DragonForce entered 2026 as one of the most structurally interesting threats in the ransomware ecosystem — not because of technical novelty, but because of a deliberate business model evolution that positions them less as a ransomware group and more as infrastructure provider to the criminal market. Understanding DragonForce in 2026 means understanding how the cartel model changes the threat picture for defenders.
From RaaS to “Cartel”
DragonForce first emerged as a ransomware-as-a-service operation in late 2023, offering affiliates a standard split-revenue model and a Linux/Windows/ESXi-compatible payload. In 2025 they announced what they called a “cartel” evolution: rather than operating only their own payload, they began offering other ransomware operators access to their backend infrastructure — leak site hosting, negotiation portals, payment processing, and victim management tooling — in exchange for a portion of proceeds.
The practical effect is consolidation in the criminal market. Smaller operators who might previously have stood up independent infrastructure now rent DragonForce’s instead. This makes attribution harder (multiple groups sharing infrastructure appear linked when analysed solely on infrastructure indicators) and increases operational resilience — individual operator takedowns do not disrupt the underlying cartel infrastructure.
In Q2 2026, DragonForce and another group called Lamashtu each claimed 11 new victims, placing them among the most active operators by victim count. DragonForce’s data analysis service — announced in late 2025 — gives affiliates tooling to rapidly search and index exfiltrated data, reducing the manual effort required to produce credible leak threats and accelerating the extortion timeline.
Technical Profile: EDR Killer TTPs
DragonForce affiliates have been consistently observed deploying EDR killers before payload execution. The technique has evolved through several generations.
The first generation (2023–early 2024) used classic BYOVD with well-known vulnerable drivers (RTCore64, gdrv.sys, Gigabyte’s vulnerable kernel module). Modern EDR with driver blocklists detects this reliably.
The second generation (2024–2025) abused legitimate security tooling — specifically, the RogueKiller Anti-Rootkit Driver. RogueKiller is a benign tool; its driver is signed and not on blocklists. DragonForce loaded it and then abused its IOCTL interface to terminate EDR processes by PID. This technique initially evaded many vendor blocklists because the driver itself is legitimate.
The third generation (2025–2026) moved to driverless EDR killing via script-based abuse of legitimate anti-rootkit and process manipulation APIs. Groups including DragonForce, RansomHouse, and MedusaLocker have been observed using commercial EDR killers sourced from underground markets — pre-built tools that abstract the underlying technique and are updated frequently to evade detection.
The common thread across all generations: the EDR kill step happens before encryption, and often before any ransomware payload is written to disk. By the time the encryptor executes, the defensive tooling that would detect it is already offline.
2026 Targeting Profile
DragonForce’s most high-profile 2026 operations targeted UK retail organisations, including two major retail chains with significant consumer data holdings. The retail sector is attractive for several reasons: high volumes of payment card data command strong extortion leverage; retail operations are highly downtime-sensitive (a distribution centre shutdown directly affects revenue); and retail security teams are frequently under-resourced relative to financial services peers.
Beyond retail, DragonForce affiliates have been active across healthcare, manufacturing, and professional services. Sector selection appears largely affiliate-driven — individual affiliates bring their own access and sector knowledge; the DragonForce cartel supplies infrastructure.
Initial access in attributed campaigns has followed consistent patterns: FAKEUPDATES (SocGholish) infections used as a beachhead, enabling DragonForce and RansomHub affiliates to take over existing access sold by initial access brokers; compromised VPN credentials for organisations without MFA on remote access; and exploitation of internet-facing appliances — edge devices and VPN concentrators — consistent with broader 2026 trends.
Negotiation Patterns
DragonForce maintains a victim portal with a countdown timer and a multi-stage extortion model. The initial demand is posted within 24–48 hours of first contact, typically 3–10x the likely actual settlement. Proof-of-data samples are published to the leak site to increase pressure. DragonForce then publishes subsets of data as deadlines pass, creating escalating public pressure. If no payment follows, some cases see data sold to third parties rather than simply published.
Average ransom amounts in DragonForce campaigns reported in 2025–2026 range from £500K to £12M for mid-market targets, with larger enterprises seeing higher demands. Payment rates among organisations that engage in negotiation are broadly in line with the wider market, at roughly 40–50% of demanded amounts.
Detection and Response Priorities
Monitor for FAKEUPDATES/SocGholish JavaScript execution patterns — wscript.exe or mshta.exe spawning from browser processes, and execution of obfuscated JavaScript from temp directories. Alert on kernel driver service creation (BYOVD detection is covered in the SOC Analyst Hub guide) — DragonForce’s EDR kill step is detectable if coverage is in place before it completes. Watch for bulk staging activity to uncommon directories (e.g., C:\ProgramData\[random]) and vssadmin delete shadows /all — shadow copy deletion immediately precedes encryption in the vast majority of campaigns. Monitor for ViperTunnel (Python-based backdoor associated with DragonForce operations) communicating over encrypted channels to attacker-controlled infrastructure; look for Python processes establishing persistent outbound connections on non-standard ports.
MITRE ATT&CK coverage to verify:
- T1562.001 (Impair Defenses: Disable or Modify Tools) — EDR killer stage
- T1490 (Inhibit System Recovery) — shadow copy deletion
- T1486 (Data Encrypted for Impact) — encryption stage
- T1567.002 (Exfiltration Over Web Service) — data staging and exfiltration
- T1021.002 (Remote Services: SMB/Windows Admin Shares) — lateral movement
The cartel model means DragonForce TTPs will appear under multiple affiliate identities. Focus detection on the common technical behaviours rather than trying to attribute to a specific operator name.