EXECUTIVE SUMMARY
Dragon RaaS is a ransomware group that positions itself between activism and financial crime. It operates under various names and originates from a larger cybercrime network. While it presents itself as a structured ransomware service, its attacks often involve website defacement and opportunistic breaches rather than full-scale extortion. The group primarily targets smaller entities with weak security, gaining access through misconfigured systems, brute-force attempts, and stolen credentials. Its activities are most prominent in several regions, and its tactics are promoted through online channels associated with the larger cybercrime network. The group recently announced the launch of its ransomware platform, highlighting features such as an easy-to-use interface, strong encryption, and a customizable builder for its payloads.
The group relies on several techniques to gain initial access, including exploiting software flaws, credential attacks, and weak system settings. It frequently abuses vulnerabilities in website management platforms and web servers, deploying malicious scripts that provide ongoing access and encryption capabilities. It also takes advantage of exposed hosting panels to target multiple sites at once, allowing for widespread impact. The ransomware includes both a Windows-based encryptor and a web-based encryption tool, both built on earlier ransomware strains from the same cybercrime network. The web-based variant enables attackers to encrypt files and display ransom demands directly on compromised sites, while the Windows version is a repackaged version of an older encryptor with minor modifications to its branding and functionality.
The Windows variant works by scanning systems for files to encrypt, targeting a range of document and media formats while excluding key system directories. It encrypts each file with its own unique key and then locks those per-file keys with an attacker-controlled key, so recovery depends on material only the attacker holds. Despite efforts to rebrand, traces of the previous ransomware operation remain in the code, including references to older ransom demands and communication channels. Payment demands and victim communications are handled through previously established methods, linking this ransomware closely to earlier campaigns. The similarities between the two versions indicate that the group is repurposing existing tools rather than creating new threats, reinforcing its focus on accessibility and rapid deployment rather than technical advancement.
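A defender-side hunt for the web-based encryptor behaviour described above (a server-side script that walks the file system, encrypts files and displays a ransom demand), added here as an example and not taken from the report. The indicator regexes, the sample web root, its file names and their contents are all constructed assumptions for illustration, not indicators from the report.

```python
"""Heuristic hunt for a web-based encryptor script in a web root (added example)."""
import os
import re
import tempfile

# A file must match at least one regex in EVERY group to be reported.
# These patterns are assumptions for illustration, not signatures from the report.
INDICATOR_GROUPS = {
    "walks_filesystem": [r"\bscandir\s*\(", r"\bRecursiveDirectoryIterator\b", r"\bglob\s*\("],
    "encrypts": [r"\bopenssl_encrypt\s*\(", r"\bsodium_crypto_\w+\s*\("],
    "ransom_note": [r"(?i)your files (have been|are) encrypted", r"(?i)\bbitcoin\b|\bbtc\b"],
}

def score_php_file(text):
    """Return the set of indicator group names matched by the file contents."""
    return {name for name, pats in INDICATOR_GROUPS.items()
            if any(re.search(p, text) for p in pats)}

def hunt_web_root(root, max_bytes=2_000_000):
    """Walk `root`; return {path: matched_groups} for PHP files matching every group."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the hunt
            groups = score_php_file(text)
            if groups == set(INDICATOR_GROUPS):
                hits[path] = groups
    return hits

def demo():
    """Build a constructed web root with one benign and one suspicious script, then hunt it."""
    root = tempfile.mkdtemp(prefix="webroot_")
    benign = "<?php $f = glob('*.jpg'); foreach ($f as $x) echo $x; ?>"  # walks only
    suspicious = ("<?php foreach (scandir('.') as $f) { "
                  "$c = openssl_encrypt(file_get_contents($f), 'aes-256-cbc', $k, 0, $iv); }"
                  " echo 'Your files have been encrypted. Pay in Bitcoin.'; ?>")
    with open(os.path.join(root, "gallery.php"), "w") as fh:
        fh.write(benign)
    os.makedirs(os.path.join(root, "assets", "uploads"))
    with open(os.path.join(root, "assets", "uploads", "cache.php"), "w") as fh:
        fh.write(suspicious)  # constructed sample, written under an upload path
    return root, hunt_web_root(root)
```

Treat a hit as a lead for manual review (check file ownership, modification time and the web server's access log for the upload path), not as a confirmed compromise.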
THREAT PROFILE:
Tactic               | Technique ID | Technique
---------------------|--------------|--------------------------------------
Initial Access       | T1078        | Valid Accounts
Initial Access       | T1190        | Exploit Public-Facing Application
Initial Access       | T1133        | External Remote Services
Execution            | T1059        | Command and Scripting Interpreter
Execution            | T1204        | User Execution
Persistence          | T1505        | Server Software Component
Persistence          | T1078        | Valid Accounts
Privilege Escalation | T1068        | Exploitation for Privilege Escalation
Defense Evasion      | T1036        | Masquerading
Defense Evasion      | T1140        | Deobfuscate or Decode Files
Credential Access    | T1110        | Brute Force
Discovery            | T1083        | File and Directory Discovery
Lateral Movement     | T1021        | Remote Services
Impact               | T1486        | Data Encrypted for Impact
Impact               | T1491        | Defacement
REFERENCES:
The following reports contain further technical details: