Why DragonForce Ransomware Is More Dangerous Than Ever With Scattered Spider Support

VTA-004544 – Why DragonForce Ransomware Is More Dangerous Than Ever With Scattered Spider Support

Recent analysis by the Acronis Threat Research Unit reveals that the DragonForce ransomware group has evolved into a full-scale “ransomware cartel,” leveraging a white-label RaaS model that allows affiliates to deploy customizable payloads across Windows, Linux and ESXi environments. Instead of relying on a single operator, the cartel now functions as a shared ecosystem where affiliates can use DragonForce’s infrastructure, encryption modules and extortion platform while branding their own variants.

What sets this campaign apart is DragonForce’s collaboration with Scattered Spider, one of the most notorious social-engineering-driven intrusion groups. Scattered Spider specializes in credential theft through phishing, vishing and SIM-swapping, followed by MFA bypass techniques such as MFA fatigue or enrolling attacker-controlled devices. Once inside, they deploy remote management tools (AnyDesk, TeamViewer, Splashtop) to maintain persistent access and begin extending their foothold across the network.

In the latest wave of activity, Scattered Spider has incorporated AWS Systems Manager Inventory as part of its reconnaissance and lateral movement strategy. The group leverages SSM Inventory to enumerate cloud assets, discover additional targets, and map out systems that may contain sensitive data or administrative privileges. After collecting this information, they use extract, transform, load (ETL) techniques to aggregate host data, credentials and system metadata into a centralized repository. This dataset is then exfiltrated to attacker-controlled cloud storage, typically MEGA or Amazon S3 buckets, which makes detection harder because the traffic resembles legitimate cloud activity.

With reconnaissance and data theft completed, Scattered Spider hands off to DragonForce, which deploys its ransomware payload. The group increasingly uses Bring Your Own Vulnerable Driver (BYOVD) techniques, loading vulnerable drivers to disable endpoint security before encryption begins. The ransomware payload is fully configurable, enabling affiliates to specify file extensions, choose encryption behavior and target or skip specific services. Combined with cloud-assisted reconnaissance and social-engineering-based initial access, this multi-stage attack chain allows the DragonForce cartel to execute high-impact, highly orchestrated ransomware operations across hybrid cloud and on-premises environments.

Severity:
Medium

Attack Surface:
Cloud Service, Endpoint, Infrastructure, Server OS

Tactics:
Collection, Credential Access, Defense Evasion, Discovery, Exfiltration, Impact, Initial Access

Techniques:
T1078 – Valid Accounts
T1098 – Account Manipulation
T1069 – Permission Group Discovery
T1082 – System Information Discovery
T1217 – Browser Information Discovery
T1114 – Email/Communication Collection
T1041 – Exfiltration Over C2 Channel
T1486 – Data Encrypted for Impact
T1562 – Disable Security Tools
T1021 – Remote Services

References:
1. https://www.acronis.com/en/tru/posts/the-dragonforce-cartel-scattered-spider-at-the-gate/

Indicator of Compromise:
1. https://otx.alienvault.com/pulse/6930f774fc0206d16721c22b

SuperPRO’s Threat Countermeasures Procedures:
1. Enable AWS CloudTrail + GuardDuty for SSM Inventory activity monitoring.
2. Disable unused AWS Systems Manager permissions or enforce least privilege IAM roles.
3. Apply Windows 10/11 and Server 2019/2022 patches for BYOVD-related driver exploitation.
4. Block installation of remote access tools (TeamViewer, AnyDesk, Splashtop) using application allow-listing.
5. Detect and block vulnerable driver loading via endpoint protection targeting known BYOVD drivers like truesight.sys and rentdrv2.sys.
6. Implement phishing-resistant MFA such as FIDO2 hardware keys to prevent SIM-swapping & MFA fatigue.
7. Segment ESXi hosts in separate VLANs and enable ESXi Lockdown Mode.
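As an added detection example supporting countermeasure 1 (this is not code from the advisory or from Acronis), the following Python flags bursts of SSM Inventory API calls in CloudTrail records issued by any principal other than the account's expected collector role. The account ID, ARNs, IPs and events are constructed sample data, and the trusted-prefix list is an assumption about how the account's scheduled inventory collection is set up.

```python
from collections import defaultdict
from datetime import datetime

# Real SSM API actions used to enumerate managed hosts and read inventory data.
SSM_INVENTORY_ACTIONS = {"DescribeInstanceInformation", "GetInventory", "GetInventorySchema",
                         "ListInventoryEntries", "PutInventory", "DeleteInventory"}

def flag_ssm_inventory_bursts(records, trusted_prefixes, threshold=3, window_s=600):
    """Return {principal ARN: [event names]} for principals outside the trusted ARN
    prefixes that issued >= threshold SSM Inventory calls within window_s seconds."""
    by_principal = defaultdict(list)
    for ev in records:
        if ev.get("eventSource") != "ssm.amazonaws.com":
            continue
        if ev.get("eventName") not in SSM_INVENTORY_ACTIONS:
            continue
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        if any(arn.startswith(p) for p in trusted_prefixes):
            continue  # the account's own scheduled inventory collector (assumed setup)
        # CloudTrail eventTime is ISO-8601 UTC, e.g. 2025-01-15T09:02:11Z
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_principal[arn].append((ts, ev["eventName"]))
    findings = {}
    for arn, calls in by_principal.items():
        calls.sort()  # sliding window over chronologically ordered calls
        for i in range(len(calls) - threshold + 1):
            if (calls[i + threshold - 1][0] - calls[i][0]).total_seconds() <= window_s:
                findings[arn] = [name for _, name in calls]
                break
    return findings

def _ev(time, name, arn, ip, source="ssm.amazonaws.com"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip}
# Constructed sample: a help-desk user enumerates hosts and pulls inventory within minutes,
# while the scheduled collector role and a single admin query are benign.
ACCOUNT = "111122223333"
HELPDESK = f"arn:aws:iam::{ACCOUNT}:user/helpdesk-contractor"
ADMIN = f"arn:aws:iam::{ACCOUNT}:user/cloud-admin"
COLLECTOR = f"arn:aws:sts::{ACCOUNT}:assumed-role/InventoryCollector/i-0abc123"
TRUSTED_PREFIXES = [f"arn:aws:sts::{ACCOUNT}:assumed-role/InventoryCollector/"]
SAMPLE_EVENTS = [
    _ev("2025-01-15T09:00:05Z", "DescribeInstanceInformation", HELPDESK, "203.0.113.7"),
    _ev("2025-01-15T09:01:40Z", "GetInventory", HELPDESK, "203.0.113.7"),
    _ev("2025-01-15T09:03:12Z", "ListInventoryEntries", HELPDESK, "203.0.113.7"),
    _ev("2025-01-15T09:04:50Z", "GetInventory", HELPDESK, "203.0.113.7"),
    _ev("2025-01-15T09:02:00Z", "PutInventory", COLLECTOR, "10.0.1.25"),
    _ev("2025-01-15T09:05:00Z", "GetInventory", ADMIN, "198.51.100.9"),
    _ev("2025-01-15T09:06:00Z", "DescribeInstances", ADMIN, "198.51.100.9", "ec2.amazonaws.com"),
]
```

In production the records would come from the CloudTrail S3 log objects or a SIEM export rather than the inline sample, and the threshold and window should be tuned against the account's normal inventory cadence.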

Contributed by: Thivya