What started as a hacktivist movement has now become one of the most financially motivated and dangerous ransomware operations targeting high-profile businesses across the globe. The group in question? DragonForce. Once associated with political causes, DragonForce has evolved into a full-blown cyber-extortion cartel. And recently, they've set their sights on UK high street retailers, disrupting giants like Harrods, Marks and Spencer, and the Co-Op, paralyzing everything from payments and payroll to inventory management. Here's what you need to know.

The Origins of DragonForce

DragonForce emerged in 2023, with roots in Malaysia and a mission that initially looked more like cyberactivism than crime. Early on, the group's messaging aligned with pro-Palestinian narratives, but things changed fast. Ideology took a backseat to income, and DragonForce quickly became a financially motivated cybercrime outfit.

Their new model? A hybrid of hacktivism and ransomware-as-a-service (RaaS), blending political cover with aggressive monetization. Victims now face not just data theft, but multi-layered extortion threats, public shaming, and complete business disruption.

A Hit List That Keeps Growing

In addition to the UK retailers now scrambling to recover, DragonForce has also hit:
- Honolulu's public transport system
- The Government of Palau
- Coca-Cola Singapore
- Yakult Australia
- The Ohio State Lottery

The group shows no discrimination in targets, from governments to global corporations to law firms and even healthcare providers. If you have valuable data or a functioning payment system, you're a potential mark.

How They Get In

DragonForce isn't reinventing the wheel; they're just really good at using what's already broken.
Their entry methods include:
- Phishing campaigns
- Exploiting public-facing infrastructure with known vulnerabilities
- Credential stuffing attacks
- RDP brute force and VPN flaws

They often use tools like Cobalt Strike, Mimikatz, Advanced IP Scanner, and PingCastle to pivot and maintain access. They're also known to deploy SystemBC, a malware platform used to build encrypted tunnels through infected networks.

They favor high-impact vulnerabilities like:
- CVE-2021-44228 (Log4j "Log4Shell")
- CVE-2024-21412 (SmartScreen bypass)
- CVE-2024-21887 and CVE-2024-21893 (Ivanti Connect Secure flaws)

In short: if your patch management and access controls aren't airtight, DragonForce will find a way in.

The Ransomware Arsenal

DragonForce initially piggybacked off leaked LockBit 3.0 code. But they've now forked and enhanced their ransomware payloads using codebases from Conti v3, bringing faster encryption methods like ChaCha8 into their builds. Each affiliate can create ransomware variants tailored for different systems like Windows, Linux, VMware ESXi, and even NAS devices.

Affiliates can customize the behavior of these payloads, from delay timers to file targeting preferences, and manage campaigns via a slick internal portal. Command-line options allow attackers to adjust verbosity, delays, encryption modes, and paths. It's not just plug-and-play malware; it's full-blown ransomware DevOps.

Exfiltration & Monetization

Data theft happens before encryption. Attackers often exfiltrate sensitive data using MEGA, WebDAV, SFTP, and other common transfer methods.

The affiliate model is strong: affiliates keep 80% of ransom proceeds, while DragonForce takes a 20% cut for infrastructure and malware support. That's where RansomBay comes in, DragonForce's branded data leak portal, complete with white-label branding services for operators who want to appear independent.

Not Just a Threat. An Ecosystem.

DragonForce isn't just launching attacks. They're building a platform.
Their cartel model includes:
- Affiliate management panels
- Campaign collaboration features
- Encryption toolkits
- Leak site automation
- Victim communication portals

Like AWS for ransomware, DragonForce is turning cybercrime into a franchise opportunity.

Defensive Measures

SentinelOne and other modern EDR/XDR platforms now detect and prevent DragonForce activity across Windows and Linux systems. Behavioral monitoring, real-time threat hunting, and properly tuned detection rules are essential.

But technology alone won't save you. You need solid incident response plans. Regular tabletop exercises. Network segmentation. Principle of least privilege. And above all... user training. Every unpatched vulnerability and every click on a phishing link is an open door for groups like DragonForce.

Final Thoughts

DragonForce represents the convergence of ideology, infrastructure, and monetization. Their recent assault on UK retail shows just how far they've evolved, from activists to extortionists.

In the face of increasingly sophisticated threats, businesses need more than antivirus and firewalls. They need training. Awareness. Real-world simulations. That's where platforms like wlkthru.io come in, helping companies and individuals spot the tricks, avoid the traps, and build real cyber resilience.

Because while ransomware might be evolving, so can we. Train your team. Test your defenses. Stay ready.

Visit wlkthru.io and try a real-world phishing simulation today.
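As an added example (not part of the original post or any vendor's product), here is a small Python detector for two of the entry vectors listed under How They Get In, RDP brute force and credential stuffing, that belongs in the "properly tuned detection rules" the Defensive Measures section calls for. It runs over constructed events shaped like Windows Security log records (4625 failed logon, 4624 successful logon, logon type 10 for RDP), flags any source that crosses a failure threshold inside a sliding window, and escalates when a successful logon follows that burst from the same source. The event layout, threshold and window are assumptions to be tuned to your own logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events shaped like Windows Security log records:
# (timestamp, event_id, logon_type, source_ip, account)
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP (RemoteInteractive).
SAMPLE_EVENTS = [
    ("2025-05-01T02:00:01", 4625, 10, "198.51.100.7", "admin"),
    ("2025-05-01T02:00:02", 4625, 10, "198.51.100.7", "administrator"),
    ("2025-05-01T02:00:03", 4625, 10, "198.51.100.7", "backup"),
    ("2025-05-01T02:00:04", 4625, 10, "198.51.100.7", "svc_sql"),
    ("2025-05-01T02:00:05", 4625, 10, "198.51.100.7", "helpdesk"),
    ("2025-05-01T02:00:09", 4624, 10, "198.51.100.7", "helpdesk"),  # success right after the burst
    ("2025-05-01T02:01:00", 4625, 10, "203.0.113.5", "jsmith"),      # single typo, benign
    ("2025-05-01T02:01:30", 4624, 10, "203.0.113.5", "jsmith"),
    ("2025-05-01T03:00:00", 4625, 10, "192.0.2.9", "root"),
    ("2025-05-01T03:30:00", 4625, 10, "192.0.2.9", "root"),          # slow retries, outside window
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: {"failures": n, "compromised_account": acct_or_None}}.

    A source is reported once it accumulates >= threshold failed RDP logons inside
    the sliding window. If a successful RDP logon then arrives from the same source
    while failures are still inside the window, the account is recorded: that is the
    "password found" pattern that warrants incident response, not just a firewall block.
    """
    recent = defaultdict(deque)  # source_ip -> timestamps of failures inside the window
    alerts = {}
    for ts, event_id, logon_type, src, account in sorted(events):
        if logon_type != 10:      # only RDP logons are in scope here
            continue
        t = datetime.fromisoformat(ts)
        q = recent[src]
        while q and t - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if event_id == 4625:
            q.append(t)
            if len(q) >= threshold:
                alerts[src] = {"failures": len(q), "compromised_account": None}
        elif event_id == 4624 and src in alerts and q:
            alerts[src]["compromised_account"] = account
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, info)
```

With the defaults only 198.51.100.7 is reported, and its successful "helpdesk" logon after five failures is the line an analyst should act on first.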