Researchers Break Down DragonForce Ransomware Along with a Decryptor for ESXi and Windows Systems

Emy Elsamnoudy
January 14, 2026

DragonForce ransomware has completed its shift from activity observed on underground forums to a full Ransomware-as-a-Service (RaaS) model. It now targets both Windows and VMware ESXi environments.

First seen on BreachForums in December 2023, the group advertises stolen data there and runs a dark-web leak blog to pressure victims. That early leak post was the first public sign of the new cartel-style operation.

The group built its payload from leaked LockBit 3.0 and Conti code, but tuned it for flexible, high-speed encryption across local disks and network shares.

Operators usually gain initial access through exposed Remote Desktop (RDP) servers, then use tools such as Cobalt Strike and SystemBC to move laterally before launching the ransomware. Impact ranges from encrypted file servers and virtual machines to stolen data staged for public release.

Post uploaded to BreachForums (Source - Medium)

S2W analysts identified a custom DragonForce build that hides nearly all of its strings behind a home-grown deobfuscation routine and uses ChaCha8 for file encryption, with RSA-4096 protecting the per-file keys.

Their research shows that command-line flags let affiliates choose local, network-only, or mixed modes, and even tune the partial-encryption ratio to speed up attacks. The analysis also traces the internal workflow from configuration decryption through process termination to file encryption.

DragonForce’s DLS as of December 2023 (Source - Medium)

During wider threat hunting, S2W researchers obtained a working decryptor for both Windows and ESXi systems, giving some victims a path to recovery without paying ransom.

The Windows tool looks for files with the .RNP extension, while the ESXi version checks for .RNP_esxi files that also end with a specific eight-byte magic value called build_key. The report also maps the full decryption chain, from RSA key loading through metadata parsing to file restoration.

DragonForce — we invite you to join our family (Source - Medium)

This complete technical breakdown gives defenders insight into DragonForce tools and recovery options.

Encryption and Decryption Workflow

On execution, the ransomware first decrypts its internal configuration using ChaCha8, then reads options such as encryption mode and target path.

Post announcing the migration of the RansomHub infrastructure to DragonForce (Source - Medium)

A common command line seen by S2W analysts is dragonforce.exe -m net -p C: -j 8: -m net selects network mode, -p C: sets the starting path, and -j 8 spreads the work across eight worker threads.
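That launch pattern is a reasonable hunting hook in process-creation telemetry, because the binary is routinely renamed but the flags are not. The Python below is an added example written for this article, not code from the S2W report. The events are constructed, and the mode keywords other than net (local and all) are assumed spellings for the local and mixed modes the article describes; the article itself only quotes the -m net form.

```python
import re
import shlex

# Mode keywords: "net" is quoted in the article; "local" and "all" are assumed
# spellings for the local and mixed modes it describes.
MODE_VALUES = {"local", "net", "all"}

# A target path: drive letter (C: or C:\...), UNC share (\\host\share), or a
# POSIX path as an ESXi build would take (assumed).
PATH_RE = re.compile(r"^(?:[A-Za-z]:(?:\\.*)?|\\\\[^\\]+\\.+|/.*)$")

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\dragonforce.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"dragonforce.exe -m net -p C: -j 8"},
    {"Image": r"C:\Users\Public\svchost.exe",          # renamed payload
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'svchost.exe -m all -p "\\fileserver\share" -j 16'},
    {"Image": r"C:\Program Files\7-Zip\7z.exe",        # benign: -p is a password here
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"7z.exe a -mx9 -p hunter2 backup.7z C:\data"},
    {"Image": r"C:\tools\make.exe",                    # benign: -j alone is a build flag
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"make.exe -j 8 all"},
]


def parse_flags(cmdline: str) -> dict:
    """Return the values following -m, -p and -j. posix=False tokenises
    Windows-style: backslashes stay literal and quotes stay attached."""
    tokens = shlex.split(cmdline, posix=False)
    flags = {}
    for i in range(len(tokens) - 1):
        if tokens[i] in ("-m", "-p", "-j"):
            flags[tokens[i]] = tokens[i + 1].strip('"')
    return flags


def classify(event: dict):
    """Return (is_match, reasons). A hit needs both a recognised mode and a
    path-like -p value; -j alone or -p alone is far too common elsewhere."""
    flags = parse_flags(event["CommandLine"])
    reasons = []
    mode = flags.get("-m", "").lower()
    path = flags.get("-p", "")
    threads = flags.get("-j", "")
    if mode in MODE_VALUES:
        reasons.append(f"encryption mode -m {mode}")
    if PATH_RE.match(path):
        reasons.append(f"target path -p {path}")
    if threads.isdigit():
        reasons.append(f"worker threads -j {threads}")
    is_match = mode in MODE_VALUES and bool(PATH_RE.match(path))
    return is_match, reasons


def hunt(events):
    """Filter an event stream down to launches matching the pattern, keyed on
    the command line rather than the image name, since affiliates rename the binary."""
    hits = []
    for ev in events:
        is_match, reasons = classify(ev)
        if is_match:
            hits.append({"image": ev["Image"], "parent": ev["ParentImage"],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["image"], "<-", hit["parent"], "|", "; ".join(hit["reasons"]))
```

Requiring both the mode and the path keeps the rule quiet on archivers and build tools that reuse -p or -j; pairing the hit with the parent image (cmd.exe or powershell.exe spawning an unsigned binary from a user-writable path) is the natural next triage step.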

DragonForce Ransomware Execution Flow (Source - Medium)

As it scans local and remote paths, DragonForce skips core system directories, then encrypts the selected files. For large virtual disk images it encrypts only chunks of the file rather than the whole, trading completeness for speed.

At the end of each file it appends 534 bytes of metadata: the ChaCha8 key and nonce encrypted with the RSA-4096 public key, plus flags recording the encryption mode, the partial-encryption ratio and the original file size.
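The decryptor's first job is to find its targets and locate that footer, and the same logic doubles as an incident-response triage script. The Python below is an added example written for this article, not the S2W decryptor. It walks a directory tree, picks out .RNP and .RNP_esxi files, checks the ESXi variant's trailing eight-byte marker, and carves the final 534 bytes as an opaque footer. An RSA-4096 ciphertext block is 512 bytes, which leaves 22 bytes for the flags, but the article does not give the field order, so the script deliberately does not parse inside the footer. The sample files it creates and the marker value BUILDKEY are constructed; the real build_key is per-build and is not published on the page.

```python
import os
import tempfile
from pathlib import Path

FOOTER_LEN = 534          # trailing metadata size reported by S2W
WINDOWS_EXT = ".RNP"
ESXI_EXT = ".RNP_esxi"
# Placeholder for the per-build eight-byte build_key (assumed value; the real
# one is not published).
BUILD_KEY = b"BUILDKEY"


def classify_file(path: Path):
    """Decide whether a file looks like DragonForce output and carve its footer."""
    name = path.name
    if name.endswith(ESXI_EXT):
        variant = "esxi"
    elif name.endswith(WINDOWS_EXT):
        variant = "windows"
    else:
        return None                               # not a candidate at all
    size = path.stat().st_size
    record = {"path": str(path), "variant": variant, "size": size}
    if size < FOOTER_LEN:
        record["status"] = "truncated"            # too short to hold the footer
        return record
    with path.open("rb") as fh:
        fh.seek(size - FOOTER_LEN)
        footer = fh.read(FOOTER_LEN)
    if variant == "esxi" and footer[-8:] != BUILD_KEY:
        record["status"] = "marker-mismatch"      # extension present, build_key absent
        return record
    record["status"] = "candidate"
    record["ciphertext_len"] = size - FOOTER_LEN  # bytes the decryptor would restore
    record["footer"] = footer                     # kept opaque: layout not on the page
    return record


def scan_tree(root: Path):
    """Walk root and return one record per candidate file plus a count by status."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rec = classify_file(Path(dirpath) / fname)
            if rec is not None:
                records.append(rec)
    summary = {}
    for rec in records:
        key = (rec["variant"], rec["status"])
        summary[key] = summary.get(key, 0) + 1
    return records, summary


def make_sample_tree(root: Path):
    """Write constructed files that mimic the on-disk artefacts (not real samples)."""
    (root / "docs").mkdir(parents=True)
    (root / "vmfs").mkdir()
    body = bytes(range(256)) * 8                  # 2048 bytes of stand-in ciphertext
    generic_footer = b"\x00" * FOOTER_LEN
    esxi_footer = b"\x00" * (FOOTER_LEN - 8) + BUILD_KEY
    (root / "docs" / "report.docx.RNP").write_bytes(body + generic_footer)
    (root / "docs" / "short.RNP").write_bytes(b"\x01" * 100)         # interrupted write
    (root / "docs" / "notes.txt").write_bytes(b"plain text, untouched")
    (root / "vmfs" / "vm-flat.vmdk.RNP_esxi").write_bytes(body * 64 + esxi_footer)
    (root / "vmfs" / "stale.RNP_esxi").write_bytes(body + generic_footer)  # no build_key


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_tree(root)
        records, summary = scan_tree(root)
        candidates = {Path(r["path"]).name: r["ciphertext_len"]
                      for r in records if r["status"] == "candidate"}
        return summary, candidates


if __name__ == "__main__":
    print(demo())
```

Files flagged truncated or marker-mismatch deserve attention during recovery: a footer that was never fully written cannot yield its key and nonce, and an ESXi file that carries the extension but not the build_key is either from a different build or was never processed by this payload, so neither will decrypt with the matching private key.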

Tags: Attack, Breach, Malware, ransomware, Threat

All Rights Reserved by HackersRadar ©2026