The cybersecurity landscape has seen the emergence of increasingly sophisticated ransomware operations, with DragonForce standing out as a particularly concerning threat actor that has evolved from politically motivated attacks to large-scale financial extortion campaigns.
The DragonForce ransomware group launched in 2023 as a politically motivated collective, initially targeting entities that aligned with particular ideological beliefs.
However, the group has undergone a significant transformation, pivoting toward financially motivated extortion campaigns that have positioned it as one of the more prominent ransomware-as-a-service (RaaS) operations active today.
The group's evolution reflects the broader trend of cybercriminal organizations adapting their tactics to maximize profitability while expanding their operational reach.
Intel 471 analysts identified that the group operates under what it terms a "cartel" operating model, in which actors may create their own "brand" and launch attacks using DragonForce's infrastructure, tools, and resources, including access to its data leak site.
Query logic (Source – Intel471)
This approach differs slightly from traditional RaaS models by allowing affiliates to adopt their own names rather than operating solely under the DragonForce banner.
The group's attacks have been documented globally, particularly affecting high-profile targets across the retail, financial, and manufacturing sectors in North America, Europe, and Asia.
The group's operational methodology centers on a double-extortion strategy in which attackers encrypt victims' data while simultaneously threatening to release exfiltrated information if ransom demands are not met.
Rather than developing proprietary encryption tools, DragonForce has leveraged leaked ransomware builders from established groups including LockBit and Conti, demonstrating the interconnected nature of modern cybercriminal ecosystems.
Intel 471 researchers have tracked 53 possible victims of DragonForce throughout 2025, highlighting the group's sustained operational tempo.
Notable incidents linked to DragonForce include data breaches affecting major UK retailers Marks & Spencer and Co-op, which caused severe operational disruptions.
These attacks have been attributed to native English-speaking attackers suspected of being DragonForce affiliates, possibly associated with the broader TheCom online ecosystem, also known as Scattered Spider.
Persistence Techniques and Registry Manipulation
DragonForce employs sophisticated persistence mechanisms to maintain access to compromised systems, with registry run key modification representing a cornerstone of its operational methodology.
Windows Event Logs ingested into Splunk (Source – Intel471)
After initial system compromise, the group implements persistence techniques that ensure its malware executes automatically on system restart, effectively maintaining access even when defenders attempt to remediate other attack vectors.
The group's persistence technique involves adding malicious programs to startup folders or referencing them via Windows registry run keys (for example HKLM\ or HKCU\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce), allowing the referenced programs to execute automatically when users log in.
This technique enables sustained access without requiring user interaction or repeated social engineering efforts, representing a critical component of its post-exploitation activities.
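The two autorun locations described above (registry Run/RunOnce keys and the Startup folders) are both visible in Sysmon telemetry: a Run-key value write surfaces as Event ID 13 (RegistryEvent: Value Set) and a Startup-folder drop as Event ID 11 (FileCreate). The following is an added example of detection logic over such records, not Intel 471's Splunk query and not DragonForce tooling. It assumes Sysmon's field names (Image, TargetObject, Details, TargetFilename), an organisation-specific allowlist of baselined autoruns, and constructed sample records; the scoring weights are a starting point to tune, not a published standard.

```python
"""Score Sysmon records for the two autorun persistence vectors the article names:
registry Run/RunOnce keys (Event ID 13, Value Set) and the Startup folders (Event ID 11).

Added example, not DragonForce tooling or Intel 471's query. Field names follow
Sysmon's; every sample record below is constructed. The allowlist is an assumed,
organisation-specific baseline.
"""
import ntpath
import re

# Value writes beneath any of the classic autorun keys, including Wow6432Node and HKU\<SID>.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce|RunOnceEx|RunServices)\\",
    re.IGNORECASE,
)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Directories any user can write to; legitimate autoruns rarely point there.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|Users\\Public|ProgramData|Temp)\\", re.IGNORECASE
)
# Interpreters and proxies that often front a malicious payload in an autorun value.
LOLBIN_RE = re.compile(
    r"\b(?:rundll32|regsvr32|mshta|wscript|cscript|powershell|pwsh|cmd)(?:\.exe)?\b",
    re.IGNORECASE,
)
ENCODED_PS_RE = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s", re.IGNORECASE)
VALUE_CHECKS = [
    (USER_WRITABLE_RE, 2, "payload lives in a user-writable directory"),
    (LOLBIN_RE, 2, "payload is launched through a LOLBin"),
    (ENCODED_PS_RE, 2, "encoded PowerShell in autorun value"),
]
SCRIPT_EXT = {".exe", ".lnk", ".vbs", ".js", ".bat", ".cmd", ".hta", ".ps1", ".scr"}
# Processes that should not normally be the ones installing autoruns.
WRITER_LOLBINS = {"reg.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
ALLOWLIST = {r"c:\program files\vendor\updater.exe"}  # assumed baseline, lowercase


def first_token(cmd: str) -> str:
    """Executable portion of a Run-key command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(maxsplit=1)[0] if cmd else ""


def _writer_bonus(image: str, reasons: list) -> int:
    """Extra point when the writing process is a LOLBin or itself runs from user space."""
    writer = ntpath.basename(image).lower()
    if writer in WRITER_LOLBINS or USER_WRITABLE_RE.search(image):
        reasons.append(f"installed by {writer or 'unknown process'} rather than an installer")
        return 1
    return 0


def score_event(event: dict) -> tuple[int, list]:
    """Return (score, reasons); 0 means the record is not an autorun write worth a look."""
    eid = str(event.get("EventID"))
    if eid == "13" and RUN_KEY_RE.search(event.get("TargetObject", "")):
        details = event.get("Details", "")
        if first_token(details).lower() in ALLOWLIST:
            return 0, ["allowlisted autorun"]
        score, reasons = 1, [f"value set under autorun key {event['TargetObject']}"]
        for rx, points, why in VALUE_CHECKS:
            if rx.search(details):
                score += points
                reasons.append(why)
        return score + _writer_bonus(event.get("Image", ""), reasons), reasons
    if eid == "11" and STARTUP_DIR_RE.search(event.get("TargetFilename", "")):
        name = event["TargetFilename"]
        score, reasons = 1, [f"file dropped in Startup folder: {name}"]
        if ntpath.splitext(name)[1].lower() in SCRIPT_EXT:
            score += 2
            reasons.append("executable or script type")
        return score + _writer_bonus(event.get("Image", ""), reasons), reasons
    return 0, []


def detect(events, threshold: int = 3):
    """Records at or above the threshold, in arrival order, ready to become SIEM alerts."""
    hits = []
    for e in events:
        score, reasons = score_event(e)
        if score >= threshold:
            hits.append({"RecordId": e.get("RecordId"), "score": score, "reasons": reasons})
    return hits


# Constructed Sysmon records as a SIEM might hand them over (invented hosts, paths, SIDs).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 13, "Image": r"C:\Program Files\Vendor\Setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\Updater.exe" /background'},
    {"RecordId": 2, "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "Details": r"C:\Users\jdoe\AppData\Roaming\Microsoft\svchost.exe"},
    {"RecordId": 3, "EventID": 13,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Cleanup",
     "Details": r"rundll32.exe C:\ProgramData\upd.dll,Start"},
    {"RecordId": 4, "EventID": 11, "Image": r"C:\Users\jdoe\AppData\Local\Temp\inv0ice.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"RecordId": 5, "EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["RecordId"], hit["score"], "; ".join(hit["reasons"]))
```

Two caveats when moving this into a SIEM. Sysmon only emits Event ID 13 for keys its configuration includes, so confirm the Run/RunOnce paths are covered before relying on it; the equivalent Windows Security event (4657) needs registry SACL auditing, which is off by default. RunOnce values delete themselves after executing, so the write event may be the only record that the entry ever existed, which is a reason to alert on the write rather than to wait for a periodic autoruns sweep.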