dagonlocker

Dagon Locker is a double-extortion ransomware family that surfaced around September 2022. It represents an evolution of the MountLocker and Quantum ransomware lines. The group employs strong encryption using ChaCha20 protected by RSA-2048 and appends the .dagoned extension to encrypted files. It provides operators flexibility through command-line options to control encryption behavior, such as skipping logs, deletions, or process termination. Notably, Dagon Locker is frequently distributed via phishing campaigns and as part of Brodin-based initial access chains. It operates under a Ransomware-as-a-Service (RaaS) model, engaging affiliates to launch customized campaigns—particularly targeting organizations in South Korea.