Dragon RaaS, a ransomware group blending hacktivism and cybercrime, has become a key player in the “Five Families” syndicate, alongside ThreatSec, GhostSec, Blackforums, and SiegedSec.
Emerging in July 2024 as an offshoot of Stormous, Dragon RaaS is known for its aggressive tactics and geopolitical motivations.
All about Dragon RaaS
Dragon RaaS grew out of Stormous, a group active since 2021 that targets organizations it regards as hostile to Russia. Stormous is itself a member of the “Five Families” syndicate and has taken part in ransomware operations such as GhostLocker and StormCry.
Dragon RaaS launched its Telegram channel in July 2024 and introduced its ransomware platform in October 2024.
According to SentinelOne, the platform advertises a web-based portal, privacy-focused operations, and fast encryption. Despite this sophisticated image, Dragon RaaS mostly hits smaller organizations with weak security, combining website defacements with ransomware extortion.
Dragon RaaS gains initial access through vulnerability exploitation, brute-force attacks, and compromised credentials, typically against WordPress themes and plugins, LiteSpeed web servers, and cPanel instances.
Exploited flaws include CVE-2024-3806 through CVE-2024-3809 in the Porto WordPress theme and CVE-2022-0073 and CVE-2022-0074 in LiteSpeed. Once inside, the group drops a PHP webshell (the dragon.php and stormous.php files listed in the indicators below) for persistent backdoor access and uses it to deliver the ransomware.

The encryptor is a modified StormCry build using AES-256. Although the group advertises it as a new strain, observed attacks are StormCry under a different name, with near-identical ransom notes and demands.
To protect against Dragon RaaS and similar threats, organizations should harden public-facing applications, enforce strong password policies, and deploy endpoint security capable of blocking the group's tooling.
Keep WordPress (including themes and plugins), cPanel, and LiteSpeed patched, since the CVEs above are the group's preferred entry points. Require multi-factor authentication and strong, unique passwords on management interfaces such as cPanel and the LiteSpeed WebAdmin console, which are the targets of its brute-force attempts. Solutions like SentinelOne can detect and block the tactics used by these groups.
Indicators of Compromise
SHA1
111caef54a6bb02a11d8c6f923e5c8b1f2323eb3 | StormCry
1b4b4e910bfd31f5f3f2f3a269bf2c994978b78a | Dragon RaaS / Dragon Team (Python)
2a720281cd869c1aaaca430a96cf980f623e0f76 | dragon.php (PHP webshell)
3afd36e7e837d7216bdb48e466f8dcd5f2b169b6 | StormCry (Python)
aa62afd6a48d3c42ed66d4f5b9189be847ec055b | stormous.php (PHP webshell)
Telegram IDs
@StormousBot
@DragonRansom
Network (Domains)
jso-tools.z-x.my[.]id | JSO Injection
BTC Addresses
15dr6tJzJ2gXGJiYCtbr82yphEqhmaB8Mk
15W7LH9m4E1NaSCDCx2ovtfpugRwDztXj5
16fbxX2mrxUjbhkk2DamrzTiGN6JXhQsAu
17eiCc9BrhaqHLzvrqDNUVmVy4FUSoCT6f
1ADPdFTmjv4VSdHijjSAsDUKpBu4UuvaN1
1CA54B1kFjdXmFKNKv3W3KDRRGcW6r1pXP
1DxKVoke5Pb3UBfgUyJb4SHDNv95bCzAD8
1DzX3w6Fb8yd78UMnWxfjnPQ14jWpEtVSA
1G22LYkNAseuLRYxD2BVM8WYorc8w6cj8b
1G8jFCESzwWztfBJP7Ev23R4t9SFkPkZ5S
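The file hashes and webshell names above are only useful if something actually looks for them on the hosts the group targets. The script below is an added example for this page, not SentinelOne's or the group's code. It walks a WordPress document root and reports three things: files whose SHA1 matches an indicator from the list above, files named dragon.php or stormous.php, and any PHP file sitting under wp-content/uploads or wp-content/cache. The SHA1 values and filenames are taken from this page; the "PHP under an uploads directory" heuristic is a general webshell-hunting check assumed by the example, not a finding the page reports. The sample webroot it scans is constructed inline so the script runs offline.

```python
"""Hunt a WordPress document root for the Dragon RaaS / Stormous indicators.

Added example for this page; it is not SentinelOne's or the group's code.
The SHA1 values and webshell filenames come from the IoC list above. The
"PHP under wp-content/uploads" heuristic is a general webshell-hunting check
and is an assumption of this example, not a finding reported on the page.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA1 indicators copied from the IoC list on this page.
IOC_SHA1 = {
    "111caef54a6bb02a11d8c6f923e5c8b1f2323eb3": "StormCry",
    "1b4b4e910bfd31f5f3f2f3a269bf2c994978b78a": "Dragon RaaS / Dragon Team (py)",
    "2a720281cd869c1aaaca430a96cf980f623e0f76": "dragon.php (PHP webshell)",
    "3afd36e7e837d7216bdb48e466f8dcd5f2b169b6": "StormCry (py)",
    "aa62afd6a48d3c42ed66d4f5b9189be847ec055b": "stormous.php (PHP webshell)",
}

# Webshell filenames from the IoC list. Operators rename files, so this is a
# weak indicator on its own and is ranked below a hash match.
IOC_FILENAMES = {"dragon.php", "stormous.php"}

# WordPress paths that should only ever hold static content. Any PHP here is
# suspicious regardless of hash (assumption: a standard hunting heuristic).
NO_PHP_DIRS = ("wp-content/uploads/", "wp-content/cache/")
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def sha1_of(path: Path) -> str:
    """Stream the file so large uploads are not read into memory at once."""
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_webroot(root, ioc_hashes=IOC_SHA1):
    """Return sorted (relative_path, reason, detail) tuples for every hit.

    Each file gets at most one reason, checked from strongest (hash match)
    to weakest (PHP in a static-content directory).
    """
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        digest = sha1_of(path)
        if digest in ioc_hashes:
            findings.append((rel, "ioc_hash", ioc_hashes[digest]))
        elif path.name.lower() in IOC_FILENAMES:
            findings.append((rel, "ioc_filename", path.name))
        elif path.suffix.lower() in PHP_SUFFIXES and rel.startswith(NO_PHP_DIRS):
            findings.append((rel, "php_in_static_dir", rel))
    return sorted(findings)


def build_demo_webroot() -> Path:
    """Constructed sample tree (not a real compromise) that exercises every rule."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    files = {
        "wp-content/themes/porto/style.css": "/* benign theme asset */\n",
        "wp-content/uploads/2024/image.jpg": "not really a jpeg, just sample bytes\n",
        "wp-content/uploads/2024/shell.php": "<?php @eval($_POST['c']); ?>\n",
        "wp-includes/dragon.php": "<?php /* contents changed, filename still matches */ ?>\n",
        "wp-admin/known-bad.txt": "constructed content standing in for a known sample\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


def demo():
    """Scan the constructed tree, treating one constructed file as a known hash."""
    root = build_demo_webroot()
    # The real samples are not on disk here, so extend the IoC set with the
    # constructed file's hash purely to show the hash-match path firing.
    hashes = dict(IOC_SHA1)
    hashes[sha1_of(root / "wp-admin/known-bad.txt")] = "constructed test sample"
    return scan_webroot(root, hashes)


if __name__ == "__main__":
    for rel, reason, detail in demo():
        print(f"{reason:18} {rel}  ({detail})")
```

On a real host, point scan_webroot at the document root (for cPanel accounts usually ~/public_html) and review hash matches first, then filename matches, then stray PHP in upload directories; the last category produces occasional false positives from poorly written plugins, so confirm before deleting. The script covers the WordPress part of the group's tradecraft only; LiteSpeed and cPanel exposure is a matter of patching and access control, not file hunting.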