DragonForce Ransomware Operations and High-Profile Breaches
DragonForce, a ransomware group that has evolved into a self-described "ransomware cartel," has intensified its global operations, targeting organizations with advanced tactics and forming alliances with other cybercriminal collectives. Security researchers have detailed how DragonForce leverages vulnerable drivers such as truesight.sys and rentdrv2.sys to disable security software and has improved its encryption methods to address previously exploited vulnerabilities. The group, which began by using the LockBit 3.0 builder and later adopted a modified Conti v3 source code, now operates a ransomware-as-a-service (RaaS) model, offering affiliates a significant share of profits and customizable tools to attract new participants. Notably, DragonForce has collaborated with groups like Scattered Spider and has been linked to the compromise of major organizations, including a high-profile breach of Marks & Spencer.
Recently, DragonForce claimed responsibility for a significant breach at Mobilelink USA, a major dealer for Cricket Wireless, exfiltrating 5.04 TB of data and threatening to leak sensitive information, including personally identifiable and financial data of millions of customers across 21 states. The group has also reportedly allied with other ransomware gangs such as Qilin and LockBit, and has taken over operations or leak sites from other ransomware groups like RansomHub, BlackLock, and Mamona. In 2025 alone, DragonForce has impacted at least 185 organizations, with most attacks occurring in the last six months, underscoring the growing threat posed by this increasingly organized and aggressive ransomware operation.
Timeline
Dec 3, 2025
DragonForce claims breach of Mobilelink USA
DragonForce claimed on its leak site that it breached Mobilelink USA, a major Cricket Wireless dealer, and exfiltrated 5.04 TB of data. The stolen information was said to potentially include PII and financial data affecting millions of Cricket Wireless customers across 21 states.
Dec 3, 2025
Marks & Spencer breach linked to DragonForce-Scattered Spider activity
The DragonForce and Scattered Spider partnership was tied to the high-profile breach of Marks & Spencer. Scattered Spider reportedly used tactics such as MFA fatigue, SIM swapping, and remote management tools before DragonForce ransomware was deployed.
Dec 3, 2025
DragonForce partners with Scattered Spider for intrusions
DragonForce partnered with the Scattered Spider threat group, combining Scattered Spider's social-engineering-led initial access methods with DragonForce's ransomware deployment. The collaboration enabled more coordinated and high-impact attacks.
Dec 3, 2025
DragonForce expands through alliances with other ransomware groups
DragonForce formed alliances with other ransomware actors, including Qilin and LockBit, and was reported to have taken over the RansomHub operation while compromising the leak sites of BlackLock and Mamona. This marked a significant expansion of its criminal ecosystem and operational reach.
Dec 3, 2025
DragonForce updates malware to improve evasion and encryption
By late 2025, DragonForce released newer variants that abused vulnerable drivers to disable security tools and improved encryption to fix flaws documented in earlier versions. These changes reflected a technical maturation of the ransomware.
Jan 1, 2023
DragonForce ransomware emerges as a RaaS operation
DragonForce emerged in 2023 as a ransomware-as-a-service operation. It later evolved into a broader 'ransomware cartel' model designed to attract affiliates with high profit shares and customizable infrastructure.
Related Stories

DragonForce Ransomware Expands RaaS Operations With Dual-Extortion and a “Cartel” Affiliate Model
**DragonForce**, a ransomware-as-a-service (RaaS) operation that emerged in 2023, has been linked to a growing set of intrusions targeting “critical business” environments across multiple industries, with a focus on **manufacturing, business services, technology, and construction**. Reporting credits the group with **dual-extortion** tactics: stealing data prior to encryption and then threatening publication on a **data leak site (DLS)** to increase pressure on victims. Researchers also describe DragonForce as operationally adaptable, including changes in how it hosts and organizes leaked victim data. LevelBlue analysis cited in reporting indicates DragonForce has evolved its business approach beyond a typical affiliate program into a **“cartel” model**, allowing member groups to operate under their own brands while leveraging shared DragonForce infrastructure and services. Described offerings to affiliates include large-scale storage, continuous server monitoring, support services around file analysis/decryption, and assistance with test attacks; LevelBlue also highlighted a “**Company Data Audit**” service intended to help affiliates value stolen data and shape negotiation pressure (including prepared communications such as scripts and executive-facing letters). The group’s tooling is described as **multi-platform**, with the ability to target **Windows, Linux, ESXi, BSD, and NAS** systems and to use different encryption modes (e.g., full, header, partial), increasing potential impact across enterprise and virtualized environments.
1 month ago
Ransomware Ecosystem Fragmentation and the Emergence of DragonForce
Threat intelligence reporting describes **DragonForce** as a rapidly evolving ransomware operation that brands itself as a “cartel” and runs an affiliate service called *Ransombay*, offering customizable payload options and reportedly advertising an **80% revenue split** to attract pentesters and initial access brokers. Researchers assess DragonForce’s tooling as heavily derived from **LockBit 3.0** and **Conti**, and report signs of consolidation behavior, including infrastructure/code overlap with groups such as **BlackLock**, **RansomHub**, and **LockBit**; one cited incident involved DragonForce abusing a rival’s misconfiguration and a **Local File Inclusion (LFI)** weakness to obtain information including credentials, followed by defacement of the rival’s leak site. Separate industry reporting indicates ransomware victimization continued to rise sharply in 2025, with GuidePoint Security tracking a **58% year-over-year increase** and **7,515 claimed victims** across leak sites, alongside a more **fragmented** landscape (124 named groups, up 46% from 2024). The same reporting highlights concentration of victimization in the **United States (55%)** and heavy targeting of **manufacturing**, with healthcare also significantly impacted (500+ victims) and **Qilin** described as the most prolific RaaS group in 2025 with disproportionate healthcare targeting—context that aligns with the broader trend of many smaller, high-volume groups rather than a few dominant actors.
1 month ago
DragonForce Ransomware Technical Analysis and Availability of a Decryptor
Security researchers published a technical breakdown of **DragonForce ransomware**, a ransomware operation that evolved from early underground forum activity into a broader *ransomware-as-a-service (RaaS)* model targeting both **Windows** and **VMware ESXi** environments. Reporting attributes DragonForce’s code lineage to leaked **LockBit 3.0** and **Conti** code, with a custom build that heavily obfuscates strings and supports flexible encryption modes across local disks and network shares. Observed intrusion tradecraft includes initial access via exposed remote services (notably RDP), followed by lateral movement tooling such as **Cobalt Strike** and **SystemBC**, culminating in encryption of file servers and virtual machines and pressure via a dark web presence advertising stolen data. S2W’s analysis describes DragonForce’s cryptography and operator options, including **ChaCha8** for file encryption with **RSA-4096** key protection, command-line flags to select local vs network targeting and partial-encryption ratios, and optional behaviors such as Base32-encoding original filenames and changing icons/wallpaper. Critically, S2W reports obtaining a **working decryptor** for certain DragonForce cases on both platforms: the Windows decryptor targets files with the `.RNP` extension, while the ESXi decryptor checks for `.RNP_esxi` files and a specific 8-byte magic value (`build_key`), potentially enabling recovery without ransom payment for affected victims. Separate reporting on **DeadLock ransomware** describes a different operation using Polygon smart contracts to rotate proxy infrastructure and is not part of the DragonForce activity.
1 month ago