DragonForce's rising influence: retailer attacks fueling its growing notoriety
Cybersecurity experts have been sounding the alarm in recent weeks as a notorious ransomware group, DragonForce, has come to prominence. The criminal organization has claimed responsibility for a series of recent attacks that crippled the UK retail giants Marks & Spencer and the Co-op.
Originating as a hacktivist collective known as DragonForce Malaysia in 2023, the group has since morphed into a financially motivated ransomware operator while retaining some political leanings.
DragonForce operates as a ransomware-as-a-service (RaaS) platform, offering malware and attack infrastructure to affiliate groups that lack the resources for a large-scale campaign of their own. Known for supporting double extortion ransomware attacks, the group has been implicated in an escalating number of enterprise breaches.
Giovanni Barbieri, cyber threat intelligence analyst and ransomware expert at Group-IB, discussed the growing menace of DragonForce and its tactics with us. According to Barbieri, the group was first observed in late 2023 and began RaaS operations in the summer of 2024, eventually making it onto Group-IB's list of 'top 10 masked actors' for the year.
In a unique twist, DragonForce provides RaaS services while allowing affiliates the freedom to operate under their own brand. This unprecedented approach is believed to attract less sophisticated cybercriminals who lack the infrastructure or capability to run such operations themselves.
Between January and March 2024, DragonForce listed 32 victims on its leak site, compared with 58 over the same period in 2025. This points to the success of the affiliate program and the popularity of DragonForce's services among hacking groups. The group's alluring 20% cut of attack proceeds may also act as an incentive for other crews to join its ranks.
While details of DragonForce's attack methodology are still emerging, the group is known to use a variant of the LockBit ransomware strain as well as one derived from Conti, alongside legitimate tools such as Cobalt Strike and the botnet malware SystemBC. Its approach also involves the bring-your-own-vulnerable-driver (BYOVD) technique: legitimate drivers containing known vulnerabilities are brought into a target's network and loaded there, so that the vulnerable driver itself becomes the foothold.
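As an added defender-side example (not from the article, Group-IB or Barbieri), the Python below triages constructed Sysmon Event ID 6 driver-load records for the BYOVD pattern described above: a driver with a valid signature whose hash is on a known-vulnerable list. The blocklist entry and all hashes are labelled placeholders, not real driver hashes.

```python
# Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD abuse: such drivers
# are validly signed, so the SHA256 must also be checked against a blocklist.
# Constructed placeholder standing in for a real known-vulnerable driver hash.
VULN_SHA256 = "11" * 32
KNOWN_VULNERABLE = {VULN_SHA256: "placeholder_vuln.sys"}

# Constructed Sysmon Event ID 6 records in key: value form, '---' separated.
SAMPLE_EVENTS = f"""\
ImageLoaded: C:\\Windows\\System32\\drivers\\ntfs.sys
Hashes: SHA256={'22' * 32},IMPHASH={'33' * 16}
SignatureStatus: Valid
---
ImageLoaded: C:\\Users\\Public\\upd.sys
Hashes: SHA256={VULN_SHA256}
SignatureStatus: Valid
---
ImageLoaded: C:\\Temp\\drv.sys
Hashes: SHA256={'44' * 32}
SignatureStatus: Unavailable
"""

def parse_events(text):
    """Split text on '---' and turn each record's 'key: value' lines into a dict."""
    return [dict(ln.partition(": ")[::2] for ln in chunk.strip().splitlines())
            for chunk in text.strip().split("---")]

def sha256_of(event):
    """Extract the SHA256 digest from Sysmon's 'ALGO=digest,...' Hashes field."""
    for part in event.get("Hashes", "").split(","):
        algo, _, digest = part.partition("=")
        if algo.upper() == "SHA256":
            return digest.lower()
    return None

def assess(event):
    """Return the reasons this driver load deserves attention (empty if none)."""
    reasons = []
    name = KNOWN_VULNERABLE.get(sha256_of(event))
    if name:  # validly signed but known vulnerable: the classic BYOVD signal
        reasons.append(f"known vulnerable driver {name}")
    if event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    if not event.get("ImageLoaded", "").lower().startswith("c:\\windows\\system32\\drivers\\"):
        reasons.append("driver loaded from non-standard path")
    return reasons

def triage(text):
    """Map each suspicious driver path to its list of reasons."""
    return {e["ImageLoaded"]: r for e in parse_events(text) if (r := assess(e))}
```

In a real deployment the blocklist would be populated from a maintained source such as Microsoft's vulnerable driver blocklist, and the records would come from the Sysmon event log rather than a string.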
The exact location of DragonForce remains undetermined, and its links to the hacktivist group DragonForce Malaysia are tenuous at best. The group's rule against targeting countries of the Commonwealth of Independent States (former Soviet states) could, however, hint at its origins. More research is needed before definitive conclusions can be drawn about the individuals behind the operation.
Barbieri cautioned that ransomware attacks continue to pose significant risks to all organizations and urged victims not to pay ransoms. Such payments, he explained, finance cybercrime, fund improvements to RaaS infrastructure, and can mark a company as a target for future attacks.
In conclusion, DragonForce poses a substantial threat to the global threat landscape as a sophisticated ransomware cartel offering a white-label RaaS model to a wide range of cybercriminals. While its origins remain uncertain, its double-extortion tactics and distinctive approach to recruiting affiliates warrant close monitoring. Organizations are advised to prioritize robust cybersecurity measures and to refrain from paying ransom demands.
- To counter the threat posed by the sophisticated ransomware group DragonForce, organizations should bolster their cybersecurity infrastructure, focusing in particular on technology that can identify and mitigate double extortion attacks.
- Given the escalating number of enterprise breaches, cybersecurity experts should keep a close eye on DragonForce's operations and recommend technology solutions that can keep organizations from falling victim to ransomware-as-a-service (RaaS) platforms such as DragonForce.