DragonForce
DragonForce is a financially motivated ransomware-as-a-service (RaaS) operation, later described as a ransomware “cartel,” observed since August 2023. It conducts global double-extortion attacks, combining data exfiltration with encryption and threatening public disclosure via its leak site, DragonBlog. Reporting describes DragonForce as a rapidly expanding operator with more than 400 victim organizations worldwide across more than 30 countries, with the United States as its primary target. Sectors directly mentioned in the reporting include manufacturing, business services, technology, construction, healthcare, finance, retail, IT services and consulting, architecture and planning, law practice, real estate, machinery manufacturing, software development, and transportation. Two Belgian victims in construction and business services were specifically noted. DragonForce supports attacks against Windows, ESXi, Linux, BSD, and NAS systems and provides affiliates with centralized infrastructure including management panels, file servers, negotiation/client panels, leak-site functionality, and automated payment handling. It advertises configurable encryption modes and operational features such as delayed execution, multithreading, background execution, and dry-run testing. Reported tradecraft includes obtaining access through exposed services, credential compromise, and an integrated initial access broker platform called Suppliers; likely NTLM- and Kerberos-based credential abuse in Active Directory environments; termination of security processes; and deletion of backups and shadow copies. In one documented campaign, attackers exploited SimpleHelp vulnerabilities CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726 via a managed service provider to conduct reconnaissance and deploy DragonForce ransomware to downstream customers. Reporting also notes observed sequences such as EDR-killer-to-ransomware deployment. 
DragonForce evolved from a more traditional RaaS model into a broader cartel structure. In March 2025 it introduced a model allowing affiliates to create their own brands while using DragonForce infrastructure and tools. Its affiliate program has been described as aggressively recruiting operators from other ransomware groups and lowering barriers over time, including later replacing stricter vetting and deposit requirements with a low registration fee. Reporting describes an 80/20 revenue split favoring affiliates, dual-payment ransom handling, extortion-support services, and a Suppliers marketplace for brokering access. DragonForce also emphasized public relations and coalition branding, including public claims of cooperation with LockBit and Qilin, though one report found no verified evidence of shared infrastructure or joint operations. The group has been linked in reporting to major attacks on UK retailers including Marks & Spencer, Co-op, and Harrods, and it claimed responsibility for attacks affecting Belk and other retailers. Multiple reports state that DragonForce malware was used in the Marks & Spencer intrusion under a ransomware-for-hire arrangement, and that DragonForce publicly acknowledged involvement in attacks linked to Scattered Spider. Sophos reporting states that DragonForce allows multiple affiliates or operators to use its infrastructure and leak site, including under their own names, which complicates attribution of individual incidents. DragonForce has also been reported engaging in criminal-on-criminal activity. It was described as defacing rival groups’ websites and leaking internal communications from BlackLock and Mamona in 2025, and separate reporting mentions DragonForce as a possible actor in the compromise of LockBit’s affiliate panel. Additional reporting states DragonForce absorbed or displaced rival groups including BlackLock and RansomHub and sought to consolidate affiliates under a cartel-like structure. 
The reporting gives no evidence that DragonForce is state-sponsored or ideologically motivated; multiple reports characterize it as financially motivated. Its rules explicitly prohibit attacks on Russia and other CIS targets, and several sources assess this as consistent with a likely origin in the Russian-speaking cybercriminal ecosystem or the Russia/CIS region. Known alias: dragonforce.
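The backup and shadow-copy deletion and security-process termination described above are the behaviours a defender can most readily alert on from process-creation telemetry. The following detection logic is an added example, not code from the original page or from any vendor cited in it; the event format and the security-process list are assumptions, and the sample events are constructed.

```python
import re

# Constructed sample of Windows process-creation events (Sysmon Event ID 1 style),
# not real DragonForce telemetry; field names are an assumption for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "cmd": "wmic shadowcopy delete"},
    {"host": "srv02", "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"host": "srv02", "cmd": "taskkill /F /IM MsMpEng.exe"},
    {"host": "ws03", "cmd": "vssadmin list shadows"},       # benign: enumeration only
    {"host": "ws03", "cmd": "taskkill /F /IM notepad.exe"},  # benign: not a security tool
]

# Command-line patterns for backup and shadow-copy destruction (ATT&CK T1490,
# Inhibit System Recovery). Matching is case-insensitive on the full command line.
RECOVERY_RULES = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "shadow copy deletion"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "shadow copy deletion"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I), "backup catalog deletion"),
    (re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I), "recovery disabled"),
]

# Security-product processes whose forced termination is suspicious (ATT&CK
# T1562.001). Constructed, non-exhaustive list; extend with the vendors you run.
SECURITY_PROCESSES = {"msmpeng.exe", "sense.exe", "cylancesvc.exe"}
KILL_RE = re.compile(r"taskkill(\.exe)?\s+.*?/IM\s+(?P<proc>\S+)", re.I)


def detect(events):
    """Return one finding per suspicious event as (host, label, ATT&CK ID, cmd)."""
    findings = []
    for ev in events:
        cmd = ev["cmd"]
        for rx, label in RECOVERY_RULES:
            if rx.search(cmd):
                findings.append((ev["host"], label, "T1490", cmd))
        m = KILL_RE.search(cmd)
        if m and m.group("proc").lower() in SECURITY_PROCESSES:
            findings.append((ev["host"], "security process termination", "T1562.001", cmd))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

In practice the same patterns are expressed as Sigma rules fed to the SIEM; the point here is that shadow-copy deletion followed shortly by security-process termination on one host is a high-fidelity pre-encryption signal.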
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- RU
Tradecraft
54 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
11 malware families attributed to this actor across reporting.
Associated vulnerabilities
8 CVEs this actor has used in observed campaigns. 8 of them exploited in the wild.
- The campaigns, uncovered in early 2025, leveraged a trio of flaws—CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728—to pivot from compromised RMM servers into victim networks with “minimal friction.”
- Known Exploited Vulnerabilities table lists: CVE-2021-44228 – RCE Vulnerability – Apache Log4j Java Library – CVSS 10.
- Known Exploited Vulnerabilities table lists: CVE-2023-46805 – Authentication Bypass Vulnerability – Ivanti Connect Secure and Policy Secure – CVSS 8.5.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Ransomware cartel noted for prohibiting affiliates from targeting Russian and other CIS organizations.
Ransomware-as-a-service and cartel-style cybercriminal ecosystem conducting global double extortion attacks, integrating affiliates, initial access brokers, and support services.
Financially motivated RaaS operator conducting double extortion ransomware attacks, compromising 400+ organizations across 30+ countries, with the United States as the primary target and expansion through absorbing or displacing rival groups.
RaaS operator active in 2026; cited as one of five operators publishing victims on DLSs. Reporting also states that DragonForce launched the white-label RansomBay platform, enabling groups without their own infrastructure to conduct attacks under their own brand.