DragonForce Ransomware

In recent weeks, the DragonForce ransomware group has been targeting UK retailers in a series of coordinated attacks that have caused major service disruptions. Prominent retailers such as Harrods, Marks and Spencer, and the Co-Op have all reported ongoing incidents affecting payment systems, inventory, payroll, and other critical business functions.

DragonForce has previously been attributed to several notable cyber incidents, including attacks on Honolulu OTS (Oahu Transit Services), the Government of Palau, Coca-Cola (Singapore), the Ohio State Lottery, and Yakult Australia.

Below, analysts offer a high-level overview of the DragonForce group, discuss its targeting, initial access methods, and payloads. Also provided is a comprehensive list of indicators and defensive recommendations to help security teams and threat hunters better protect their organizations.[1]

Background—DragonForce ransomware operations emerged in August 2023, primarily out of Malaysia (DragonForce Malaysia). The group initially positioned itself as a pro-Palestine hacktivist-style operation; however, its goals have shifted and expanded.

Modern-day operations are focused on financial gain and extortion, although they still target government entities. This makes it something of a hybrid actor, both politically aligned and profit-motivated. The group operates a multi-extortion model, with victims threatened with data leakage via the group’s data leak sites and reputational damage.

Recent DragonForce victims have included government institutions, commercial enterprises, and organizations aligned with specific political causes. The group is also known to target law firms and medical practices heavily. Notably, the group has targeted numerous entities in Israel, India, Saudi Arabia, and, more recently, several retail outlets in the United Kingdom.

Some of the UK retail attacks have been attributed to an individual affiliated with the loose threat actor collective ‘The Com’, who claims that its members are leveraging DragonForce ransomware. Our assessment indicates that the affiliate in question exhibits behavioral and operational characteristics consistent with those previously associated with The Com. However, due to the lack of strong technical evidence and the shifting boundaries of The Com, that attribution remains inconclusive and subject to further analysis.

Initial Access Methods—Initial access is typically gained via phishing email and the exploitation of known vulnerabilities; alternatively, attackers may leverage leaked or stolen credentials to access internet-facing devices. Cobalt Strike and other COTS tools are used for campaign management, including executing additional payloads and implants.

The DragonForce operators also utilize tools like mimikatz, Advanced IP Scanner, PingCastle, and a surplus of Remote Management tools to drill further into victim environments, ensuring both elevated privileges and persistence.

The group also heavily targets RDP services, using credential stuffing attacks and VPN weaknesses to gain initial access to systems.

The following vulnerabilities have specifically been associated with past DragonForce intrusions:

CVE-2021-44228 – Apache Log4j2 Remote Code Execution (“Log4Shell”)

CVE-2023-46805 – Ivanti Connect Secure and Policy Secure Authentication Bypass

CVE-2024-21412 – Microsoft Windows SmartScreen Security Feature Bypass

CVE-2024-21887 – Ivanti Connect Secure and Policy Secure Command Injection

CVE-2024-21893 – Ivanti Connect Secure and Policy Secure Path Traversal

Additionally, DragonForce operators have been observed deploying the SystemBC backdoor for persistence. SystemBC is a multi-platform proxying malware adopted by numerous threat actors to create SOCKS5 tunnels through victim networks.

Ransomware Payloads—Initially, DragonForce ransomware payloads were based entirely on the leaked LockBit (LockBit 3.0/Black) builder. In common with other hacktivist/RaaS groups, early DragonForce operations relied on leaked code and readily available tools. The group has since evolved its own branded ransomware, updating the source and producing a more bespoke offshoot with roots in the Conti v3 codebase.

Basic encryption features and ‘under the hood’ functionality remain unchanged, with AES used for primary file encryption and RSA for securing the keys themselves. More recently built Conti-derived samples use the ChaCha8 algorithm, which is touted as providing improved speed over the AES encryption used in the LockBit-derived variants.

DragonForce affiliates are provided with robust tools within the affiliate panel for building payloads and managing campaigns. Affiliates can build multiple variants of the DragonForce ransomware tailored to specific platforms, including Windows, Linux, ESXi, and NAS-specific encryptors.

Each affiliate can manage multiple builds per platform for each victim. When building new payloads, affiliates can customize many behavioral aspects of the ransomware, including filenames, appended extensions, additional command-line scripts, delayed execution options, process termination configuration, and allow and exception lists for file encryption.

[Image] DragonForce affiliate panel

Additionally, DragonForce payloads support multiple command-line options:

-paths – Force run in file-system search mode

-vmsvc – Force run in ESXi vim-cmd discovery mode

-n – Do not perform encryption/decryption (file discovery only)

-h H -m M -s S – Wait H hours, M minutes, S seconds before starting

-e M X Y – Encryption mode M with parameters X and Y

-p PATH – Override file-system paths for discovery

-l LOGFILE – Override the log-file location

-i X – Override the number of threads

-q – Disable output to STDOUT

-v – Verbose logging

-vwi ID – Override list of ignored VMs by ID

-vwn NAME – Override list of ignored VMs by name
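The option set above is unusual enough to be useful as a detection feature. The following is an added example (not from the article or from Red Sky Alliance) that scores process-creation events by how closely their command line matches the DragonForce option vocabulary, weighting the rare ESXi/VM flags and the argument patterns heavily and the generic single-letter flags lightly; the log format and all event lines are constructed for the example.

```python
import re

# Option set documented for DragonForce payloads in the listing above.
GENERIC_FLAGS = {"-n", "-h", "-m", "-s", "-e", "-p", "-l", "-i", "-q", "-v"}
HIGH_SIGNAL_FLAGS = {"-paths", "-vmsvc", "-vwi", "-vwn"}   # rare outside this family
DELAY_TRIPLE = re.compile(r"-h\s+\d+\s+-m\s+\d+\s+-s\s+\d+")  # -h H -m M -s S
ENC_MODE = re.compile(r"-e\s+\d+\s+\d+\s+\d+")                 # -e M X Y

# Constructed (hypothetical) event format: host=... image=... cmdline="..."
EVENT_RE = re.compile(
    r'host=(?P<host>\S+)\s+image=(?P<image>\S+)\s+cmdline="(?P<cmdline>[^"]*)"')

def score_command_line(cmdline: str) -> int:
    """Heuristic weight: 3 per high-signal flag or argument pattern, 1 per generic flag.
    Plain whitespace splitting is deliberate: the documented options take no quoted values."""
    score = 0
    for tok in cmdline.split()[1:]:          # skip argv[0]
        if tok in HIGH_SIGNAL_FLAGS:
            score += 3
        elif tok in GENERIC_FLAGS:
            score += 1
    if DELAY_TRIPLE.search(cmdline):
        score += 3
    if ENC_MODE.search(cmdline):
        score += 3
    return score

def find_suspicious(log_text: str, threshold: int = 3):
    """Return (host, image, score) for every event scoring at or above the threshold."""
    hits = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        s = score_command_line(m["cmdline"])
        if s >= threshold:
            hits.append((m["host"], m["image"], s))
    return hits

# Constructed process-creation events for this example (not real telemetry).
SAMPLE_LOG = r"""
2025-05-01T09:58:12Z host=esx01 image=/tmp/.x/enc cmdline="/tmp/.x/enc -vmsvc -vwi 12 -h 0 -m 30 -s 0"
2025-05-01T09:59:40Z host=ws17 image=C:\Windows\System32\ping.exe cmdline="ping.exe -n 4 -l 32 10.0.0.1"
2025-05-01T10:01:03Z host=fs02 image=C:\Users\Public\svc.exe cmdline="svc.exe -paths -p D:\share -e 1 10 20 -q"
"""

if __name__ == "__main__":
    for host, image, score in find_suspicious(SAMPLE_LOG):
        print(f"{host}: {image} scored {score}")
```

The ping event scores 2 and is not reported, which is the point of weighting common flags like -n and -l at 1: a single generic flag match should never page anyone on its own.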

DragonForce operators utilize multiple tactics and services for data exfiltration. This includes using MEGA and Living Off the Land (LOTL) methods like basic WebDAV and SFTP transfers to remote servers. Additionally, affiliates can set up collaborative teams within the DragonForce panel, within which they manage communications with team members and victims, manage payments, build payloads, and adjust overall campaign behavior.

Updated ‘White-label’ Branding—In early 2025, DragonForce introduced a ‘white-label’ branding service that allows affiliates to disguise the DragonForce ransomware as a different strain for an additional fee. This announcement also came alongside the RansomBay service and portals. The new RansomBay leak sites have been launched to host data stolen by affiliates of these new, expanded DragonForce services.

[Image] DragonForce’s RansomBay logo

DragonForce claims to take a 20% share of successful ransomware payouts in this offering, allowing the affiliate to keep 80%. This enables enterprising threat actors to launch seemingly unique ransomware operations while leveraging DragonForce’s infrastructure and code. For the developers, this offering allows DragonForce to profit from attacks by affiliates without having the brand tied to the attack or specific operators.

This move and DragonForce’s push to brand itself as a ‘Ransomware Cartel’ illustrate the group’s desire to raise its profile in the crimeware landscape by enabling an ecosystem. Under this model, DragonForce provides the infrastructure, malware, and ongoing support services while affiliates run campaigns under their own branding. This is similar to moves that operations like RansomHub, Rabbit Hole, and Dispossessor have previously attempted. All of this points to DragonForce seriously expanding its goals and operations.

Conclusion—While DragonForce continues to blur the line between hacktivism and financial motivation, its recent targeting suggests the group is increasingly motivated by financial rewards. Although DragonForce’s large-scale cartel model is not the first of its kind, its current successes and the recent demise of rival operations suggest that it will become increasingly attractive both to orphaned ransomware actors and more resourced groups looking to thrive in an increasingly competitive space.

The recent attacks against UK businesses highlight the ongoing need for strong cybersecurity practices and policies, along with well-developed incident response procedures. It is critical to keep defenses up to date and properly and efficiently configured. Full and contextual visibility into resources and assets is also key in defending against modern ransomware and extortion operations.

Indicators of Compromise

SHA1 Ransom Notes

SHA1 Payloads

Victim Portals and Data Leak Sites

Social Media

This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com


[1] https://www.sentinelone.com/blog/dragonforce-ransomware-gang-from-hacktivists-to-high-street-extortionists/
