
The cybersecurity landscape has witnessed the emergence of increasingly sophisticated ransomware operations, with DragonForce standing out as a particularly concerning threat actor that has evolved from politically motivated attacks to large-scale financial extortion campaigns.
DragonForce ransomware group launched in 2023 as a politically motivated collective, initially targeting entities that aligned with specific ideological beliefs.
However, the group has undergone a significant transformation, pivoting toward financially motivated extortion campaigns that have positioned it as one of the more prominent ransomware-as-a-service operations active today.

The group’s evolution reflects the broader trend of cybercriminal organizations adapting their strategies to maximize profitability while expanding their operational reach.
Intel 471 analysts identified that the group operates under what it terms a “cartel” operation model, whereby interested actors may create their own “brand” and launch attacks using DragonForce’s infrastructure, tools, and resources, including access to their data leak site.

This approach differs slightly from traditional RaaS models by allowing affiliates to adopt their own names rather than operating exclusively under the DragonForce banner.
The group’s attacks have been documented globally, particularly affecting high-profile targets across the retail, financial, and manufacturing sectors in North America, Europe, and Asia.
The group’s operational methodology centers around a dual-extortion strategy where attackers encrypt victims’ data while simultaneously threatening to release exfiltrated information if ransom demands are not met.
Rather than developing proprietary encryption tools, DragonForce has leveraged leaked ransomware builders from established groups including LockBit and Conti, demonstrating the interconnected nature of modern cybercriminal ecosystems.
Intel 471 researchers have tracked 53 possible victims of DragonForce throughout 2025, highlighting the group’s sustained operational tempo.
Notable incidents linked to DragonForce include data breaches affecting major UK retailers Marks & Spencer and Co-op, which caused severe operational disruptions.
These attacks have been attributed to native English-speaking attackers suspected of being DragonForce affiliates, potentially connected to the broader TheCom online ecosystem, also known as Scattered Spider.
Persistence Tactics and Registry Manipulation
DragonForce employs persistence mechanisms to retain access to compromised systems, and modification of Windows registry run keys is a cornerstone of that methodology.

After initial system compromise, the group implements persistence techniques that ensure their malware executes automatically upon system restart, effectively maintaining access even when defenders attempt to remediate other attack vectors.
The group’s persistence strategy involves adding malicious programs to startup folders or referencing them through Windows registry run keys, allowing referenced programs to execute automatically when users log in.
This technique enables sustained access without requiring user interaction or repeated social engineering efforts, representing a critical component of their post-exploitation activities.
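The run-key and Startup-folder persistence described above leaves a clear footprint in host telemetry, so a defender can triage it from endpoint events. The script below is an added example, not code from the article or from Intel 471: it parses constructed Sysmon-style records (Event ID 13 registry value writes and Event ID 11 file creations, flattened here into a simplified `Field=value|Field=value` layout rather than real Sysmon XML), flags any write under a Run/RunOnce key or into a Startup folder, and raises the severity when the autostart target sits in a user-writable directory or invokes a script host. The hostnames, SIDs, paths and values in `SAMPLE_EVENTS` are all constructed.

```python
"""Triage Sysmon-style events for registry Run-key and Startup-folder persistence.

Added example with constructed input: the event lines use a simplified
'Field=value|Field=value' layout, not the real Sysmon XML schema.
"""
import re
from dataclasses import dataclass, field

# Registry run keys commonly used for logon persistence (HKLM and HKCU/HKU hives).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunOnceEx|RunServices)(\\|$)",
    re.IGNORECASE,
)
# Per-user and all-users Startup folders.
STARTUP_FOLDER_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Locations a non-admin user can write to; vendor autostarts rarely live here.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE
)
# Script hosts and system binaries often used as the launcher in a run value.
SCRIPT_HOST_RE = re.compile(
    r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b",
    re.IGNORECASE,
)

# Constructed sample telemetry (hostnames, SID, paths and values are made up).
SAMPLE_EVENTS = [
    # Benign vendor autostart written to the machine-wide Run key.
    r"EventID=13|Computer=WS01|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive|Details=C:\Program Files\Microsoft OneDrive\OneDrive.exe",
    # Per-user Run value pointing at an executable under AppData.
    r"EventID=13|Computer=WS01|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater|Details=C:\Users\alice\AppData\Roaming\svc\update.exe",
    # RunOnce value that launches a hidden PowerShell script from Temp.
    r"EventID=13|Computer=WS02|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Helper|Details=powershell.exe -WindowStyle Hidden -File C:\Users\bob\AppData\Local\Temp\h.ps1",
    # Unrelated registry write; must produce no finding.
    r"EventID=13|Computer=WS02|TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start|Details=DWORD (0x00000002)",
    # Shortcut dropped into the per-user Startup folder.
    r"EventID=11|Computer=WS03|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\note.lnk",
]


@dataclass
class Finding:
    host: str
    event_id: int
    target: str        # registry key or file path that was written
    launches: str      # what will execute at the next logon
    reasons: list = field(default_factory=list)

    @property
    def severity(self):
        # One reason means "an autostart location was touched"; a second
        # reason (user-writable path or script host) is what makes it suspicious.
        return "high" if len(self.reasons) >= 2 else "low"


def parse_event(line):
    """Split one 'Field=value|Field=value' line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def assess(event):
    """Return (target, launches, reasons) for one parsed event; reasons is empty if benign."""
    event_id = int(event.get("EventID", "0"))
    reasons = []
    if event_id == 13:  # RegistryEvent: value set
        target = event.get("TargetObject", "")
        launches = event.get("Details", "")
        if not RUN_KEY_RE.search(target):
            return target, launches, reasons
        reasons.append("value written under a registry Run key")
    elif event_id == 11:  # FileCreate
        target = event.get("TargetFilename", "")
        launches = target
        if not STARTUP_FOLDER_RE.search(target):
            return target, launches, reasons
        reasons.append("file created in a Startup folder")
    else:
        return "", "", reasons
    if USER_WRITABLE_RE.search(launches):
        reasons.append("autostart points into a user-writable directory")
    if SCRIPT_HOST_RE.search(launches):
        reasons.append("autostart invokes a script host or LOLBin")
    return target, launches, reasons


def triage(lines):
    """Return a Finding for every event that touches an autostart location."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        target, launches, reasons = assess(ev)
        if reasons:
            findings.append(Finding(ev.get("Computer", "?"), int(ev["EventID"]),
                                    target, launches, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} EID {f.event_id}: {f.target} -> {f.launches}")
        for r in f.reasons:
            print(f"    - {r}")
```

The two-tier scoring is deliberate: every Run-key write is recorded so an analyst can baseline legitimate autostarts, but only writes whose launch target lives in a user-writable location or goes through a script host are raised to high, which keeps vendor entries like the OneDrive sample from drowning out the per-user entries that this kind of post-compromise persistence produces.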