Overview
DragonForce emerged in 2023 as a Malaysian hacktivist group conducting politically motivated web defacements and DDoS attacks targeting Israeli-linked organisations during the Gaza conflict. By 2024, the group had pivoted decisively toward financially motivated ransomware operations. In 2026, DragonForce operates as a full RaaS platform — consistently ranking among the top three most prolific ransomware operators by victim volume globally, trailing only Qilin and competing with The Gentlemen for second position.
The evolution from hacktivism to organised crime is not unprecedented, but DragonForce’s trajectory has been unusually rapid and well-documented. The group’s technical capabilities, affiliate recruitment approach, and victim targeting have all professionalised to match the leading RaaS operations it now competes with.
The White-Label RaaS Model
DragonForce’s most notable strategic differentiator is its white-label RaaS offering, announced in 2024 and now a significant component of its affiliate ecosystem. Unlike conventional RaaS programmes — where affiliates operate under the primary brand and use the main leak site — DragonForce offers affiliates the option to operate entirely under their own branding. Affiliates receive:
- The DragonForce encryptor and decryptor binaries
- A fully customisable leak site with their own domain and branding
- The ransom negotiation portal infrastructure
- Backend payment processing and cryptocurrency management
From the victim’s perspective, they are being extorted by “AcmeCorp Ransomware” or whatever name the affiliate has chosen — with no visible connection to DragonForce. The group takes a revenue share while providing infrastructure and tooling.
This model creates attribution complexity for incident responders and threat intelligence teams: a DragonForce-powered attack may not be identified as DragonForce at all unless the encryptor binary is analysed. It also provides affiliates with plausible deniability and insulation from attribution.
Technical Profile
DragonForce’s encryptor is based on a heavily modified version of the leaked LockBit 3.0 (“Black”) source code, with additional modifications to evasion, file targeting, and ransom note delivery. Key characteristics:
Encryption: ChaCha20 symmetric encryption with RSA-4096 key exchange. Partial file encryption on files above a configurable size threshold (typically 1MB) — a deliberate performance optimisation to maximise the number of files encrypted before detection.
Targeting: The encryptor enumerates all drives including network shares. It terminates a configurable list of processes and services before encryption (database services, backup agents, security products) using a batch of taskkill and net stop commands.
ESXi variant: DragonForce maintains a dedicated Linux encryptor targeting VMware ESXi hypervisors. The ESXi variant uses a shell script wrapper to stop all running VMs via esxcli vm process list before encrypting .vmdk, .vmx, .vmxf, .vmsd, and snapshot files.
Anti-analysis: String obfuscation, API hashing, and execution checks (sandbox detection via timing attacks and CPUID queries) are present in recent samples.
Persistence: Affiliates typically deploy DragonForce payloads in the final stage of intrusions lasting 5-14 days, with prior focus on data exfiltration (double extortion). The encryptor itself does not establish persistence — it runs once and exits.
Observed TTPs
DragonForce affiliates have used varied initial access methods, consistent with the group sourcing access from multiple IAB ecosystems:
Initial access:
- Exploitation of VPN and remote access appliance vulnerabilities (Fortinet, Citrix, and Ivanti appliances have all featured)
- Purchased RDP credentials from initial access brokers
- Phishing campaigns delivering infostealers (Raccoon, RedLine) followed by credential abuse
- Exploitation of public-facing applications (web application vulnerabilities, public-facing admin panels)
Post-compromise:
- Heavy use of legitimate tools (AnyDesk, Atera, ScreenConnect) for persistent remote access
- Cobalt Strike and Brute Ratel C4 for C2
- ADExplorer, BloodHound/SharpHound for Active Directory enumeration
- Rclone for bulk data exfiltration to MEGA or attacker-controlled cloud storage
- Disabling of VSS (Volume Shadow Copy) and backup agents before encryption
Victim Profile and Statistics
In 2026, DragonForce’s publicly disclosed victim volume places it among the top three global ransomware operators. Victim statistics from the group’s primary leak site and white-label affiliate sites (where attributable) show:
- Retail sector: The group gained international attention for the March 2025 Marks & Spencer intrusion (attributed in post-incident analysis) and the concurrent Co-op and Harrods attacks — a coordinated campaign against UK luxury and high-street retail that caused significant operational disruption and an estimated combined impact exceeding £700 million.
- Government and critical infrastructure: Multiple regional government bodies across Southeast Asia, Australia, and Europe
- Manufacturing and industrial: Automotive parts suppliers, chemical manufacturers, food processing
- Financial services: Regional banks and payment processors across the Middle East and Asia-Pacific
Average ransom demands are in the £500,000–£2.5 million range for mid-market victims, scaling to eight figures for large enterprise targets.
The UK Retail Attacks
The spring 2025 campaign against UK retailers — M&S, Co-op, and Harrods — brought DragonForce to the attention of the UK public and government in a way that few ransomware incidents achieve. The attacks disrupted in-store payment systems, online ordering, and supply chains. M&S took online sales offline for an extended period; the company subsequently disclosed that data was exfiltrated.
NCSC and the NCA conducted joint investigation. The attack vector — social engineering of IT helpdesks to reset MFA and gain initial access — is assessed to be consistent with the tactics of Scattered Spider (UNC3944), an English-speaking affiliate operating DragonForce tooling. This illustrates the complexity of attribution in the white-label model: the tooling is DragonForce, the intrusion methodology may be an affiliate with entirely different origins.
YARA Detection
rule DragonForce_Ransomware_Encryptor {
meta:
description = "Detects DragonForce ransomware encryptor based on known string patterns"
author = "Ransomware Tracker"
date = "2026-06-12"
reference = "DragonForce RaaS encryptor analysis"
strings:
$ransom_note = "DRAGONFORCE_README" ascii wide nocase
$ext_pattern = ".dragonforce_encrypted" ascii
$mutex = "DragonForce_Locker" ascii wide nocase
$shadow_cmd = "vssadmin delete shadows /all /quiet" ascii nocase
$esxi_str = "esxcli vm process list" ascii nocase
// LockBit 3.0 heritage markers (modified)
$lb3_heritage = { 48 8B 05 ?? ?? ?? ?? 48 85 C0 74 ?? FF D0 }
condition:
uint16(0) == 0x5A4D and
(2 of ($ransom_note, $ext_pattern, $mutex) or
all of ($shadow_cmd, $lb3_heritage))
}
Defensive Recommendations
Given DragonForce’s documented initial access vectors and affiliate TTPs:
-
VPN and remote access appliances: Patch on the same business day as vendor advisories for remote access products. DragonForce affiliates have demonstrated rapid operationalisation of newly disclosed vulnerabilities.
-
MFA resilience: Implement phishing-resistant MFA (FIDO2/passkeys) rather than TOTP or SMS for admin accounts. The UK retail attacks exploited SMS/voice MFA via helpdesk social engineering.
-
IT helpdesk identity verification: Implement out-of-band verification procedures for any helpdesk request that would reset or bypass MFA. Video identification or pre-registered callback numbers are more resistant to social engineering than knowledge-based verification.
-
VSS protection: Monitor for
vssadmin delete shadowscommands — this is consistently executed in the 30-60 minutes before DragonForce encryption begins and provides a last-chance detection opportunity. -
Backup isolation: Maintain offline or immutable backups that cannot be reached by domain-authenticated accounts. DragonForce affiliates specifically target and destroy backup infrastructure before executing encryption.