DragonForce

DragonForce is a ransomware operation active since at least August 2023 that evolved from a ransomware-as-a-service (RaaS) offering into a self-described ransomware “cartel.” It conducts double-extortion attacks, combining data exfiltration with encryption and leak-site pressure, and operates centralized criminal infrastructure including a data leak site known as DragonBlog, negotiation/admin panels, file servers, and automated payment-handling mechanisms. DragonForce supports attacks against Windows, ESXi, Linux, BSD, and NAS environments, and advertises configurable encryption modes such as full, partial, header-based, and percentage-based encryption, along with features including delayed execution, multithreading, background execution, and dry-run testing.

Reported initial access methods include exposed services, credential compromise, and an integrated initial access broker marketplace called Suppliers, which offers access types such as VPN, Citrix, RDP, and botnet access. Post-compromise behavior described in the reporting includes reconnaissance, credential abuse in Active Directory environments, termination of security processes, deletion of backups and shadow copies, data exfiltration, and ransomware deployment. DragonForce has also been observed in intrusion chains where an EDR killer preceded ransomware execution. In one documented campaign investigated by Sophos, attackers exploited SimpleHelp RMM vulnerabilities CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726 to compromise an MSP and deploy DragonForce across downstream customer environments, with affected victims experiencing both encryption and data theft.

DragonForce is associated in reporting with Scattered Spider/UNC3944 in several 2025 retail intrusions. Multiple sources state that Scattered Spider used or may have used DragonForce ransomware in attacks affecting UK retailers including Marks & Spencer, Co-op, and Harrods, and trusted third-party/government reporting noted recent Scattered Spider deployment of DragonForce alongside its usual social-engineering-led tradecraft. Reporting also states DragonForce publicly claimed responsibility for attacks on Marks & Spencer, Co-op, and Harrods. More broadly, DragonForce is described as part of the Russian-speaking cybercriminal ecosystem, though its affiliate base appears increasingly international and includes English-speaking actors.

The group’s operating model changed over time. It introduced a cartel model in March 2025 allowing affiliates to create their own brands while using DragonForce infrastructure. Reported affiliate requirements shifted from stricter vetting and higher barriers—including verified access, victim revenue thresholds, and later a guarantor or roughly $10,000 Monero deposit—to a lower-barrier model by October 2025 requiring only a roughly $500 registration fee. DragonForce has advertised an 80/20 revenue split favoring affiliates, dual-payment ransom workflows, extortion-support services, and a partner service called Verified for stolen-data analysis, executive letters, and call scripts. It also publicly announced a purported coalition with LockBit and Qilin in September/October 2025, though one report noted no verified evidence of shared infrastructure or joint operations.

Targeting information in the content indicates DragonForce victim claims are concentrated in the United States, which accounted for 56% of observed claims in one report, with additional targeting across Western economies. Sectors specifically cited as heavily targeted include construction, IT services and consulting, manufacturing, architecture and planning, law practice, real estate, machinery manufacturing, software development, and transportation. DragonForce’s stated rules reportedly prohibit attacks on hospitals, government institutions, non-commercial entities, and Russian/CIS or former USSR targets, and separate reporting notes that DragonForce expressly prohibits affiliates from hitting Russian and other CIS organizations.

Activity metrics in the provided reporting show DragonForce as an increasingly prominent ransomware brand: it accounted for 4% of top variants in Q2 2025 in one source, claimed 56 victims in Q3 2025 after roughly tripling monthly victim volume following RansomHub’s shutdown, and posted 101 victims in Q1 2026, a 29% increase from Q4 2025. Additional reporting states DragonForce aggressively recruited affiliates from other ransomware operations, defaced rival leak sites in 2025, and was identified as a possible rival actor in the compromise of LockBit’s affiliate panel. One source also states that in client cases, DragonForce kept its word about deleting stolen data after payment and did not re-extort those victims.