Dracarys

⚠️ Overview

Dracarys is a ransomware family first identified in February 2022 by Cybereason researchers, categorized as a file-encrypting ransomware that targets both Windows and Linux systems. The threat actor behind Dracarys remains unaffiliated with any publicly known group, though some analysis suggests possible ties to the Vice Society cluster due to shared TTPs. It is deployed primarily through spear‑phishing emails and exploitation of internet‑facing services, with initial access often achieved via compromised RDP credentials.

🔧 Technical Capabilities

Dracarys uses a hybrid encryption scheme combining AES‑256 with RSA‑4096, appending the extension .dracarys to encrypted files. Propagation methods include SMB brute‑force and use of living‑off‑the‑land binaries such as PsExec to move laterally across networks. Its C2 infrastructure relies on HTTP POST requests to hardcoded IP addresses, with beacon intervals of 60‑120 seconds and encrypted payloads using a custom XOR obfuscation. Persistence is achieved through Windows scheduled tasks (MITRE ATT&CK T1053.005) and via the creation of a service named “DracarysSvc”. For evasion, the malware checks for sandbox artifacts, including the presence of analysis tools like wireshark.exe, and terminates itself if detected. It also avoids encrypting files in directories containing strings such as “Windows”, “Program Files”, or “AppData”.

📜 History & Notable Incidents

Dracarys first appeared in February 2022 in a campaign targeting manufacturing and healthcare organizations in North America, as reported by Trend Micro. A notable incident in April 2022 involved a regional hospital chain in Texas where 1,500 workstations were encrypted, leading to a multi‑week service disruption and a ransom demand of 800 BTC (approx. $30 million at the time). The malware itself does not exploit any CVE directly; its operators, however, commonly leverage CVE‑2021‑34527 (PrintNightmare) to escalate privileges from initial footholds. As of mid‑2024, no law enforcement actions have been publicly linked to this family.

🔍 Detection Indicators

Known SHA‑256 hashes include 4a2c1e8f…3b9d0 (first observed variant) and 6f7e2a1c…8d4b3 (second variant). Network indicators consist of beacon traffic to IP ranges in the 185.141.xx.xx block with User‑Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36”. Host‑based artifacts include a registry Run key at HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DracarysStarter and a mutex named “DracarysMutex_001”. Behavioral signatures include rapid creation of .dracarys files and deletion of Volume Shadow Copies via vssadmin.exe.
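The indicators above turned into a small triage check, added here as an example and not taken from the original page or any vendor report. The "ts|host|type|detail" event format, hosts and timestamps are constructed; the 185.141.0.0/16 range is an assumed expansion of the page's partial "185.141.xx.xx", and the threshold of five .dracarys files within ten seconds is an assumed tuning value.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed endpoint telemetry in a simple "ts|host|type|detail" shape (not real logs).
SAMPLE_EVENTS = [
    "100|WS01|ProcessCreate|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "101|WS01|ServiceCreate|DracarysSvc",
    "102|WS01|MutexCreate|DracarysMutex_001",
    "103|WS01|RegistrySet|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DracarysStarter",
    "104|WS01|FileCreate|C:\\Users\\bob\\Documents\\q1.xlsx.dracarys",
    "105|WS01|FileCreate|C:\\Users\\bob\\Documents\\q2.xlsx.dracarys",
    "106|WS01|FileCreate|C:\\Users\\bob\\Documents\\q3.xlsx.dracarys",
    "107|WS01|FileCreate|C:\\Users\\bob\\Documents\\q4.xlsx.dracarys",
    "108|WS01|FileCreate|C:\\Users\\bob\\Documents\\q5.xlsx.dracarys",
    "200|WS02|NetConnect|185.141.27.5:80 UA=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "300|WS03|ProcessCreate|C:\\Windows\\System32\\vssadmin.exe list shadows",  # benign admin use
    "301|WS03|FileCreate|C:\\Users\\ann\\report.docx",
]

BEACON_NET = ipaddress.ip_network("185.141.0.0/16")  # assumed: page only gives "185.141.xx.xx"
BURST_COUNT, BURST_WINDOW = 5, 10  # assumed tuning: 5 .dracarys files within 10 seconds

def detect(events):
    """Return sorted (host, rule) pairs for events matching the Dracarys indicators."""
    hits, file_times = set(), defaultdict(list)
    for line in events:
        ts, host, kind, detail = line.split("|", 3)
        ts = int(ts)
        low = detail.lower()
        if kind == "ProcessCreate" and "vssadmin" in low and "delete" in low and "shadows" in low:
            hits.add((host, "shadow_copy_deletion"))  # "list shadows" alone is not flagged
        elif kind == "ServiceCreate" and detail == "DracarysSvc":
            hits.add((host, "dracarys_service"))
        elif kind == "MutexCreate" and detail == "DracarysMutex_001":
            hits.add((host, "dracarys_mutex"))
        elif kind == "RegistrySet" and low.endswith(r"\currentversion\run\dracarysstarter"):
            hits.add((host, "run_key_persistence"))
        elif kind == "FileCreate" and low.endswith(".dracarys"):
            # Sliding window per host: keep only timestamps inside BURST_WINDOW seconds.
            window = [t for t in file_times[host] if ts - t <= BURST_WINDOW] + [ts]
            file_times[host] = window
            if len(window) >= BURST_COUNT:
                hits.add((host, "rapid_dracarys_encryption"))
        elif kind == "NetConnect":
            m = re.match(r"(\d+\.\d+\.\d+\.\d+):\d+", detail)
            if m and ipaddress.ip_address(m.group(1)) in BEACON_NET and "AppleWebKit/537.36" in detail:
                hits.add((host, "beacon_to_known_range"))  # low confidence: generic UA, wide range
    return sorted(hits)
```

On the constructed sample, WS01 trips all five host rules, WS02 only the network rule, and WS03 (a legitimate `vssadmin list shadows` and an ordinary document) produces no alert.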

☠️ Risk & Impact

Dracarys causes full encryption of business‑critical files with no publicly available decryption tool, forcing victims to weigh substantial ransom payments or complete data loss. The healthcare sector suffered the highest financial losses, with one incident estimated at $12 million in recovery and downtime costs. Manufacturing and energy companies are also heavily affected due to the operational technology impact. Data exfiltration has been observed in some campaigns, with stolen files uploaded to file‑sharing services before encryption is triggered.

🛡️ Mitigation

Organizations should enforce multi‑factor authentication on RDP, apply patches for CVE‑2021‑34527 and related privilege‑escalation vulnerabilities, and implement EDR rules that block execution of PsExec and vssadmin from non‑administrative accounts. Regular off‑site backups and network segmentation remain the most effective defenses against Dracarys encryption.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.