DragonForce Ransomware Gang: From Hacktivists to High-Street Hijackers


First surfacing in August 2023, DragonForce originated from Malaysia as a Pro-Palestinian hacktivist group. Over time, it has evolved into a hybrid threat actor, blending political targeting with financial extortion. Now, DragonForce runs a sophisticated ransomware-as-a-service (RaaS) model, complete with affiliate panels, payload customization tools, and its own RansomBay leak platform.

Recent DragonForce victims span retail, government, law, and healthcare sectors. While attacks on political and critical infrastructure persist, recent waves of attacks have hit major UK retailers, affecting payment systems, payroll, inventory, and logistics.

DragonForce affiliates reportedly operate independently using a white-label ransomware service, allowing them to disguise ransomware strains while using DragonForce’s infrastructure for malware development, data leak hosting, and payment processing.

Infiltration Tactics and Payload Delivery: From Phishing to SLA Bypass

DragonForce’s attacks are multi-stage and highly automated, leveraging a variety of tools for both access and persistence:

  • Initial Access: Phishing emails, credential stuffing for RDP/VPN, or exploiting known vulnerabilities (e.g., Log4Shell, Ivanti flaws)

  • Tools Used Post-Breach: Mimikatz, Advanced IP Scanner, PingCastle, SystemBC proxy malware

  • Ransomware Deployment: First using LockBit 3.0 code, the group later migrated to a Conti v3-based encryption engine supporting AES, RSA, and ChaCha8 algorithms for enhanced speed and encryption reliability

Key vulnerabilities linked to DragonForce attacks include:

  • CVE-2021-44228 (Log4Shell)

  • CVE-2024-21887, CVE-2024-21893 (Ivanti Connect Secure RCE)

  • CVE-2024-21412 (Windows SmartScreen bypass)

DragonForce payloads are custom-built via affiliate panels that allow campaign operators to tailor attack execution—including encryption delay, VM exclusions, logging paths, and behavioral scripts. Ransomware samples exist for Windows, Linux, ESXi, and NAS systems.

Command-line options embedded in the ransomware help streamline encryption targeting, delay execution, and control behavior—making DragonForce payloads highly modular and stealthy.

White-Label Ransomware Cartel Model & UK Retail Disruptions

In early 2025, DragonForce launched a ‘white-label’ branding service, enabling affiliates to carry out campaigns under different names in exchange for a 20% revenue share. These attacks appear increasingly organized, and evidence suggests coordination among affiliates linked to The Com, a loose cybercrime collective.

DragonForce’s RansomBay leak sites now host stolen data from UK-based retail victims. Meanwhile, affiliates continue launching campaigns across multiple regions, targeting high-value sectors with large user bases and operational complexity.

DragonForce ransomware is evolving into a cartel, resembling the earlier operations of RansomHub and Dispossessor. This shift offers affiliate attackers:

  • Tailored ransomware payloads

  • Custom branding & leak hosting

  • Dedicated support and campaign tools

Defensive Recommendations and Mitigation

To defend against DragonForce’s campaigns, organizations should focus on both preventive security and active threat hunting, including:

  • Patch Management: Apply patches for known vulnerabilities (especially Ivanti and Log4j)

  • Multi-Factor Authentication (MFA): On all external-facing services

  • Disable/Restrict RDP: Harden remote access and monitor for brute-force attempts

  • Endpoint Detection & Response (EDR/XDR): Implement tools with behavioral detection and rollback capabilities

  • Monitor Data Exfiltration: Watch for suspicious SFTP/WebDAV/MEGA uploads

  • Network Segmentation: Reduce lateral movement across environments
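The exfiltration-monitoring recommendation above, as an added example that is not from the article or from any vendor's product: a small Python triage script run over constructed proxy-log lines that flags upload-like traffic to MEGA domains, WebDAV PUTs and SFTP sessions, per event and cumulatively per source host. The log format, hostnames and byte thresholds are assumptions to tune for a given environment.

```python
import re
from collections import defaultdict

# Constructed sample proxy/firewall log lines (not from any real incident).
# Fields: timestamp src_ip dst_host method bytes_out
SAMPLE_LOGS = """\
2025-05-01T09:12:03Z 10.0.4.21 cdn.example.com GET 1843
2025-05-01T09:12:09Z 10.0.4.21 api.example.com POST 9210
2025-05-01T09:14:11Z 10.0.4.21 mega.nz PUT 524288000
2025-05-01T09:15:40Z 10.0.4.21 upload.mega.co.nz POST 734003200
2025-05-01T09:20:02Z 10.0.7.5 files.partner.example WEBDAV-PUT 80530636
2025-05-01T09:21:55Z 10.0.7.5 203.0.113.42 SFTP 1200000000
2025-05-01T09:25:00Z 10.0.9.9 mail.example.com POST 2048
"""

MEGA_DOMAINS = re.compile(r"(^|\.)mega(\.nz|\.co\.nz|\.io)$")
# Thresholds are assumptions, not figures from the article.
PER_EVENT_BYTES = 50 * 1024 * 1024    # 50 MiB in a single upload
PER_HOST_BYTES = 500 * 1024 * 1024    # 500 MiB cumulative per source host

def parse_line(line):
    ts, src, dst, method, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "method": method, "bytes": int(nbytes)}

def is_suspicious_channel(ev):
    """True for uploads to MEGA or for WebDAV/SFTP transfers, the channels the article names."""
    to_mega = bool(MEGA_DOMAINS.search(ev["dst"])) and ev["method"] in {"PUT", "POST"}
    return to_mega or ev["method"] in {"WEBDAV-PUT", "SFTP"}

def find_exfil_candidates(log_text, per_event=PER_EVENT_BYTES, per_host=PER_HOST_BYTES):
    """Return (src, dst, reason, bytes) alerts: one per oversized single upload,
    plus one per source host whose cumulative suspicious uploads exceed per_host."""
    alerts = []
    totals = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not is_suspicious_channel(ev):
            continue
        totals[ev["src"]] += ev["bytes"]
        if ev["bytes"] >= per_event:
            alerts.append((ev["src"], ev["dst"], "large_upload", ev["bytes"]))
    for src, total in totals.items():
        if total >= per_host:
            alerts.append((src, "*", "cumulative_upload", total))
    return alerts

if __name__ == "__main__":
    for alert in find_exfil_candidates(SAMPLE_LOGS):
        print(alert)
```

The cumulative check matters because staged exfiltration is often split into many transfers that each stay under a per-event threshold.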

SentinelOne’s Singularity platform currently offers real-time protection against DragonForce ransomware, with detection via behavioral engines and live security updates rolled out in March 2025.

DragonForce’s transition from a politically motivated actor to a full-fledged ransomware cartel marks a new phase in cybercrime. Its modular payloads, white-label services, and affiliate-driven expansion reflect a mature, profitable, and dangerous ecosystem.

With the UK retail sector already facing operational breakdowns due to DragonForce, this campaign underscores the urgency for strengthened cybersecurity measures, intelligence sharing, and proactive detection strategies across industries vulnerable to extortion.
