DragonForce Ransomware Evolves with BYOVD Techniques
The Acronis Threat Research Unit (TRU) has identified a new DragonForce ransomware variant that shows advanced technical sophistication and organizational structure. The updated malware uses Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security software and terminate protected processes, and it fixes encryption flaws present in earlier builds.

DragonForce originally emerged in 2023 and rebranded itself as a 'cartel' in early 2025, attracting affiliates with customizable encryptors and access to its infrastructure. The group has become more aggressive, increasing its global victim postings and expanding its collaborations, notably in a joint attack with the Scattered Spider intrusion group.

Acronis analysts observed that the latest DragonForce binaries are significantly larger, suggesting a change in the development toolchain. The new builds, compiled with MinGW, consolidate the group's multi-platform ransomware codebase. Despite the updated framework, the codebase remains rooted in Conti's leaked source and reuses functions such as InitializeApiModule and DisableHooks.

The ransomware's configuration file lets affiliates define custom extensions, blacklists, and process kill lists, which include Microsoft Defender and SQL services. Most notably, the use_sys flag activates BYOVD process termination, loading the Truesight and BadRentdrv2 drivers to forcibly kill antivirus and EDR software. Acronis TRU also identified links between DragonForce and a new ransomware family known as Devman, whose samples were built using DragonForce's builder and infrastructure.