CERT | CTI | Malware | Ransomware

Threat Intelligence report – 05/08

Lefebvre Fabien (CTI) Antoine Mevel (CTI)

Abstract

This report highlights recent cyber threats including a stealthy Linux backdoor (Plague), an actively exploited CrushFTP vulnerability, and ransomware trends with a focus on Dragonforce. Indicators of compromise and detection rules are provided to assist defenders.

CERT

Plague: a Linux backdoor that went undetected for a year

Nextron Systems recently discovered a backdoor that went completely undetected on VirusTotal for a year. The backdoor, named “Plague” by Pierre-Henri Pezier, targets PAM (Pluggable Authentication Modules), the centralised authentication framework used by Linux applications, by adding a backdoor password to the authentication mechanism.

A YARA rule and a list of SHA256 hashes are available in the Nextron Systems post to help detect Plague.
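As an added example (not code from the report or from Nextron Systems), the Python below audits the PAM modules that /etc/pam.d actually references against SHA256 hashes recorded on a known-clean host, which is how a rogue or modified module of the Plague kind shows up. The directories in DEFAULT_MODULE_DIRS, the baseline and the sample pam.d tree are assumptions built for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path
DEFAULT_MODULE_DIRS = ["/lib/security", "/lib64/security", "/usr/lib/x86_64-linux-gnu/security"]  # assumed

def referenced_modules(pamd_dir):
    """Module paths named by the service files under pamd_dir. A PAM line reads
    [-]type control module-path [args]; control may be bracketed and contain spaces."""
    mods = set()
    for svc in (p for p in Path(pamd_dir).iterdir() if p.is_file()):
        for raw in svc.read_text(errors="replace").splitlines():
            tokens = raw.split("#", 1)[0].split()
            if len(tokens) < 3 or tokens[0].startswith("@"):  # blank, comment, @include
                continue
            idx = 2  # module path follows the control field
            if tokens[1].startswith("["):  # bracketed control such as [success=1 default=ignore]
                idx = 1 + next((i for i, t in enumerate(tokens[1:], 1) if t.endswith("]")), len(tokens))
            if idx < len(tokens):
                mods.add(tokens[idx])
    return mods

def audit_pam(pamd_dir, baseline, module_dirs=DEFAULT_MODULE_DIRS):
    """Classify each referenced module as ok / modified / unknown / missing;
    baseline maps module filename -> SHA256 recorded on a known-clean host."""
    findings = {}
    for mod in sorted(referenced_modules(pamd_dir)):
        paths = [Path(mod)] if mod.startswith("/") else [Path(d) / mod for d in module_dirs]
        path = next((p for p in paths if p.is_file()), None)
        name = Path(mod).name
        if path is None:
            findings[mod] = "missing"
        elif name not in baseline:
            findings[mod] = "unknown"  # referenced, but never seen on the clean host
        elif hashlib.sha256(path.read_bytes()).hexdigest() != baseline[name]:
            findings[mod] = "modified"
        else:
            findings[mod] = "ok"
    return findings

def build_sample_tree():
    """Constructed sample, not real data: clean, modified, unknown and missing modules."""
    root = Path(tempfile.mkdtemp()); (root / "pam.d").mkdir(); (root / "security").mkdir()
    (root / "pam.d" / "sshd").write_text("@include common-account\n"
        "auth [success=1 default=ignore] pam_unix.so nullok\nauth required pam_deny.so\n"
        "session optional pam_rogue.so\naccount required pam_nologin.so\n")
    for name, data in [("pam_unix.so", b"clean"), ("pam_deny.so", b"tampered"), ("pam_rogue.so", b"rogue")]:
        (root / "security" / name).write_bytes(data)
    baseline = {"pam_unix.so": hashlib.sha256(b"clean").hexdigest(),
                "pam_deny.so": hashlib.sha256(b"original").hexdigest()}
    return str(root / "pam.d"), [str(root / "security")], baseline
```

On a real host, run audit_pam("/etc/pam.d", baseline) with a baseline exported from a clean reference system; anything reported as unknown or modified deserves the Nextron YARA rule and hash list.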

CVE-2025-54309 (RCE in CrushFTP)

CrushFTP is a file transfer server used on tens of thousands of public-facing servers worldwide.

A vulnerability affecting versions 10 to 10.8.5 and 11 to 11.3.4_23 was discovered in July this year and is being actively exploited by attackers to gain admin access on the server. The CVE has a CVSS score of 9.8.

According to the vendor, using a DMZ CrushFTP instance mitigates the risk. A list of IOCs is provided by the vendor.

Ransomware

Victims around the world (23/07 – 06/08)

This interactive world map highlights the distribution of ransomware victims; hovering over a country reveals the list of known victims for the last two weeks.

(Data from Ransomfeed)

Most targeted sectors (23/07 – 06/08)

This graph displays the distribution of ransomware victims by industry sector.

Legal & professional services remains the most targeted sector even though it is on a downward trend. It is followed by technology, construction and engineering.

(Data from Ransomfeed)

Group ranking based on activity (08/07 – 22/07)

Qilin remains the most active ransomware group. A slow comeback from Dragonforce (previously known as Ransomhub) can be noticed. A detailed report on this group is available below.

Rank  Name          Number of victims
1     qilin         20
2     incransom     18
3     beast         16
3     akira         16
5     dragonforce   13
6     global        12
7     safepay       11
7     lynx          11
9     everest       10
10    play           8

(Data from Ransomfeed)

Focus on Dragonforce

With over 200 victims since 2023, Dragonforce is now a veteran among ransomware groups.

In early 2025, Dragonforce joined forces with Ransomhub, which was the most popular ransomware group at the time. This merger is visible in the increase in activity since April.

Despite the name, the group is unrelated to the DragonForce Malaysia hacking group.

(Data from Ransomfeed)

Western companies are their primary targets, especially the US with a total of 131 victims.

(Data from Ransomfeed)

Companies in the legal and professional services sector are the most targeted by Incransom.

(Data from Ransomfeed)

The blog features a list of their victims and links to the stolen data. It seems that the group allows its victims 8 days to pay before leaking their data.

The ransom ranges between $100,000 and $1,500,000 depending on the financial capabilities of the company.

IOCs

SHA256


Ransom note

Good afternoon, 

As you can see you have been attacked by a ransomware program! We The DragonForce Ransomware Cartel offer you to make a deal with us. We can make a deal with you, all you need to do is contact us by following the instructions below. 
We are in no way connected to politics, we always keep our word. You have a chance to decrypt your files and avoid being published on our blog! Use this opportunity and also don't waste your time. 
The approximate date of deletion of the decryptor program, as well as publication on our blog 17/06/2025 00:00 UTC.

- # 1 Communication Process, 

	In order to contact us you need to click on the special link below, which is listed in #2. 
	After that the negotiation process begins, in which you have the opportunity to request several things from us, 
		
		1. make a test decrypt.
		2. get a list of the files stolen from you.
		
	At the conclusion of our negotiations we agree on a price, we set the price ourselves based on your income/your insurance. 
	We scrutinize your documents and are well aware of how much income your company has per year.

- # 2 Access to the meeting room, 

	To access us please download Tor Browser which is available here. (https://www.torproject.org/)
	Once you download the special anonymous browser you need to follow this link, http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
	Your unique ID: <CENSORED> - use it to enter our meeting room. 

- # 3 Additional Support Contacts, 

	Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20

- # 4 Recommendations, 

	Do not try to recover your files with third-party programs, you will only do harm.
	Do not turn off / reboot your computer.
	Be courteous in our meeting room. 
	Do not procrastinate. 

- # 5 Blog and News,

	Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
	DragonNews: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/news

Extension

.dragonforce_encrypted

Detection rules

Yara

import "pe"

rule DragonForce: ransomware incransom {
    meta:
        author = "TEHTRIS - Lefebvre Fabien"
        description = "Detects IncRansom ransomware"
        sha256 = "['1ccf8baf11427fae273ffed587b41c857fa2d8f3d3c6c0ddaa1fe4835f665eba']"
    strings:
        // 13-iteration x86 loop rewriting each byte b as ((15*b - 15) rem ebx + 0x7f) rem ebx
        $deobfuscate_str = {
            8a 44 35 9d
            0f b6 c8
            8b c1
            c1 e0 04
            2b c1
            83 e8 0f
            99
            f7 fb
            8d 42 7f
            99
            f7 fb
            88 54 35 9d
            46
            83 fe 0d
            72 dc
            8b
        }
    condition:
        pe.is_pe and all of them
}
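Added analyst aid, not code from the report: a Python replay of the x86 loop that the hex pattern in the YARA rule above matches, usable to recover the strings that loop transforms from a memory dump or a disassembly. The loop's modulus lives in ebx and is not part of the pattern; 127 is an assumption (it makes the +0x7f step a sign fix and confines the output to ASCII), and the inverse map named obfuscate exists only to round-trip test the decoder.

```python
def trunc_rem(a, b):
    """Remainder with the sign of the dividend, as x86 idiv leaves it in edx."""
    r = abs(a) % abs(b)
    return r if a >= 0 else -r

def deobfuscate(buf, divisor=127, length=13):
    """Replay the loop matched by $deobfuscate_str on the first `length` bytes.

    Per byte b (movzx, so 0..255):
        eax = 16*b - b - 0xf        shl eax,4 ; sub eax,ecx ; sub eax,0xf
        edx = eax rem divisor       cdq ; idiv ebx
        eax = edx + 0x7f            lea eax,[edx+0x7f]
        edx = eax rem divisor       cdq ; idiv ebx   -> written back (mov [..],dl)
    The pattern fixes the 13-byte length (cmp esi,0xd); divisor 127 is assumed.
    """
    out = bytearray(buf)
    for i in range(min(length, len(out))):
        r1 = trunc_rem(15 * out[i] - 15, divisor)
        out[i] = trunc_rem(r1 + 0x7F, divisor) & 0xFF
    return bytes(out)

def obfuscate(buf, divisor=127):
    """Inverse of deobfuscate, used here only to round-trip test it. Valid when
    0x7f is a multiple of divisor (true for 127): deobfuscate is then the affine
    map c -> 15*(c-1) mod 127, whose inverse is p -> (p*15^-1 + 1) mod 127."""
    inv15 = pow(15, -1, divisor)  # modular inverse of 15 (Python 3.8+)
    return bytes((b * inv15 + 1) % divisor for b in buf)
```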