Since its inception in December 2023, the DragonForce ransomware group has carved out a significant presence in the world of cybercrime. Employing a Ransomware-as-a-Service (RaaS) model, they have branded their operations as a ‘cartel’ to consolidate power and influence within the industry. This strategic approach has not only expanded their reach but also attracted a network of affiliates, setting them apart from other criminal organizations.
Strategies and Tools of DragonForce
To bolster their operations, DragonForce leverages several dark web forums such as BreachForums, RAMP, and Exploit for recruitment and promotion. Their services are distinct, offering tools like ‘RansomBay’ for customized payload generation, and harassment calling services to exert pressure on victims. These tactics aim to maximize both psychological and financial impacts on their targets, ensuring higher success rates in ransom payments.
The group provides comprehensive support that rivals legitimate software firms, including data analysis and team coordination tools, enhancing their operational efficiency.
Targeting and Expansion
Between December 2023 and January 2026, DragonForce targeted 363 companies, with a notable increase in attack frequency. December 2025 saw the highest activity, with 35 victims reported in just one month. This data illustrates their growing capacity and intent to expand their reach across diverse industries.
DragonForce’s ambitions extend beyond typical attacks. They engage in adversarial relationships with rival groups, conducting infrastructure-level attacks on competitors while also seeking alliances to reinforce their market position within the RaaS economy.
Technical Advancements in Ransomware
Recent analyses of DragonForce’s Windows binaries reveal consistent encryption routines but notable structural updates. The group continues to use the Bring Your Own Vulnerable Driver (BYOVD) technique to bypass security measures, but the metadata associated with encrypted files has been modified, with the ‘Encryption Ratio’ field expanded to four bytes, increasing the metadata size to 537 bytes.
The latest builder version introduces a beta feature called ‘encryption_rules,’ allowing operators to specify encryption modes for different file extensions. The ransomware decrypts its configuration using the ChaCha8 algorithm before executing, offering attackers enhanced control over data encryption, optimizing attack speed, and severity based on the victim’s environment.
DragonForce’s evolving tactics and expanding influence underscore the growing threat they pose in the cybercrime landscape. Their complex strategies, combining cooperation and conflict, aim to dominate the RaaS sector, reflecting their ambition to be a leading force in cybersecurity threats.
