DragonForce Ransomware Gang | From Hacktivists to High Street Extortionists Open original source
In recent weeks, the DragonForce ransomware group has been targeting UK retailers in a series of coordinated attacks causing major service disruptions. Prominent retailers such as Harrods, Marks and Spencer, and the Co-Op have all reported ongoing incidents affecting payment systems, inventory, payroll and other critical business functions.
DragonForce has previously been attributed for a number of notable cyber incidents including attacks on Honolulu OTS (Oahu Transit Services), the Government of Palau, Coca-Cola (Singapore), the Ohio State Lottery, and Yakult Australia.
In this post, we offer a high-level overview of the DragonForce group, discuss its targeting, initial access methods, and payloads. We further provide a comprehensive list of indicators and defensive recommendations to help security teams and threat hunters better protect their organizations.
Background
DragonForce ransomware operations emerged in August 2023, primarily out of Malaysia (DragonForce Malaysia). The group originally positioned itself as a Pro-Palestine hacktivist-style operation; however, over time their goals have shifted and expanded.
The modern-day operation is focused on financial gain and extortion although the operation still targets government entities, making it something of a hybrid actor, both politically aligned and profit-motivated. The group operates a multi-extortion model, with victims threatened with data leakage via the group’s data leak sites, alongside reputational damage.
Recent DragonForce victims have included government institutions, commercial enterprises, and organizations aligned with specific political causes. The group is also known to heavily target law firms and medical practices. Notably, the group has targeted numerous entities in Israel, India, Saudi Arabia, and more recently several retail outlets in the United Kingdom.
Some components of the UK retail attacks have been attributed to an individual affiliated with the loose threat actor collective ‘The Com’, with claims that members are leveraging DragonForce ransomware. Our assessment indicates that the affiliate in question exhibits behavioral and operational characteristics consistent with those previously associated with The Com. However, due to the lack of strong technical evidence and shifting boundaries of The Com, that attribution remains inconclusive and subject to further analysis.
Initial Access Methods
Initial access is typically gained via phishing email along with exploitation of known vulnerabilities; alternatively, attackers may leverage leaked or stolen credentials to access internet-facing devices. Cobalt Strike and other COTS tools are used for campaign management, including the execution of additional payloads and implants.
The DragonForce operators also utilize tools like mimikatz, Advanced IP Scanner, PingCastle, and a plethora of Remote Management tools to drill further into victim environments, ensuring both elevated privileges and persistence.
The group also heavily targets RDP services with credential stuffing attacks and VPN weaknesses to gain initial access into systems.
The following vulnerabilities have specifically been associated with past DragonForce intrusions:
- CVE-2021-44228 – Apache Log4j2 Remote Code Execution (“Log4Shell”)
- CVE-2023-46805 – Ivanti Connect Secure and Policy Secure Authentication Bypass
- CVE-2024-21412 – Microsoft Windows SmartScreen Security Feature Bypass
- CVE-2024-21887 – Ivanti Connect Secure and Policy Secure Command Injection
- CVE-2024-21893 – Ivanti Connect Secure and Policy Secure Path Traversal
Additionally, DragonForce operators have been observed deploying the SystemBC backdoor for persistence. SystemBC is a multi-platform proxying malware adopted by numerous threat actors to create SOCKS5 tunnels through victim networks.
Ransomware Payloads
Initially, DragonForce ransomware payloads were based entirely on the leaked LockBit (LockBit 3.0/Black) builder. In common with other hacktivist/RaaS groups, early DragonForce operations relied on leaked code and tools that were readily available. The group has since evolved its own branded ransomware, updating the source and producing a more bespoke offshoot with roots in the Conti v3 codebase.
Basic encryption features and ‘under the hood’ functionality remain unchanged, with AES used for primary file encryption and RSA for securing the keys themselves. More recently built Conti-derived samples use the ChaCha8 algorithm, which is touted as providing improved speed over the AES encryption used in the LockBit derived variants.
DragonForce affiliates are provided a robust set of tools within the affiliate panel for building payloads and managing campaigns. Currently, DragonForce affiliates can build multiple variants of the DragonForce ransomware, tailored to specific platforms including Windows, Linux, EXSi, and NAS-specific encryptors.
Each affiliate has the ability to manage multiple builds per-platform for each victim. When building new payloads, affiliates are able to customize many behavioral aspects of the ransomware, including filenames, appended extensions, additional command line scripts, delayed execution options, process termination configuration, and allow and exception lists for file encryption.
DragonForce affiliate panel
Additionally, DragonForce payloads support multiple command-line options:
| -paths | Force run in file-system search mode |
| -vmsvc | Force run in ESXi vim-cmd discovery mode |
| -n | Do not perform encryption/decryption (file discovery only) |
| -h H -m M -s S | Wait H hours, M minutes, S seconds before starting |
| -e M X Y | Encryption mode M with parameters X and Y |
| -p PATH | Override file-system paths for discovery |
| -l LOGFILE | Override the log-file location |
| -i X | Override the number of threads |
| -q | Disable output to STDOUT |
| -v | Verbose logging |
| -vwi ID | Override list of ignored VMs by ID |
| -vwn NAME | Override list of ignored VMs by name |
DragonForce operators utilize multiple tactics and services for data exfiltration. This includes the use of MEGA, but also Living Off the Land (LOTL) methods like basic WebDAV and SFTP transfers to remote servers.
Additionally, affiliates are able to set up collaborative teams within the DragonForce panel, within which they manage communications with team members and victims, manage payments, build payloads, and adjust overall campaign behavior.
Updated ‘White-label’ Branding
In early 2025, DragonForce introduced a ‘white-label’ branding service that allows affiliates to disguise the DragonForce ransomware as a different strain for an additional fee. This also came alongside the announcement of the RansomBay service and portals. The new RansomBay leak sites have been launched to host data stolen by affiliates of these new, expanded, DragonForce services.
DragonForce’s RansomBay logo
In this offering, DragonForce claims to take a 20% share of successful ransomware payouts, allowing the affiliate to keep 80%. This enables enterprising threat actors to launch seemingly unique ransomware operations, while leveraging DragonForce’s infrastructure and code. For the developers, this offering allows DragonForce to profit from attacks by affiliates without having the brand tied to the attack or specific operators.
This move, along with DragonForce’s push to brand itself as a ‘Ransomware Cartel’, illustrates the group’s desire to raise its profile in the crimeware landscape by enabling an ecosystem. Under this model, DragonForce provides the infrastructure, malware, and ongoing support services while affiliates run campaigns under their own branding. This is similar to moves that operations like RansomHub, Rabbit Hole and Dispossessor have previously attempted. All of this points to DragonForce seriously expanding its goals and operations.
SentinelOne Singularity Platform Protects Against DragonForce Ransomware
The SentinelOne Singularity Platform protects against DragonForce Ransomware and associated malicious behaviors. Ransomware activity on Windows and Linux systems is blocked by SentinelOne’s Behavioral Ransomware Protection, along with the Static Detection Engines, with enhanced detection introduced via a Live Security Update in March 2025. SentinelOne customers can find additional details on Live Security update content in the customer support portal.
In addition to detection via SentinelOne’s real-time endpoint protection capabilities, DragonForce can also be detected by enabling Platform Detection rules (details also available via the customer support portal).
Conclusion
While DragonForce continues to blur the line between hacktivism and financial motivation, its recent targeting suggests the group is increasingly motivated by financial rewards.
Although DragonForce’s large-scale cartel model is not the first of its kind, its current successes and the recent demise of rival operations suggest that it will become increasingly attractive both to orphaned ransomware actors and more resourced groups looking to thrive in an increasingly competitive space.
The wave of attacks against UK businesses in recent weeks highlights the ongoing need for strong cybersecurity practices and policies, along with well-developed incident response procedures. Keeping defenses up to date, properly and efficiently configured is critical. Full and contextual visibility into resources and assets is also key in defending against modern ransomware and extortion operations.
Indicators of Compromise
SHA1 Ransom Notes 343220b0e37841dc002407860057eb10dbeea94d ae2967d021890a6a2a8c403a569b9e6d56e03abd c98e394a3e33c616d251d426fc986229ede57b0f f710573c1d18355ecdf3131aa69a6dfe8e674758
SHA1 Payloads 011894f40bab6963133d46a1976fa587a4b66378 0b22b6e5269ec241b82450a7e65009685a3010fb 196c08fbab4119d75afb209a05999ce269ffe3cf
Victim Portals and Data Leak Sites 3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd[.]onion Ijbw7iiyodqzpg6ooewbgn6mv2pinoer3k5pzdecoejsw5nyoe73zvad[.]onion Kfgjwkho24xiwckcf53x7qyruobbkhx4eqn2c6oe4hprbn23rcp6qcqd[.]onion Rnc6scfbqslz5aqxfg5hrjel5qomxsclltc6jvhahi6qwt7op5qc7iad[.]onion rrrbay3nf4c2wxmhprc6eotjlpqkeowfuobodic4x4nzqtosx3ebirid[.]onion rrrbayguhgtgxrdg5myxkdc2cxei25u6brknfqkl3a35nse7f2arblyd[.]onion rrrbaygxp3f2qtgvfqk6ffhdrm24ucxvbr6mhxsga4faefqyd77w7tqd[.]onion Z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid[.]onion
Social Media TOXID: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20 TOXID: 258C79F73CCC1E56863030CD02C2C7C4347F80CAD43DD6A5B219A618FD17853C7BB1029DAE31
Singularity™ Platform
Singularity™ enables unfettered visibility, industry-leading detection, and autonomous response. Discover the power of AI-powered, enterprise-wide cybersecurity.