Why DragonForce is growing in prominence – with retailer attacks boosting its reputation

The criminal group DragonForce has exploded onto the cybersecurity scene in recent weeks, taking credit for the recent ransomware attacks on UK retail giants M&S and the Co-op.
DragonForce is a ransomware-as-a-service (RaaS) platform which provides malware and attack infrastructure to affiliate groups that are unable to launch large-scale attacks on their own.
Known to support double extortion ransomware attacks, in which attackers not only encrypt data but also threaten to leak sensitive information if ransoms are not paid, the group has been behind a growing number of attacks on enterprises.
ITPro spoke to Giovanni Barbieri, cyber threat intelligence analyst and ransomware expert at Group-IB, to discuss the rise of the group and its tactics.
Barbieri told ITPro that DragonForce was first discovered in September 2023 and is known to have commenced RaaS operations in the summer of 2024. Group-IB included DragonForce on its list of ‘top 10 masked actors’ for this year.
“They promoted this opportunity on the dark web forums, and what is interesting here is in March 2025 they further changed their direction because they still provide ransomware as a service, but they allow affiliates that want to join them to operate with their own brand,” he said.
This is unusual, Barbieri explained, as typically affiliates are required to work under the wider brand of the RaaS operator. In contrast, DragonForce affiliates are allowed to use infrastructure such as its dedicated leak site (DLS) and storage to promote their own brand.
“This proves DragonForce is interested in expanding its operations – and this could also lower the barrier for entrance in ransomware operations for threat actors who are less sophisticated, don’t have the capabilities, or don’t want to manage the infrastructure.”
Between January and March 2024, DragonForce disclosed 32 victims on its leak site, compared to 58 over the same period in 2025. Barbieri warned this shows its affiliate program is working and that many hacking groups are looking to use its services.
He added that DragonForce is a group to watch, particularly as competing RaaS platforms such as RansomHub are allegedly shutting down, as well as for its unique approach to attracting affiliates.
One of the most appealing factors of working with DragonForce, from an affiliate’s point of view, is that it only asks for a 20% cut of the profit from attacks.
“I think also that the current news will increase their reputation, probably, and incentivize other groups to join them,” he said.
DragonForce: Who and how?
Details about DragonForce’s attack methodology are only just emerging. In a blog post, Group-IB noted the operator uses a variant of the LockBit ransomware strain, as well as another drawn from Conti, alongside legitimate tools such as Cobalt Strike and the botnet malware SystemBC.
It is known to use the bring your own vulnerable driver (BYOVD) technique, in which legitimate drivers that contain known vulnerabilities are introduced onto a target's systems. Because the drivers carry valid code signatures, they are often not flagged as malicious; the attackers then exploit their vulnerabilities to disable critical processes, including security systems.
As DragonForce’s operations grow, it could become harder for defenders to identify precise attack vectors and indicators of compromise associated with the platform. This is partly due to the degree of customization it offers affiliates with regard to the strains they deploy.
DragonForce’s exact location is still unknown. Group-IB noted the group has some links to the hacktivist group DragonForce Malaysia but nothing concrete. However, Barbieri pointed out that its rule against attacking countries in the Commonwealth of Independent States – former Soviet states including Russia, Belarus, and Armenia – could hint at its origins.
This is just a theory at present, with more research into the operator needed before any hard conclusions can be drawn about the people behind it.
In the meantime, Barbieri warned that ransomware continues to be a major concern for all organizations, pointing to the recent retail attacks as examples of how financially damaging cyber attacks can be.
He cautioned against paying ransoms, warning that this is only a short-term solution.
“The advice is always not to pay because first of all, paying you are financing the cyber crime, you are financing the ransomware as a service, you are paying for their infrastructure and with your money they can improve their technology and their capabilities,” he said.
“And also if you pay, the word that you paid could be spread among other ransomware groups so you could become a target because you are a company that has already paid – and could pay in other cases.”