DragonForce entered 2026 as one of the most structurally interesting threats in the ransomware ecosystem — not because of technical novelty, but because of a deliberate business model evolution that positions them less as a ransomware group and more as an infrastructure provider to the criminal market. Understanding DragonForce in 2026 means understanding how the cartel model changes the threat picture for defenders.
From RaaS to “Cartel”
DragonForce first emerged as a ransomware-as-a-service operation in late 2023, offering affiliates a standard split-revenue model and a Linux/Windows/ESXi-compatible payload. In 2025 they announced what they called a “cartel” evolution: rather than operating only their own payload, they began offering other ransomware operators access to their backend infrastructure — leak site hosting, negotiation portals, payment processing, and victim management tooling — in exchange for a portion of proceeds.
The practical effect is consolidation in the criminal market. Smaller operators who might previously have stood up independent infrastructure now rent DragonForce’s instead. This makes attribution harder (multiple groups sharing infrastructure appear linked when analysed solely on infrastructure indicators) and increases operational resilience — individual operator takedowns do not disrupt the underlying cartel infrastructure.
In Q2 2026, DragonForce and another group called Lamashtu each claimed 11 new victims, placing them among the most active operators by victim count. DragonForce’s data analysis service — announced in late 2025 — gives affiliates tooling to rapidly search and index exfiltrated data, reducing the manual effort required to produce credible leak threats and accelerating the extortion timeline.
Technical Profile: EDR Killer TTPs
DragonForce affiliates have been consistently observed deploying EDR killers before payload execution. The technique has evolved through several generations:
Generation 1 (2023–early 2024): Classic BYOVD using well-known vulnerable drivers (RTCore64, gdrv.sys, Gigabyte’s vulnerable kernel module). Detected reliably by modern EDR with driver blocklists.
Generation 2 (2024–2025): Abuse of legitimate security tooling — specifically, the RogueKiller Anti-Rootkit Driver. RogueKiller is a benign tool; its driver is signed and not on blocklists. DragonForce loaded it and then abused its IOCTL interface to terminate EDR processes by PID. This technique initially evaded many vendor blocklists because the driver itself is legitimate.
Generation 3 (2025–2026): Driverless EDR killing via script-based abuse of legitimate anti-rootkit and process manipulation APIs. Groups including DragonForce, RansomHouse, and MedusaLocker have been observed using commercial EDR killers sourced from underground markets — pre-built tools that abstract the underlying technique and are updated frequently to evade detection.
The common thread: the EDR kill step happens before encryption, and often before any ransomware payload is written to disk. By the time the encryptor executes, the defensive tooling that would detect it is already offline.
2026 Targeting Profile
DragonForce’s most high-profile 2026 operations targeted UK retail organisations, including two major retail chains with significant consumer data holdings. The retail sector is attractive for several reasons: high volumes of payment card data command strong extortion leverage; retail operations are highly downtime-sensitive (a distribution centre shutdown directly affects revenue); and retail security teams are frequently under-resourced relative to financial services peers.
Beyond retail, DragonForce affiliates have been active across healthcare, manufacturing, and professional services. Sector selection appears largely affiliate-driven — individual affiliates bring their own access and sector knowledge; the DragonForce cartel supplies infrastructure.
Initial access in attributed campaigns has followed consistent patterns:
- FAKEUPDATES (SocGholish) infections used as a beachhead, enabling DragonForce and RansomHub affiliates to take over existing access sold by initial access brokers
- Compromised VPN credentials for organisations without MFA on remote access
- Exploitation of internet-facing appliances — edge devices and VPN concentrators — consistent with broader 2026 trends
Negotiation Patterns
DragonForce maintains a victim portal with a countdown timer and a multi-stage extortion model:
- Initial demand posted within 24–48 hours of first contact, typically 3–10x the likely actual settlement
- Proof-of-data samples published to the leak site to increase pressure
- Countdown to partial release — DragonForce publishes subsets of data as deadlines pass, creating escalating public pressure
- Full release or sale if no payment — in some cases, DragonForce affiliates have sold data to third parties rather than simply publishing
Average ransom amounts in DragonForce campaigns reported in 2025–2026 range from £500K to £12M for mid-market targets, with larger enterprises seeing higher demands. Payment rates among organisations that engage in negotiation are reported as broadly in line with the wider market (~40–50% of demanded amounts).
Detection and Response Priorities
For defenders watching for DragonForce intrusions:
- Monitor for FAKEUPDATES/SocGholish JavaScript execution patterns — wscript.exe or mshta.exe spawning from browser processes, and execution of obfuscated JavaScript from temp directories
- Alert on kernel driver service creation (see SOC Analyst Hub’s BYOVD detection guide) — DragonForce’s EDR kill step is detectable if you have coverage before it completes
- Watch for bulk staging activity to uncommon directories (e.g., C:\ProgramData\[random]) and vssadmin delete shadows /all — shadow copy deletion immediately precedes encryption in the vast majority of campaigns
- Monitor for ViperTunnel (Python-based backdoor associated with DragonForce operations) — it communicates over encrypted channels to attacker-controlled infrastructure; look for Python processes establishing persistent outbound connections on non-standard ports
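As an added example, not part of the original article, here is a small Python hunting script that applies the detection priorities above to constructed endpoint telemetry. The event format (dicts simplified from Sysmon Event ID 1 process-creation, Sysmon Event ID 3 network-connection and System log Event ID 7045 service-install fields), the host names, file paths and rule names are all assumptions. The assess_hosts correlation is an added check that treats a kernel-driver service install plus shadow-copy deletion on the same host as the pre-encryption stage described above.

```python
# Added example (not from the original article): applies the detection priorities
# above to constructed telemetry. Event layout is an assumption, simplified from
# Sysmon Event ID 1 (process create), Sysmon Event ID 3 (network connect) and
# System log Event ID 7045 (service install) fields.
import re
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
STANDARD_WEB_PORTS = {80, 443}
TEMP_DIR_RE = re.compile(r"\\(appdata\\local\\temp|windows\\temp|programdata)\\", re.I)
SHADOW_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all", re.I)

RULE_SOCGHOLISH = "script host spawned by browser (FAKEUPDATES/SocGholish pattern)"
RULE_TEMP_SCRIPT = "script host executing from temp/ProgramData directory"
RULE_DRIVER_SVC = "T1562.001 kernel driver service created (possible EDR killer staging)"
RULE_SHADOW = "T1490 shadow copy deletion"
RULE_PY_BEACON = "Python process outbound on non-standard port (ViperTunnel-style)"


def _basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the rule names an event matches; an empty list means nothing of interest."""
    hits = []
    kind = event.get("type")
    if kind == "process_create":
        image = _basename(event.get("image", ""))
        parent = _basename(event.get("parent_image", ""))
        cmd = event.get("command_line", "")
        if image in SCRIPT_HOSTS and parent in BROWSERS:
            hits.append(RULE_SOCGHOLISH)
        if image in SCRIPT_HOSTS and TEMP_DIR_RE.search(cmd):
            hits.append(RULE_TEMP_SCRIPT)
        if SHADOW_DELETE_RE.search(cmd):
            hits.append(RULE_SHADOW)
    elif kind == "service_install":
        # Event 7045 reports "kernel mode driver" for driver services (BYOVD staging).
        if event.get("service_type", "").lower() == "kernel mode driver":
            hits.append(RULE_DRIVER_SVC)
    elif kind == "network_connect":
        if (_basename(event.get("image", "")).startswith("python")
                and event.get("dest_port") not in STANDARD_WEB_PORTS):
            hits.append(RULE_PY_BEACON)
    return hits


def scan(events):
    """Run every event through the rules; returns (host, rule) pairs in event order."""
    return [(e.get("host"), rule) for e in events for rule in classify(e)]


def assess_hosts(findings):
    """Group findings per host; a host showing both the EDR-kill precursor and
    recovery inhibition is at the pre-encryption stage and should be isolated."""
    per_host = defaultdict(set)
    for host, rule in findings:
        per_host[host].add(rule)
    return {
        host: ("PRE-ENCRYPTION: isolate now" if {RULE_DRIVER_SVC, RULE_SHADOW} <= rules
               else "suspicious: triage")
        for host, rules in per_host.items()
    }


# Constructed sample telemetry (not real incident data); hosts and paths are made up.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'wscript.exe "C:\Users\a\AppData\Local\Temp\Update.a1b2.js"'},
    {"type": "process_create", "host": "ws01", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe readme.txt"},
    {"type": "service_install", "host": "srv02", "service_name": "rkdrv",
     "image_path": r"C:\ProgramData\kq7x\driver.sys", "service_type": "kernel mode driver"},
    {"type": "process_create", "host": "srv02", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "network_connect", "host": "srv02", "image": r"C:\Users\Public\python.exe",
     "dest_ip": "203.0.113.10", "dest_port": 8443},
    {"type": "network_connect", "host": "ws01", "dest_ip": "203.0.113.20", "dest_port": 443,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for host, rule in results:
        print(f"{host}: {rule}")
    print(assess_hosts(results))
```

In production this logic lives in your SIEM or EDR query language rather than Python; the point of the script is to make the per-rule conditions and the host-level correlation explicit so they can be translated faithfully. The browser and port allow-lists are deliberately small and should be tuned to your estate, and the driver-service rule is a precursor indicator rather than proof of a malicious driver, so it is best paired with a driver blocklist check on the installed image path.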
MITRE ATT&CK coverage to verify:
- T1562.001 (Impair Defenses: Disable or Modify Tools) — EDR killer stage
- T1490 (Inhibit System Recovery) — shadow copy deletion
- T1486 (Data Encrypted for Impact) — encryption stage
- T1567.002 (Exfiltration Over Web Service) — data staging and exfiltration
- T1021.002 (Remote Services: SMB/Windows Admin Shares) — lateral movement
The cartel model means DragonForce TTPs will appear under multiple affiliate identities. Focus detection on the common technical behaviours rather than trying to attribute to a specific operator name.