DragonForce
A rapidly evolving ransomware-as-a-service operation that has branded itself as a "ransomware cartel" to attract displaced affiliates from collapsed groups. Active since December 2023, DragonForce has targeted 363+ organizations across manufacturing, retail, IT, and construction sectors using ransomware built from leaked LockBit 3.0 and Conti v3 source code. The group gained widespread attention in 2025 after executing high-profile attacks on major UK retailers including Marks & Spencer, Co-Op, and Harrods, and has aggressively positioned itself as a dominant force in the RaaS ecosystem through both cooperation and conflict with rival groups.
Overview
DragonForce emerged in December 2023 when a user known as @dragonforce on BreachForums began publishing stolen data and advertising custom ransomware built from leaked LockBit 3.0 and Conti source code. The group's first victim appeared on its "DragonLeaks" data leak site on December 6, 2023. Since then, DragonForce has listed 363 victim organizations through January 2026, with attack volume increasing sharply through 2025 and peaking at 35 victims in a single month in December 2025.
What makes DragonForce distinctive is not technical sophistication but rather its aggressive business strategy. The group has branded itself as a "ransomware cartel," offering affiliates a generous 80/20 revenue split (80% to the affiliate), customizable ransomware payloads for Windows, Linux, ESXi, and NAS platforms, and a portfolio of services beyond standard ransomware operations. These include the RansomBay builder service for generating custom ransomware builds, harassment calling operations against victims, and a "data analysis service" for creating tailored extortion materials — targeting organizations with annual revenue of at least $15 million.
The group's origins remain unclear and contested. Reports have suggested ties to DragonForce Malaysia, a longstanding hacktivist collective. However, in October 2025, DragonForce Malaysia publicly denied any affiliation with the ransomware operation. Leaked BreachForums database records from early 2026 revealed a DragonForce account registered to an email address linked to the "Bjorka" alias, a cyber threat actor associated with high-profile data breaches and the Babuk2 recycled leak operation. The true identity and geographic base of the operators remain unconfirmed.
DragonForce is one of the fastest-growing ransomware operations entering 2026. The group is actively absorbing displaced affiliates from collapsed rivals (particularly RansomHub, which went offline in April 2025), and its cartel branding strategy is attracting new operators seeking anonymity, flexibility, and profit. Its operational relationship with Scattered Spider extends its reach into social engineering-driven intrusions against enterprise targets. Organizations should anticipate campaigns that may not carry the DragonForce brand but instead reflect affiliate operations using its infrastructure.
Cartel Model & Ecosystem Dynamics
DragonForce's cartel strategy is built on managing both alliances and rivalries across the dark web ecosystem. The group has publicly sought cooperation with LockBit and Qilin, while aggressively attacking competitors. In early 2025, DragonForce defaced the leak site of rival group BlackLock within 24 hours of announcing its cartel transition. When RansomHub's infrastructure went offline on April 1, 2025, DragonForce quickly claimed RansomHub had "joined the cartel" and created a dedicated migration portal for former RansomHub affiliates. RansomHub's spokesperson later resurfaced alleging a state-sponsored attack and exposed a supposed traitor, followed by a retaliatory defacement of DragonForce's own leak site.
This pattern of corporate-style marketing, combined with infrastructure-level conflict between rival RaaS groups, represents an evolution in the ransomware ecosystem. DragonForce promotes itself across BreachForums, RAMP, and Exploit forums, emphasizing differentiated offerings to attract affiliates from across the cybercriminal landscape.
Scattered Spider Connection
Significant operational overlap has been identified between DragonForce and Scattered Spider (also known as The Com), a largely U.S.-based cybercriminal group known for social engineering attacks. In several incidents, DragonForce ransomware was deployed during attacks publicly claimed by Scattered Spider, suggesting an affiliate or partnership relationship. The high-profile UK retailer attacks in April-May 2025 demonstrated shared tradecraft between the two groups, including social engineering and phishing techniques for initial access.
Target Profile
DragonForce targets organizations across a broad range of industries, with a preference for high-revenue targets where operational disruption translates directly into financial pressure to pay ransoms.
- Retail: The group's highest-profile campaigns have targeted major UK retailers. In April-May 2025, attacks on Marks & Spencer, the Co-Op Group, and Harrods triggered multi-day outages of e-commerce platforms, loyalty programs, and internal operations. DragonForce directly contacted the BBC to amplify pressure on the Co-Op, claiming the breach was larger than the retailer acknowledged.
- Manufacturing & Construction: Consistently among the top targeted sectors. Darktrace documented a DragonForce-affiliated attack against a manufacturing company in August 2025, involving network scanning, credential brute-forcing, and eventual file encryption via SMB.
- IT & Professional Services: Technology companies, service providers, and supply-chain organizations are targeted for both direct extortion and to gain leverage over downstream clients.
- Critical Infrastructure & Services: The group's initial operations in August 2023 targeted companies in critical sectors. As the cartel model scales, broader targeting of healthcare, logistics, and transportation organizations is expected.
- Geographic Focus: The United States is the most targeted country, followed by the United Kingdom, Germany, Australia, and Italy. The June 2025 UK retailer campaign brought significant media attention and demonstrated the group's willingness to pursue high-visibility targets.
DragonForce's data analysis service, launched in August 2025, specifically targets organizations with annual revenue of $15 million or more, creating tailored extortion materials designed to maximize ransom negotiation leverage.
Tactics, Techniques & Procedures
DragonForce combines standard RaaS affiliate techniques with a multi-service extortion model. The group provides customizable ransomware payloads while affiliates handle intrusion, lateral movement, and data exfiltration. TTPs vary by affiliate, with Scattered Spider-linked operations showing distinct social engineering tradecraft.
| MITRE ID | Technique | Description |
|---|---|---|
| T1566 | Phishing | Spearphishing emails mimicking trusted SSO portals redirect victims to attacker-controlled credential harvesting infrastructure. Scattered Spider-affiliated operations leverage social engineering to request password resets and login details from employees directly. |
| T1190 | Exploit Public-Facing Application | Exploits known vulnerabilities including CVE-2021-44228 (Log4Shell), CVE-2023-46805 and CVE-2024-21887 (Ivanti Connect Secure), CVE-2024-21893 (Ivanti path traversal), and CVE-2024-21412 (Windows SmartScreen bypass). Targets RDP services and VPN appliances using previously obtained credentials. |
| T1078 | Valid Accounts | Harvested credentials are used to access RDP, VPN, and other public-facing services. Brute-force attacks target administrator accounts including common usernames like "administrator", "Admin", "rdpadmin", and "ftpadmin". |
| T1059.001 | PowerShell | Downloads and executes additional malicious payloads via PowerShell. Code is written to the victim host's registry for execution at boot, combining persistence with reflective code loading to conceal activity within legitimate traffic. |
| T1068 | Exploitation for Privilege Escalation | Uses Bring Your Own Vulnerable Driver (BYOVD) technique to load vulnerable kernel drivers that neutralize endpoint security processes, enabling ransomware execution without interference from EDR or antivirus tools. |
| T1021.002 | SMB/Windows Admin Shares | File encryption propagated via SMB protocol across network shares. Darktrace documented DragonForce-affiliated attacks encrypting files using a DragonForce-associated extension via SMB connections to internal file shares. |
| T1048 | Exfiltration Over Alternative Protocol | Data exfiltration conducted over SSH connections to attacker-controlled infrastructure. Darktrace identified outbound exfiltration to an ASN associated with a malicious hosting service geolocated in Russia. |
| T1486 | Data Encrypted for Impact | Uses ChaCha8 encryption with embedded configuration decrypted at runtime. Supports configurable encryption scope (all, local, network, specific paths) and exclusion lists. The "encryption_rules" beta feature allows per-file-extension encryption mode overrides. Targets Windows, Linux, ESXi, and NAS platforms. |
| T1491.002 | External Defacement | Beyond victim extortion, DragonForce conducts infrastructure-level attacks against rival ransomware groups, defacing competitor leak sites (BlackLock, RansomHub) as part of its cartel positioning strategy. |
| T1489 | Service Stop | Process termination via BYOVD technique to disable security products before encryption. On ESXi targets, the ransomware shuts down virtual machines before encrypting VM storage. Linux variants run as daemons with system info collection and MOTD modification post-encryption. |
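The T1078 row above describes brute-forcing of a fixed set of administrator usernames followed by reuse of the guessed credential. The script below, an added example that is not from the profile or any vendor tooling, runs that detection over constructed records shaped like Windows Security events 4625 (failed logon) and 4624 (successful logon); the threshold, window and sample values are assumptions.

```python
"""Detect brute-forcing of common administrator accounts, then a success.

Added example: the log is constructed in the shape of Windows Security
events 4625/4624 reduced to the fields a SIEM normally exposes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames the profile lists as brute-force targets (compared lower-case).
WATCHED_USERS = {"administrator", "admin", "rdpadmin", "ftpadmin"}
FAIL_THRESHOLD = 5             # failures from one source within the window
WINDOW = timedelta(minutes=10)

# Constructed sample: "timestamp,event_id,user,source_ip"
SAMPLE_LOG = """\
2025-08-12T02:00:01,4625,rdpadmin,10.0.5.23
2025-08-12T02:00:07,4625,rdpadmin,10.0.5.23
2025-08-12T02:00:13,4625,rdpadmin,10.0.5.23
2025-08-12T02:00:20,4625,rdpadmin,10.0.5.23
2025-08-12T02:00:26,4625,rdpadmin,10.0.5.23
2025-08-12T02:01:02,4624,rdpadmin,10.0.5.23
2025-08-12T02:03:00,4625,jdoe,10.0.7.41
2025-08-12T02:03:30,4625,jdoe,10.0.7.41
2025-08-12T09:15:00,4625,Administrator,10.0.9.8
"""


def parse(log_text):
    """Yield (timestamp, event_id, user, source_ip) per record."""
    for line in log_text.strip().splitlines():
        ts, eid, user, src = line.split(",")
        yield datetime.fromisoformat(ts), int(eid), user.lower(), src


def detect(log_text):
    """Return alerts as (source_ip, user, failure_count, success_after)."""
    failures = defaultdict(list)   # (src, user) -> recent failure timestamps
    alerts = {}
    for ts, eid, user, src in parse(log_text):
        if user not in WATCHED_USERS:
            continue
        key = (src, user)
        if eid == 4625:
            recent = [t for t in failures[key] if ts - t <= WINDOW] + [ts]
            failures[key] = recent
            if len(recent) >= FAIL_THRESHOLD:
                alert = alerts.setdefault(key, {"failures": 0, "success_after": False})
                alert["failures"] = len(recent)
        elif eid == 4624 and key in alerts:
            # A success right after a burst of failures: the password was guessed.
            alerts[key]["success_after"] = True
    return [(src, user, a["failures"], a["success_after"])
            for (src, user), a in alerts.items()]
```

A single failure against "Administrator" from 10.0.9.8 stays below the threshold, so only the rdpadmin burst from 10.0.5.23 is reported, with the successful logon that followed it.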
Known Campaigns
Confirmed or attributed operations linked to DragonForce and its affiliate network.
DragonForce's earliest ransomware operations targeted companies in critical sectors using a variant of the leaked LockBit 3.0 builder. The group posted its first victim on its DLS on December 6, 2023, disclosing 22 victims that month. Initial framing included pro-Palestinian hacktivist messaging before fully pivoting to profit-driven operations.
DragonForce announced its transition to a "ransomware cartel" model, aggressively recruiting affiliates across BreachForums, RAMP, and Exploit forums. Offered a differentiated service portfolio including the DragonForce cartel brand, RansomBay builder, harassment calling, and data analysis services. Absorbed displaced affiliates from BlackLock, RansomHub, and other collapsed operations.
The group's highest-profile campaign. Attacks on three major UK retailers triggered multi-day outages of e-commerce platforms, loyalty programs, payment systems, and internal operations. DragonForce directly contacted the BBC to claim the Co-Op breach was more extensive than the retailer admitted. The campaign demonstrated significant overlap with Scattered Spider tradecraft, including social engineering and phishing-based initial access. The consumer goods and services sector in the UK saw a 22% year-over-year increase in attacks during this period.
After RansomHub's infrastructure went offline on April 1, 2025, DragonForce claimed it had joined the cartel and created a migration portal for former RansomHub affiliates. DragonForce had previously defaced BlackLock's leak site within 24 hours of announcing its cartel transition. RansomHub's spokesperson later emerged alleging a state-sponsored attack, and a retaliatory defacement of DragonForce's DLS followed.
Darktrace documented a DragonForce-affiliated attack against a manufacturing company. The attack chain included internal network scanning, administrator credential brute-forcing over eight days, followed by data exfiltration over SSH and file encryption via SMB using DragonForce-associated file extensions. Ransom notes referencing DragonForce were dropped across encrypted systems.
Launched a specialized "data analysis service" for affiliates, creating tailored extortion materials for organizations with annual revenue of $15 million or more. This service mirrors legitimate consulting practices, reflecting the professionalization of ransomware operations toward intelligence-driven extortion with tailored messaging and negotiation strategy.
Activity peaked in December 2025 with 35 victims in a single month, the highest recorded level. Combined with the cartel branding and growing affiliate pool, DragonForce listed 363 total victims by January 2026 across manufacturing, retail, IT, construction, and services sectors globally.
Tools & Malware
DragonForce's ransomware is built from leaked source code with proprietary modifications. The group provides affiliates with customizable build generation through its RansomBay service.
- DragonForce Ransomware (Windows): Based on leaked LockBit 3.0 and Conti v3 source code with proprietary modifications. Uses ChaCha8 encryption with embedded configuration. Employs BYOVD technique to neutralize endpoint security processes. Metadata structure includes configurable encryption ratio field (expanded from 1 to 4 bytes in recent versions). Beta "encryption_rules" feature allows per-file-extension encryption mode overrides.
- DragonForce Ransomware (Linux/ESXi): Targets ESXi, NAS, and RHEL environments. Runs as a daemon on ESXi with VM shutdown capabilities before encryption. Collects system information and modifies MOTD (Message of the Day) post-encryption. Default configurations exclude specified paths with user-defined encryption scope.
- RansomBay Builder: Affiliate-facing service for generating custom ransomware builds across Windows, Linux, ESXi, and NAS platforms. Provides a management panel with functionality for client management, build generation, team coordination, content publishing, and support ticket handling. As of January 2026, the original LockBit 3.0-based builder has been discontinued but core functions remain in the evolved codebase.
- BYOVD Kernel Drivers: Vulnerable kernel drivers loaded to disable endpoint security products and antivirus before ransomware execution. A standard technique in the DragonForce kill chain across both Windows and ESXi environments.
- Credential Harvesting Infrastructure: Spoofed SSO portals and credential harvesting pages, particularly in Scattered Spider-affiliated operations. Used for initial access through harvested credentials applied to RDP and VPN services.
Indicators of Compromise
Publicly available IOCs from threat intelligence reports and incident response engagements.
DragonForce operates as a cartel with multiple affiliates using varying tradecraft. Attacks may not carry the DragonForce brand but instead reflect affiliate operations using its infrastructure. The Scattered Spider connection means social engineering-based intrusions should be considered as potential DragonForce precursors. Monitor DragonForce's DLS and BreachForums for new victim disclosures and affiliate activity.
Mitigation & Defense
Recommended defensive measures for organizations in DragonForce's target profile.
- Patch Ivanti, Log4j, and Windows SmartScreen vulnerabilities: DragonForce affiliates exploit known vulnerabilities in internet-facing infrastructure. Prioritize CVE-2021-44228, CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, and CVE-2024-21412. Maintain an aggressive patching cadence for all edge devices and VPN appliances.
- Defend against social engineering (Scattered Spider overlap): Given the operational relationship with Scattered Spider, implement help desk verification procedures for password reset and MFA reset requests. Train staff to identify phishing emails mimicking SSO portals and to verify identity through independent channels.
- Monitor for BYOVD activity: DragonForce uses vulnerable kernel drivers to disable endpoint security. Implement driver block lists (Microsoft's recommended driver block list), monitor for unauthorized driver installations, and enable Windows Defender Credential Guard to prevent unauthorized kernel access.
- Restrict and monitor RDP and VPN access: Enforce MFA on all remote access services. Monitor for brute-force attempts against common administrator usernames. Limit RDP exposure and implement account lockout policies.
- Implement network segmentation and SMB controls: DragonForce encrypts files via SMB propagation. Segment networks to limit lateral movement, restrict SMB access between workstations, and monitor for anomalous SMB traffic patterns.
- Maintain offline, tested backups: DragonForce's dual extortion model combines encryption with data theft. Offline backups ensure recovery from encryption, though the data exfiltration component requires separate mitigation through DLP and network monitoring.
- Monitor for exfiltration over SSH: Darktrace documented DragonForce-affiliated data exfiltration over SSH connections to Russian-geolocated hosting. Monitor for anomalous outbound SSH connections, particularly to unfamiliar ASNs, and implement egress filtering.
- Prepare for non-branded affiliate operations: DragonForce's cartel model means attacks may be conducted by affiliates using different branding or no branding at all. Detection should focus on behavioral indicators (BYOVD, ChaCha8 encryption metadata, registry-based PowerShell persistence) rather than relying on group attribution alone.
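The SMB and behavioral-indicator items above call for detecting encryption propagating across file shares rather than waiting for a ransom note. The script below is an added example, not from the profile or any vendor product: it reads constructed records shaped like Zeek's smb_files.log (JSON export, only the fields used here) and flags a host that renames many files to one previously unseen extension across shares within a short window. The extension ".locked-demo", the baseline extension set and the thresholds are assumptions, not indicators from the page.

```python
"""Flag a mass-rename burst over SMB: the on-share footprint of encryption.

Added example. Input is constructed in the shape of Zeek smb_files.log
(JSON), keeping only ts, id.orig_h, id.resp_h, action, name, prev_name.
"""
import json
from collections import defaultdict

RENAME_THRESHOLD = 4                 # renames to one new extension per host
WINDOW_SECONDS = 120.0
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "bak", "tmp"}   # assumed baseline

# Constructed sample records; ".locked-demo" is a placeholder extension.
SAMPLE_SMB_LOG = """\
{"ts":1000.0,"id.orig_h":"10.0.5.23","id.resp_h":"10.0.1.10","action":"SMB::FILE_OPEN","name":"budget.xlsx"}
{"ts":1001.0,"id.orig_h":"10.0.5.23","id.resp_h":"10.0.1.10","action":"SMB::FILE_RENAME","prev_name":"budget.xlsx","name":"budget.xlsx.locked-demo"}
{"ts":1002.0,"id.orig_h":"10.0.5.23","id.resp_h":"10.0.1.10","action":"SMB::FILE_RENAME","prev_name":"plan.docx","name":"plan.docx.locked-demo"}
{"ts":1003.5,"id.orig_h":"10.0.5.23","id.resp_h":"10.0.1.11","action":"SMB::FILE_RENAME","prev_name":"notes.pdf","name":"notes.pdf.locked-demo"}
{"ts":1004.0,"id.orig_h":"10.0.5.23","id.resp_h":"10.0.1.11","action":"SMB::FILE_RENAME","prev_name":"readme.docx","name":"readme.docx.locked-demo"}
{"ts":1005.0,"id.orig_h":"10.0.7.41","id.resp_h":"10.0.1.10","action":"SMB::FILE_RENAME","prev_name":"draft.docx","name":"final.docx"}
{"ts":1300.0,"id.orig_h":"10.0.5.23","id.resp_h":"10.0.1.10","action":"SMB::FILE_RENAME","prev_name":"old.bak","name":"old.tmp"}
"""


def extension(name):
    """Lower-cased final extension of a file name, or '' if it has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_rename_bursts(log_text):
    """Return {(orig_h, new_ext): (rename_count, sorted servers touched)}."""
    events = defaultdict(list)       # (host, ext) -> [(ts, resp_h), ...]
    alerts = {}
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("action") != "SMB::FILE_RENAME":
            continue
        new_ext = extension(rec["name"])
        # Ordinary renames keep a baseline extension or do not change it.
        if new_ext in KNOWN_EXTENSIONS or new_ext == extension(rec.get("prev_name", "")):
            continue
        key = (rec["id.orig_h"], new_ext)
        recent = [(t, h) for t, h in events[key] if rec["ts"] - t <= WINDOW_SECONDS]
        recent.append((rec["ts"], rec["id.resp_h"]))
        events[key] = recent
        if len(recent) >= RENAME_THRESHOLD:
            alerts[key] = (len(recent), sorted({h for _, h in recent}))
    return alerts
```

The benign rename from 10.0.7.41 and the late .bak to .tmp rename are ignored; the four renames from 10.0.5.23 to the same unknown extension on two different servers within the window produce the alert.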
DragonForce's success is driven by business model innovation rather than technical sophistication. By lowering barriers to entry, offering competitive affiliate terms, and providing services that mirror legitimate business consulting (data analysis, negotiation support, harassment calling), the group has positioned itself to absorb operators from collapsing rivals. The RaaS market is increasingly resembling a franchise model, and DragonForce is one of its most agile operators. Defenders should anticipate more diverse and aggressive campaigns linked to this group's expanding ecosystem through 2026.
Sources & Further Reading
Attribution and references used to build this profile.
- Trend Micro — Ransomware Spotlight: DragonForce (2025)
- Check Point — DragonForce Ransomware: Redefining Hybrid Extortion in 2025
- LevelBlue (Cybereason) — The Godfather of Ransomware? Inside DragonForce's Cartel Ambitions (2026)
- S2W TALON — Inside the Ecosystem, Operations: DragonForce (2026)
- Darktrace — Tracking a Dragon: Investigating a DragonForce-Affiliated Attack (2025)
- Bridewell — Who Are DragonForce Ransomware Group? (2025)
- Specops — DragonForce: Inside the Ransomware-as-a-Service Group (2025)
- GBHackers — DragonForce Ransomware Group Targets 363 Companies (2026)