
            //   8d8424c0050000       | lea                 eax, [esp + 0x5c0]
            //   8bcc                 | mov                 ecx, esp
            //   50                   | push                eax
            //   e8????????           |                     

        // Loads one byte from [ebp+esi-0x23], zero-extends it and multiplies
        // by 0x1a (26), then reloads 26 into eax. A 26-element table or
        // modulus (e.g. an alphabet) is plausible but not established here.
        $sequence_6 = { 8a4435dd 0fb6c0 6bc81a b81a000000 }
            // n = 4, score = 100
            //   8a4435dd             | mov                 al, byte ptr [ebp + esi - 0x23]
            //   0fb6c0               | movzx               eax, al
            //   6bc81a               | imul                ecx, eax, 0x1a
            //   b81a000000           | mov                 eax, 0x1a

        // Four single-byte immediates written to adjacent stack slots
        // ([ebp-0x45] .. [ebp-0x42]) — same stack-string style as $sequence_0.
        $sequence_7 = { c645bb27 c645bc6d c645bd32 c645be6d }
            // n = 4, score = 100
            //   c645bb27             | mov                 byte ptr [ebp - 0x45], 0x27
            //   c645bc6d             | mov                 byte ptr [ebp - 0x44], 0x6d
            //   c645bd32             | mov                 byte ptr [ebp - 0x43], 0x32
            //   c645be6d             | mov                 byte ptr [ebp - 0x42], 0x6d

    /* At least 7 of the 8 sequences must be present and the scanned file must
     * be smaller than 879616 bytes. The size cap keeps scan cost and false
     * positives down, but it also means files at or above that size — e.g. a
     * build of the same code with extra data appended — are not matched by
     * this rule at all. Treat the cap as a coverage limit, not as a
     * property of the family, and pair the rule with other telemetry.
     */
    condition:
        7 of them and filesize < 879616
}