Executive Summary and Group Overview
DragonForce is a profit-motivated ransomware operation that emerged in late 2023 and rapidly evolved from a standard Ransomware-as-a-Service program into what it publicly styles as a "ransomware cartel." As of mid-2026 it remains fully operational, with over 363 claimed victims across retail, logistics, technology, industrial, and government sectors. Its defining feature is a white-label affiliate model: partners can operate entirely independent brands and extortion portals on DragonForce's backend infrastructure, enabling operational resilience against law enforcement disruption of any single brand.
The group attracted global attention in April-May 2025 when affiliates, operating in conjunction with social-engineering actors assessed as linked to the Scattered Spider cluster (UNC3944), breached three major UK retailers. The combined financial impact of the Marks & Spencer and Co-op attacks was classified as a single combined cyber event with assessed impact of £270 million to £440 million ($363M to $592M). The UK National Crime Agency arrested four individuals in July 2025 in connection with these incidents, though no charges against DragonForce core operators have been filed.
| Attribute | Detail |
|---|---|
| Common name | DragonForce; DragonForce Ransomware Cartel (DFRC) |
| Aliases | DragonForce Ransomware, DFRC; distinct from DragonForce Malaysia (hacktivist collective) |
| Vendor tracking designations | Water Tambanakua (Trend Micro); by name only: Group-IB, Fortinet, WatchGuard, Sophos, Barracuda, Broadcom/Symantec, SentinelOne, Blackpoint Cyber, Intel 471, Darktrace; CrowdStrike, Secureworks, Microsoft, Mandiant, Unit 42: no separate named cluster designation confirmed in open sources as of May 2026 |
| Operational model | RaaS (2023-early 2025); white-label cartel model (March 2025 onward) |
| Extortion mechanic | Double extortion (encryption + data publication threat) |
| Revenue split | 80% affiliate / 20% core operator |
| Assessed jurisdiction | Unknown; possible CIS nexus (CREDIBLE LOW; see Attribution and State Nexus) |
| Code lineage | LockBit 3.0 and Conti v3 builders (opportunistic reuse; no personnel continuity implied) |
| LE disruption status | 4 arrests (NCA, July 2025); no infrastructure seizure; no OFAC sanctions as of May 2026 |
| Decryptor availability | No public universal decryptor available |
Lineage and Organizational Heritage
DragonForce Ransomware first appeared publicly in late 2023, with the Ohio Lottery (December 2023) and Yakult Australia among its earliest documented victims. A dedicated leak site ("DragonLeaks") and formal RaaS affiliate program followed in early 2024. By June 2024 the group was actively recruiting affiliates via the RAMP underground forum. In March 2025 the operators publicly announced a shift to a "cartel" model. The operation has been continuously active since its emergence.
Multiple independent technical analyses confirm that DragonForce's ransomware payloads draw on leaked builder code from LockBit 3.0 and Conti v3. Early samples were closely copied from the LockBit 3.0/Black builder family; later samples shifted toward a Conti v3-derived code base. The cryptographic scheme is generally AES + RSA, with some ChaCha8 variants documented for speed optimization. This reflects opportunistic reuse of publicly available leaked builders and does not imply organizational continuity with LockBit or Conti leadership structures. Confidence in code overlap: CONFIRMED (Group-IB, Trend Micro, Loginsoft, Barracuda, SOCRadar, and Resecurity independently report this).
The practical implication for attribution: the vendor designations Wizard Spider (CrowdStrike) and Gold Ulrick (Secureworks) describe the parent Conti organization. Neither designation applies to DragonForce. DragonForce is not a Conti successor in the personnel-continuity sense; it is a separate operation that weaponized leaked Conti tooling. Trend Micro's designation Water Tambanakua is specific to DragonForce.
Operational Model
DragonForce operates as a criminal service platform rather than a single operational unit. The core team provides infrastructure, while affiliated operators and sub-brands conduct intrusions. This model is designed explicitly to decouple the tooling from any individual brand, reducing law enforcement leverage against the central operation.
Services provided to cartel members include: administration and client management panels; encryption payload builders with configurable parameters; ransom note generators; negotiation tooling and victim communication portals; file storage and hosting for exfiltrated data; Tor-based DLS infrastructure with custom .onion domains; and dedicated technical support and negotiation assistance for affiliates.
- Revenue split: 80% to affiliates, 20% retained by core operators. Publicly advertised on underground forums including RAMP.
- Recruitment channels: RAMP (Russian-language dark web forum), Telegram-adjacent channels, and direct outreach to displaced affiliates from disrupted groups (e.g., RansomHub, BlackLock).
- Entry requirements: Prior intrusion experience and ability to obtain initial access. Targeting rules include a stated prohibition on attacks within Russia and other former Soviet Union states (CIS) and a self-reported avoidance of healthcare organizations. Enforcement of these rules across all affiliates is not independently verified.
- White-label option: Partners may operate entirely under a different brand name with separate DLS portals on DragonForce infrastructure. The "RansomBay" sub-brand is the first documented example, incorporating elements of the DragonForce logo while operating under a distinct identity.
DragonForce employs double extortion as its core pressure mechanism: data is exfiltrated prior to encryption, creating two independent leverage points. Payment deadlines are enforced with countdown timers on the DLS. Ransom demands for large enterprises have been reported in the multi-million dollar range, with negotiation reductions of 30-60% reported across multiple incidents.
In high-profile campaigns, the group has escalated beyond victim communications to direct outreach to executives (M&S CEO) and media engagement (BBC). Data auction threats and harassment of victim customers or partners have also been documented. Victim communication takes place through Tor-accessible chat portals linked via unique IDs in ransom notes.
For victims with functional backups, DragonForce's primary remaining leverage is the data publication threat. The group advertises that paying the ransom prevents onward sale or publication of exfiltrated data, though no mechanism enforces this commitment.
Technical Capabilities
DragonForce and its affiliates use a range of initial access methods. Phishing with malicious attachments or links is a documented baseline approach. Exploitation of public-facing vulnerabilities has been confirmed across multiple incidents:
| CVE | Product | Type | Confidence |
|---|---|---|---|
| CVE-2021-44228 | Apache Log4j (Log4Shell) | Remote Code Execution | Confirmed |
| CVE-2023-46805 | Ivanti Connect Secure | Authentication Bypass | Confirmed |
| CVE-2024-21887 | Ivanti Connect Secure | Command Injection | Credible |
| CVE-2024-21893 | Ivanti Connect Secure | Path Traversal (SSRF) | Credible |
| CVE-2024-21412 | Microsoft Windows SmartScreen | Security Feature Bypass | Credible |
Affiliates also leverage stolen or cracked credentials and valid account access. In the UK retail incidents, initial access was obtained via social engineering against IT helpdesk services (voice phishing/vishing targeting service desk contractors), consistent with Scattered Spider/UNC3944 TTPs rather than DragonForce-specific tooling.
- Backdoor and C2: SystemBC for persistent backdoor access; SimpleHelp RMM software exploited for remote control; Cobalt Strike-compatible beacons for C2 communications.
- Credential access: Mimikatz for credential harvesting; NTDS.dit (Active Directory database) theft to enable quiet authenticated lateral movement at scale.
- Defense evasion: Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques to disable EDR and security tooling; XDR/EDR bypass capabilities advertised in RaaS recruitment materials.
- Deployment: Domain controllers and scripts used for mass deployment of encryptors across networks; administrator account creation for persistence.
- Exfiltration: Data exfiltration precedes encryption; exfiltrated material stored on DragonForce-controlled file hosting infrastructure.
DragonForce implements hybrid encryption: AES symmetric encryption per file with asymmetric RSA key wrapping as the primary scheme; ChaCha8 variants have been observed in some samples for higher throughput. Multi-threaded encryption is supported to maximize speed on target systems. Volume shadow copies are deleted to impede recovery. File extensions are modified post-encryption.
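Several of the host behaviours listed above (shadow copy deletion before encryption, NTDS.dit extraction, and administrator account creation for persistence) are visible in ordinary process-creation telemetry. The following detection sketch is an added example written for this profile, not code from DragonForce or from any vendor cited here; the event shape, the host and user names, and the command lines are constructed sample data, and the regular expressions are this example's own approximations of those behaviours.

```python
import re

# Constructed process-creation events in a simplified EDR/Sysmon-like shape
# (sample data for this example, not real telemetry from any incident).
SAMPLE_EVENTS = [
    {"host": "srv-01", "user": "CORP\\svc_backup",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "dc-01", "user": "CORP\\admin01",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\ntds" q q'},
    {"host": "dc-01", "user": "CORP\\admin01",
     "cmdline": "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1"
                "\\Windows\\NTDS\\ntds.dit C:\\temp\\ntds.dit"},
    {"host": "ws-17", "user": "CORP\\jdoe",
     "cmdline": "notepad.exe shadows.txt"},          # benign, must not fire
    {"host": "srv-02", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "srv-02", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "net user dfsupport P@ssw0rd! /add"},
    {"host": "srv-02", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "net localgroup administrators dfsupport /add"},
]

# Each rule maps one behaviour from the profile to a command-line pattern.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
        re.I),
    "ntds_extraction": re.compile(
        r"\bntdsutil(\.exe)?\b.*\bifm\b|\bntds\.dit\b", re.I),
    "admin_account_creation": re.compile(
        r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"
        r"|\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I),
}


def match_event(event):
    """Return the names of all rules whose pattern matches this event's command line."""
    cmd = event.get("cmdline", "")
    return [name for name, pattern in RULES.items() if pattern.search(cmd)]


def scan(events):
    """Return one (host, user, rule, cmdline) hit per matching rule per event."""
    hits = []
    for ev in events:
        for rule in match_event(ev):
            hits.append((ev["host"], ev["user"], rule, ev["cmdline"]))
    return hits


def hosts_with_multiple_behaviours(hits):
    """Hosts on which more than one distinct behaviour fired. Shadow copy deletion
    plus a new administrator account on the same host is a much stronger
    pre-encryption signal than either command alone."""
    per_host = {}
    for host, _user, rule, _cmd in hits:
        per_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) > 1)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print("multi-behaviour hosts:", hosts_with_multiple_behaviours(found))
```

In production these patterns should be fed from real process-creation events and tuned against legitimate backup and directory-maintenance activity, which can legitimately run the same binaries.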
DragonForce targets Windows environments as its baseline. Cross-platform capabilities derived from the LockBit and Conti leaked code expand coverage to Linux, VMware ESXi (confirmed in M&S attack: virtual machines encrypted), BSD platforms, and some NAS devices. The VMware ESXi targeting variant was specifically weaponized in the April 2025 UK retail campaign to encrypt virtual machines supporting e-commerce and payment processing at scale.
DragonForce's affiliate rules, documented by The Register and Barracuda, explicitly prohibit attacks on Russia and other former Soviet Union states (CIS). Whether this constraint is implemented at the binary level (keyboard/locale check) or enforced only through affiliate rules is not confirmed in available technical analyses. The Perplexity research document notes that public binary analyses do not consistently document explicit CIS keyboard checks; however, the affiliate-rule prohibition is separately confirmed. The combination of RAMP advertising (Russian-language forum), CIS exclusion rules, and use of tools common in Russian-speaking criminal ecosystems collectively constitute a credible (though not confirmed) CIS nexus indicator. Confidence: CREDIBLE.
Financial Infrastructure
DragonForce demands ransoms in Bitcoin as the primary payment channel. Scattered references to privacy coin support exist in open sources but are not consistently documented. Bitcoin's traceability makes on-chain forensics possible in principle; however, as noted below, no major blockchain analytics firm has published a detailed DragonForce-specific analysis.
TRM Labs, Chainalysis, and Elliptic have not published dedicated DragonForce blockchain forensics in open sources as of May 2026. This is a material intelligence gap. In the absence of published on-chain analysis, generic RaaS laundering patterns are the relevant reference: multi-stage wallet hopping, use of mixing or coin-swap services, and eventual cash-out through less regulated exchanges. These patterns are inferred from the broader RaaS ecosystem; they are not specifically documented for DragonForce.
The high-profile nature of the UK retail attacks (£270M-£440M classified as a single combined event) increases the probability that on-chain analysis is ongoing at law enforcement level and may not be publicly disclosed until indictments or forfeiture proceedings materialize.
As of May 2026, no OFAC designations, UK OFSI sanctions, or EU asset freeze designations have been publicly announced targeting DragonForce, its core operators, or named wallet addresses. The July 2025 NCA arrests have not yet resulted in publicly disclosed forfeiture orders. Any organization considering ransom payment should treat DragonForce as high-risk from a sanctions-compliance standpoint notwithstanding the absence of a formal designation, given the UK charges and ongoing NCA investigation.
Victim Profile and Targeting
| Sector | Notable Victims | Confidence |
|---|---|---|
| Retail | Marks & Spencer (UK), Co-op Group (UK), Harrods (UK) | CONFIRMED |
| Lottery / Government-adjacent | Ohio Lottery (USA); Palau government | CONFIRMED |
| Food and beverage | Yakult Australia | CONFIRMED |
| Industrial / OT | 15+ industrial targets Q1 2025 per Dragos | CREDIBLE |
| Logistics / Shipping | Unnamed; documented in Group-IB and Bridewell reporting | CREDIBLE |
| Technology / MSP | MSP via SimpleHelp RMM exploitation | CONFIRMED |
| Luxury retail | Belk (USA) claimed on DLS | CREDIBLE |
Geographic distribution: Early targeting concentrated in the Asia-Pacific and Middle East region (consistent with the DragonForce Malaysia (DFM) overlap hypothesis); subsequent expansion into the United Kingdom, Continental Europe, and North America. The UK retail campaign (April-May 2025) and confirmed US targeting suggest active geographic expansion. Dragos and Mandiant both note threat actor interest in expanding the UK retail campaign model to US retail targets.
DragonForce publicly claims avoidance of healthcare targets. The group's BleepingComputer statement: "We don't attack cancer patients or anything heart related, we'd rather send them money and help them." This is a self-reported constraint and remains unverified across all affiliate activity. Analysts should treat healthcare avoidance as a soft, non-verified constraint that may not hold under the cartel/white-label model where affiliate enforcement is decentralized.
Affiliate rules prohibit attacks on Russia and former Soviet Union states (CIS). No prohibition on attacks against Malaysian entities has been identified (SentinelOne, Barracuda). Organizations in the retail, logistics, technology, and industrial sectors in the UK, US, and Australia should treat DragonForce as an active threat as of May 2026.
The April-May 2025 UK retail campaign is DragonForce's most consequential documented operation to date. Marks & Spencer's network was penetrated as early as February 2025; encryptors targeting VMware ESXi hosts were deployed in April 2025. Co-op confirmed exposure of over 10,000 members' personal data. Harrods restricted internet access after a claimed breach. The combined M&S and Co-op incidents were classified by the Cyber Monitoring Centre as a single combined cyber event with financial impact of £270M to £440M.
M&S confirmed to a UK Parliamentary committee on July 8, 2025 that the attack was DragonForce ransomware, deployed by actors "loosely aligned" with Scattered Spider. Initial access was obtained via social engineering against TCS (Tata Consultancy Services), the contractor running M&S's IT helpdesk. The Scattered Spider/DragonForce combination reflects the cartel's value proposition: access specialists (Scattered Spider) can partner with DragonForce infrastructure for payload delivery and extortion management.
Law Enforcement and Regulatory Response
The UK National Crime Agency (NCA) announced on July 10, 2025 the arrest of four individuals in connection with the cyberattacks on Marks & Spencer, Co-op, and Harrods. The arrests were made in West Midlands and London. Suspects were arrested on suspicion of Computer Misuse Act offenses, blackmail, money laundering, and participating in the activities of an organized crime group. Electronic devices were seized for forensic analysis. The NCA did not publicly name the "organized crime group," but reporting links the suspects to Scattered Spider / The Com rather than to DragonForce core operators.
| Detail | Information | Source |
|---|---|---|
| Arrest date | July 10, 2025 | NCA (CONFIRMED) |
| Number arrested | 4 | NCA (CONFIRMED) |
| Ages / demographics | Two aged 19, one aged 17, one woman aged 20 | NCA (CONFIRMED) |
| Named suspects (Krebs reporting) | Owen David Flowers (aliases: bo764, Holy, Nazi); Thalha Jubair (aliases: Earth2Star, Operator) — both 19-year-olds; Jubair also alleged former LAPSUS$ core member and Doxbin administrator | Krebs on Security (CREDIBLE, single source) |
| Charges | Computer Misuse Act offenses, blackmail, money laundering, organized crime participation | NCA (CONFIRMED) |
| Infrastructure seized | None; DragonForce DLS and operations continue | CONFIRMED |
There are no publicly disclosed indictments, US or EU court documents, or OFAC/OFSI sanctions dedicated to DragonForce core operators as of May 2026. No FBI/CISA joint advisory, UK NCSC dedicated advisory, or Europol action targeting DragonForce specifically has been issued. DragonForce has not received the "Tier-1" law enforcement focus that LockBit or REvil attracted prior to their disruptions.
Approximately a dozen total Scattered Spider members have been arrested in the eighteen months preceding May 2026 across multiple law enforcement operations. This pressure on the Scattered Spider access layer may affect DragonForce's most capable affiliate channel but leaves the cartel infrastructure intact.
Attribution and State Nexus
DragonForce's ransomware operations are unambiguously profit-motivated. Ransom monetization is the operational center of gravity. No pattern of politically motivated targeting, ideological messaging aligned with state interests, or gratuitous destruction inconsistent with financial incentives has been documented.
No confirmed organizational relationship between DragonForce and Russian intelligence services (FSB, SVR, GRU) exists in open sources. However, several indicators constitute a credible (low-confidence) CIS nexus signal:
Mandiant (Google Threat Intelligence Group) reported that threat actors used TTPs consistent with UNC3944 (Scattered Spider) in the UK retail attacks, deploying DragonForce ransomware. This is a use relationship (Scattered Spider affiliates using DragonForce infrastructure), not an organizational merger. Mandiant has not formally attributed the UK retail intrusions to Scattered Spider; the characterization is "tactics consistent with." CrowdStrike, Microsoft, and Fenix24 reportedly assessed Scattered Spider involvement based on the M&S investigation; Google TIG stated it had not independently confirmed Scattered Spider attribution.
Practically: Scattered Spider's social engineering capabilities and native English fluency complement DragonForce's infrastructure and payload delivery, creating a potent combined capability against Western enterprises. The cartel model explicitly facilitates this type of partnership without requiring formal membership.
Trajectory Assessment
The following cluster relationships are assessed with two-tier confidence (anchor relationship / extension claims):
| Group | Relationship | Anchor Confidence | Extension Confidence | Vendor Coverage |
|---|---|---|---|---|
| Scattered Spider / UNC3944 | Access affiliate; used DragonForce payloads in UK retail campaign | CREDIBLE (Mandiant, CrowdStrike, M&S Parliamentary testimony) | CREDIBLE (ongoing use relationship plausible given cartel model) | Mandiant, Bridewell, Acronis, Realize Security; Google TIG does not formally confirm attribution |
| RansomHub | DragonForce claimed RansomHub April 2025 after RansomHub went dark April 1; sub-brand portal created | CONFIRMED (The Hacker News, Barracuda, GuidePoint, Sophos) | CREDIBLE (displaced affiliates migrating to DFRC sub-brands) | Sophos, Barracuda, GuidePoint, CyberExpress; RansomHub "Koley" disputes hostile takeover framing |
| RansomBay | First documented white-label sub-brand; former RansomHub affiliate operating on DragonForce infrastructure | CONFIRMED (Barracuda, RansomLook) | N/A (sub-brand, not separate group) | Barracuda, RansomLook |
| BlackLock | Rival defaced within 24 hours of DFRC cartel announcement (March 2025) | CONFIRMED (Secureworks, The Hacker News) | ANALYST INFERENCE (hostile relationship; BlackLock affiliation with DFRC not assessed) | Secureworks, Sophos, The Hacker News; Mandiant, Recorded Future have not published formal assessment |
| DragonForce Malaysia | Possible founding relationship or shared personnel; contested | CREDIBLE LOW (naming overlap, timing, some targeting overlap) | CREDIBLE LOW (DFM denies; no technical link established) | WatchGuard, Barracuda, SOCRadar note the linkage hypothesis; SentinelOne, Barracuda note counter-evidence |
The structural change in March 2025 was an expansion, not a rebrand or exit. DragonForce has not gone dark, changed names, or shown infrastructure shutdown signals. The cartel model actively absorbs displaced affiliates from disrupted groups (RansomHub, BlackLock), which strengthens rather than weakens the operation over time. The March 2025 pivot is explicitly designed to be resilient to the kind of single-brand takedowns that disrupted LockBit and ALPHV.
- Victim growth trajectory: 82 (Aug 2024) to 363+ (late 2025) represents more than a fourfold increase in approximately fifteen months. The growth rate accelerated post-cartel announcement.
- Capability evolution: Multi-platform payload coverage (Windows, Linux, ESXi, BSD, NAS), cross-industry targeting including OT/ICS environments, and documented social engineering partnerships indicate ongoing capability development.
- Model innovation as resilience: White-label cartel structure specifically decouples the operational brand from infrastructure, reducing the enforcement leverage that dismantled LockBit. This is an adaptive response to the LE disruption model.
- LE pressure level: Four arrests (July 2025) targeting peripheral actors (Scattered Spider affiliates), not core operators. Infrastructure intact. Current LE pressure level: moderate (elevated investigation, no takedown).
- Competitive dynamics: DragonForce's aggressive rival targeting (BlackLock defacement, RansomHub absorption) reflects an intent to consolidate market share. If successful, this concentrates more ransomware affiliate activity under a single infrastructure, increasing overall attack volume.