Crimeware

Enter the Dragon (RaaS)


Those of us who have seen The Godfather are familiar with the concept of the “Five Families of Crime.” However, very few of us know that there are “Five Families of Crimeware.” One of these organizations has been linked to a string of recent cybersecurity attacks, each causing millions of dollars in losses, over the last three months. Experts note that these attacks are particularly sophisticated, befitting a member of the five families. This provocatively named Ransomware-as-a-Service operation is called “Dragon,” and it has a penchant for targeting critical infrastructure.

According to experts, members of Dragon are using a custom-built command and control framework that has enabled them to evade traditional network security monitoring. Historically, this kind of sophisticated attack has only been observed from black hat actors backed by a nation state. It is also worth noting that members of Dragon are uncommonly patient, having remained undetected in targeted environments for an average of roughly 26 days before deploying their ransomware. This means that not only does Dragon have the resources to carry out devastating attacks, but they also have the resources to wait for their (on average) 3.4 million-dollar payouts.

As far as tactics, Dragon practices double extortion: it encrypts the victim's data and threatens to leak it unless the target pays the demanded ransom. And their targets vary: over the course of one year, they attacked more than 80 victims in the manufacturing, real estate and transportation industries. But what is perhaps most disconcerting is the fact that Dragon runs an affiliate program that offers “80% of the ransom to affiliates, along with tools for attack management and automation.” This allows affiliates (whom we might think of as street-level crooks) to create customized ransomware samples, disable security features, set encryption parameters and personalize ransom notes.

In a recent interview, the group attempted to position itself as “a revolutionary entity in the field of cybersecurity… [claiming] to pursue a mission combining ‘social justice’ and resistance to economic exploitation, targeting powerful entities while protecting the vulnerable.” However, in the same interview, the group claimed that they are “not directly politically motivated.” For this—and many other reasons—it is difficult to see how Dragon can cast themselves as Robin Hood when they are demanding ransoms in excess of three million dollars. After all, Robin Hood only had a bow and arrows. Dragon has an entire affiliate program carrying out their ransom attacks.