Mallory

DragonForce Ransomware Expands RaaS Operations With Dual-Extortion and a “Cartel” Affiliate Model

Tags: ransomware-group-operation, cybercrime-service-ecosystem, ransomware-tooling-evolution, underground-data-leak, data-exfiltration-method
Updated March 21, 2026 at 02:39 PM (2 sources)

DragonForce, a ransomware-as-a-service (RaaS) operation that emerged in 2023, has been linked to a growing set of intrusions targeting “critical business” environments across multiple industries, with a focus on manufacturing, business services, technology, and construction. Reporting attributes dual-extortion tactics to the group: data is stolen prior to encryption, and the group then threatens to publish it on a data leak site (DLS) to increase pressure on victims. Researchers also describe DragonForce as operationally adaptable, including changes in how it hosts and organizes leaked victim data.

LevelBlue analysis cited in reporting indicates DragonForce has evolved its business approach beyond a typical affiliate program into a “cartel” model, allowing member groups to operate under their own brands while leveraging shared DragonForce infrastructure and services. Described offerings to affiliates include large-scale storage, continuous server monitoring, support services around file analysis/decryption, and assistance with test attacks; LevelBlue also highlighted a “Company Data Audit” service intended to help affiliates value stolen data and shape negotiation pressure (including prepared communications such as scripts and executive-facing letters). The group’s tooling is described as multi-platform, with the ability to target Windows, Linux, ESXi, BSD, and NAS systems and to use different encryption modes (e.g., full, header, partial), increasing potential impact across enterprise and virtualized environments.

Timeline

  1. Feb 5, 2026

    DragonForce expands into a global multi-industry threat

    After its emergence, DragonForce grew into a significant global threat targeting critical business infrastructure in sectors including manufacturing, business services, technology, and construction. Reported victim concentrations were highest in the United States, United Kingdom, Germany, Australia, and Italy.

  2. Feb 4, 2026

    DragonForce manipulates rival ecosystem and draws FSB-linked accusations

    Researchers said DragonForce defaced a rival leak site and tried to mislead other affiliates about cartel membership as part of broader ecosystem manipulation. These actions prompted accusations that the group may be linked to Russia's FSB.

  3. Feb 4, 2026

    DragonForce adopts a cartel-style affiliate model

    LevelBlue reported that DragonForce began formalizing a cartel-like structure in which affiliates can create their own brands while operating under the DragonForce umbrella and shared infrastructure. Shared services include storage, server monitoring, file analysis and decryption support, and a 'Company Data Audit' to improve extortion leverage.

  4. Feb 4, 2026

    Researchers document DragonForce's cross-platform malware capabilities

    Reporting found DragonForce ransomware supports Windows, Linux, ESXi, BSD, and NAS environments, with features such as multithreading, detailed logging, dry-run testing, SMB reconnaissance, and shadow-copy deletion. Analysts also noted code and functionality overlaps with leaked Conti source code.

  5. Feb 4, 2026

    DragonForce evolves leak-site and extortion operations

    DragonForce shifted from dedicated victim leak sites to a centralized domain for hosting stolen data, reflecting a more adaptable extortion model. Researchers also described the group as using intelligence-driven extortion tactics, including tailored messaging and data valuation support.

  6. Dec 1, 2023

    DragonForce ransomware operation emerges

    DragonForce emerged as a ransomware-as-a-service operation in late 2023. It began operating as a dual-extortion threat, encrypting victim systems while stealing data for use in ransom negotiations.


Related Stories

DragonForce Ransomware Operations and High-Profile Breaches

DragonForce, a ransomware group that has evolved into a self-described "ransomware cartel," has intensified its global operations, targeting organizations with advanced tactics and forming alliances with other cybercriminal collectives. Security researchers have detailed how DragonForce leverages vulnerable drivers such as `truesight.sys` and `rentdrv2.sys` to disable security software and has improved its encryption methods to address previously exploited vulnerabilities. The group, which began by using the LockBit 3.0 builder and later adopted a modified Conti v3 source code, now operates a ransomware-as-a-service (RaaS) model, offering affiliates a significant share of profits and customizable tools to attract new participants. Notably, DragonForce has collaborated with groups like Scattered Spider and has been linked to the compromise of major organizations, including a high-profile breach of Marks & Spencer. Recently, DragonForce claimed responsibility for a significant breach at Mobilelink USA, a major dealer for Cricket Wireless, exfiltrating 5.04 TB of data and threatening to leak sensitive information, including personally identifiable and financial data of millions of customers across 21 states. The group has also reportedly allied with other ransomware gangs such as Qilin and LockBit, and has taken over operations or leak sites from other ransomware groups like RansomHub, BlackLock, and Mamona. In 2025 alone, DragonForce has impacted at least 185 organizations, with most attacks occurring in the last six months, underscoring the growing threat posed by this increasingly organized and aggressive ransomware operation.

1 month ago
Ransomware Ecosystem Fragmentation and the Emergence of DragonForce

Threat intelligence reporting describes **DragonForce** as a rapidly evolving ransomware operation that brands itself as a “cartel” and runs an affiliate service called *Ransombay*, offering customizable payload options and reportedly advertising an **80% revenue split** to attract pentesters and initial access brokers. Researchers assess DragonForce’s tooling as heavily derived from **LockBit 3.0** and **Conti**, and report signs of consolidation behavior, including infrastructure/code overlap with groups such as **BlackLock**, **RansomHub**, and **LockBit**; one cited incident involved DragonForce abusing a rival’s misconfiguration and a **Local File Inclusion (LFI)** weakness to obtain information including credentials, followed by defacement of the rival’s leak site. Separate industry reporting indicates ransomware victimization continued to rise sharply in 2025, with GuidePoint Security tracking a **58% year-over-year increase** and **7,515 claimed victims** across leak sites, alongside a more **fragmented** landscape (124 named groups, up 46% from 2024). The same reporting highlights concentration of victimization in the **United States (55%)** and heavy targeting of **manufacturing**, with healthcare also significantly impacted (500+ victims) and **Qilin** described as the most prolific RaaS group in 2025 with disproportionate healthcare targeting—context that aligns with the broader trend of many smaller, high-volume groups rather than a few dominant actors.

1 month ago
Ransomware Ecosystem Updates: DragonForce, The Gentlemen, Gunra, and Reynolds BYOVD Evasion

Multiple reports detailed **emerging and evolving ransomware operations** and the tactics they use to scale. **DragonForce** has positioned itself as a “cartel”-style **Ransomware-as-a-Service (RaaS)** operation, using dark web forums (e.g., BreachForums, RAMP, Exploit) for recruitment and promotion, and advertising capabilities such as a payload builder (“RansomBay”) and victim-pressure services (including harassment calls). Separate profiling described **The Gentlemen** as an emerging double-extortion ransomware group first clearly observed in active campaigns in 2025, with a Go-based locker supporting **Windows, Linux, and ESXi**, and an operator-controlled execution model that requires a password parameter. Additional research reported **Gunra** as a RaaS operation with a newly launched affiliate program advertised on dark web forums in January 2026; researchers claimed access to affiliate-panel credentials and obtained a live sample for technical analysis, describing configurable attack parameters, selective encryption, and path exclusions to preserve system operability for payment. Separately, analysis of the **Reynolds** ransomware family highlighted built-in **BYOVD** defense evasion, bundling a vulnerable `NsecSoft NSecKrnl` driver within the ransomware payload to disable EDR—an approach that reduces the need for a separate pre-ransomware EDR-killer stage and reflects continued innovation in endpoint security bypass techniques.

1 month ago