Water Tambanakua
Water Tambanakua is the threat group behind the DragonForce ransomware operation, as tracked by Trend Micro. DragonForce was first identified in August 2023 and operated as a private group until June 2024, when it advertised an affiliate program on the Russian-language RAMP forum and offered affiliates 80% of ransom payments. In March 2025, DragonForce announced a shift to a “ransomware cartel” model, encouraging affiliates to create their own brands while using DragonForce tooling. In August 2025, it reportedly launched an affiliate-facing “data analysis service” to generate tailored extortion materials, including call scripts, draft letters to management, and pseudo legal analysis/advice reports, for victims with at least $15 million in annual revenue.

DragonForce uses a double-extortion model combining file encryption with data theft and threats to publish stolen data on Tor-based leak sites. Reported tradecraft includes initial access via exposed public-facing remote desktop services and social engineering; persistence via valid accounts, Registry Run Keys, new system processes, services, and scheduled tasks; and lateral movement via RDP and post-exploitation tooling such as Cobalt Strike. Reported behaviors also include deleting Shadow Copies, killing running processes, and abusing digitally signed but vulnerable drivers via BYOVD (bring your own vulnerable driver). The group has used phone-based pressure tactics, including release of a recording of an intimidation call to a purported victim in June 2024.

DragonForce maintains two main ransomware variants: one based on the leaked LockBit 3.0 builder and another based on a Conti variant. The Conti-based variant reportedly uses the default extension ".dragonforce_encrypted", supports customizable extensions, generates a ChaCha8 key and IV per file using CryptGenRandom(), and supports command-line arguments including -p, -m, -log, -size, and -nomutex. Its encryption modes reportedly include FULL_ENCRYPT, PARTLY_ENCRYPT, and HEADER_ENCRYPT. The LockBit 3.0-based variant reportedly differs little from other variants built from the leaked LockBit 3.0 builder. DragonForce drops a ransom note per victim signed with a binary string translating to “DragonForce.”

From 01 Oct 2024 to 30 Sep 2025, DragonForce most frequently targeted the industrial sector, including manufacturing and construction and engineering, and the most frequent victim headquarters region was North America, followed by Europe. Reported associations include Conti, LockBit 3.0, DragonForce Malaysia, Ransombay, Ransomhub, BlackLock/Mamona, Qilin, Devman, and Scattered Spider. Reporting also links the group to BlackLock/Mamona activity and to Scattered Spider deployments of a DragonForce variant in retail. No nation-state attribution is stated in the reporting.
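As an added example (not from Trend Micro or from this page's source reporting), the following triage routine turns the Conti-based variant's reported artifacts into host-level findings: the default extension, the listed command-line arguments, and Shadow Copy deletion. The event schema, sample events, shadow-copy command patterns, and rename threshold are assumptions constructed for illustration; because the extension is customizable, the routine also counts any suffix appended to many files on one host.

```python
import re
from collections import Counter, defaultdict

DEFAULT_EXT = ".dragonforce_encrypted"                    # from the profile above
VARIANT_ARGS = {"-p", "-m", "-log", "-size", "-nomutex"}  # from the profile above
# Assumption: common Windows shadow-copy deletion commands; the profile names none.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|shadowcopy\s+delete", re.I)
MASS_RENAME_THRESHOLD = 3  # assumption: tune to the file-server baseline

def triage(events):
    """Return {host: sorted findings} for process-creation and rename events."""
    findings = defaultdict(set)
    appended = Counter()
    for ev in events:
        host = ev["host"]
        if ev["type"] == "proc":
            args = set(ev["cmd"].lower().split()[1:])
            hits = sorted(VARIANT_ARGS & args)
            # One flag alone (e.g. -p) is common in benign tools; require two.
            if len(hits) >= 2:
                findings[host].add("variant-args:" + ",".join(hits))
            if SHADOW_DELETE.search(ev["cmd"]):
                findings[host].add("shadow-copy-delete")
        elif ev["type"] == "rename":
            old, new = ev["old"].lower(), ev["new"].lower()
            if new.endswith(DEFAULT_EXT):
                findings[host].add("default-extension")
            elif new.startswith(old + "."):
                # Extensions are customizable: count any suffix appended to a file.
                appended[(host, new[len(old):])] += 1
    for (host, suffix), n in appended.items():
        if n >= MASS_RENAME_THRESHOLD:
            findings[host].add(f"mass-append:{suffix}:{n}")
    return {h: sorted(f) for h, f in findings.items()}

# Constructed sample events (hosts, paths and argument values are invented).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "proc", "cmd": r"C:\Users\Public\svc.exe -p C:\Shares -log run.txt -nomutex"},
    {"host": "ws01", "type": "proc", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "type": "rename", "old": r"C:\Shares\q3.xlsx", "new": r"C:\Shares\q3.xlsx.dragonforce_encrypted"},
    {"host": "ws02", "type": "proc", "cmd": "ping -p ff 10.0.0.1"},  # benign single -p
] + [
    {"host": "fs03", "type": "rename", "old": rf"D:\data\{n}.docx", "new": rf"D:\data\{n}.docx.k9x2"}
    for n in ("a", "b", "c")
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The single-flag case on ws02 is deliberately left unflagged; the argument names overlap with ordinary tooling, so they are only useful in combination or alongside the other findings.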