DragonForce Cartel Emerges from Leaked Source Code
In the ever-evolving landscape of cyber threats, a formidable entity has surfaced, leveraging leaked source code to orchestrate a series of high-profile ransomware attacks. This group, known as DragonForce, has rapidly ascended to prominence, targeting major organizations across various sectors and geographies.
Origins and Evolution
DragonForce first appeared in December 2023 with the launch of their DragonLeaks dark web portal, quickly establishing themselves as a formidable player in the ransomware ecosystem. The group’s origins trace back to possible connections with DragonForce Malaysia, a hacktivist collective, though the current operation has evolved into a purely profit-driven enterprise. By 2025, DragonForce has matured into a sophisticated Ransomware-as-a-Service (RaaS) platform that attracts both displaced affiliates from dismantled ransomware operations and freelance threat actors seeking robust infrastructure. The organization operates two distinct ransomware variants based on leaked source code from established families. Their initial variant utilized the leaked LockBit 3.0 (Black) builder, allowing them to rapidly deploy effective ransomware without developing complex encryption mechanisms from scratch. In July 2024, DragonForce introduced a second variant based on the Conti V3 codebase, providing affiliates with enhanced customization capabilities. This dual-variant approach demonstrates the group’s technical sophistication and commitment to providing affiliates with diverse attack options. The group’s business model reflects modern cybercrime trends, offering a comprehensive platform that includes attack management tools, automated features, and customizable builders. Affiliates can tailor ransomware samples by disabling targeted security features, configuring encryption parameters, and personalizing ransom notes. In early 2025, DragonForce expanded its offerings by introducing a white-label ransomware service, enabling affiliates to rebrand payloads under alternative names for additional fees. ([cybersecuritynews.com](https://cybersecuritynews.com/dragonforce-ransomware-attack/?utm_source=openai))
Operational Tactics and Techniques
DragonForce employs sophisticated technical mechanisms that enable persistent access and comprehensive system compromise. The group exploits multiple critical vulnerabilities, including CVE-2024-21412, CVE-2024-21887, and CVE-2024-21893, to establish initial footholds in target networks. Their persistence strategy heavily relies on Living Off the Land techniques, leveraging legitimate executables such as Schtasks.exe and Taskkill.exe to maintain access while avoiding detection. The ransomware’s encryption capabilities span multiple platforms, with specialized variants for Windows, Linux, ESXi, BSD, and NAS systems. Their encryptors support various encryption modes, including band-pass, percentage, header, and normal encryption, with multithreading capabilities for enhanced performance. ([cybersecuritynews.com](https://cybersecuritynews.com/dragonforce-ransomware-claimed/?utm_source=openai))
Notable Incidents
DragonForce has been linked to several high-profile attacks, particularly in the retail sector. In early 2025, the group claimed responsibility for breaches at major UK retailers, including Marks & Spencer, Co-op, and Harrods. These attacks caused significant operational disruptions and financial losses, marking one of the most substantial cyber campaigns against British retail in recent history. The group’s ability to infiltrate and encrypt critical systems underscores the growing sophistication and reach of ransomware-as-a-service operations targeting high-profile commercial enterprises. ([cybersecuritynews.com](https://cybersecuritynews.com/dragonforce-ransomware-hits-harrods-marks-and-spencer/?utm_source=openai))
Affiliate Model and Cartel Structure
DragonForce’s operational methodology centers around a dual-extortion strategy where attackers encrypt victims’ data while simultaneously threatening to release exfiltrated information if ransom demands are not met. Rather than developing proprietary encryption tools, DragonForce has leveraged leaked ransomware builders from established groups, demonstrating the interconnected nature of modern cybercriminal ecosystems. The group operates under what it terms a cartel operation model, whereby interested actors may create their own brand and launch attacks using DragonForce’s infrastructure, tools, and resources, including access to their data leak site. This approach differs slightly from traditional RaaS models by allowing affiliates to adopt their own names rather than operating exclusively under the DragonForce banner. ([cybersecuritynews.com](https://cybersecuritynews.com/dragonforce-ransomware-group/?utm_source=openai))
Advanced Evasion and Persistence Mechanisms
DragonForce’s most concerning technical advancement lies in its sophisticated evasion capabilities that combine multiple layers of defense circumvention. The malware employs intermittent encryption patterns that make detection significantly more challenging for traditional security solutions. Rather than encrypting files in predictable sequences, the ransomware utilizes randomized encryption intervals that can evade behavior-based detection systems relying on consistent file modification patterns. The group has integrated the Bring Your Own Vulnerable Driver (BYOVD) technique to disable EDR and XDR protection systems at the kernel level. ([cybersecuritynews.com](https://cybersecuritynews.com/dragonforce-ransomware-empowers-affiliates-with-modular-toolkit/?utm_source=openai))
Conclusion
The emergence of DragonForce from leaked source code exemplifies the dynamic and adaptive nature of cyber threats in the modern era. By leveraging existing tools and adopting innovative operational models, DragonForce has established itself as a significant player in the ransomware landscape. Organizations must remain vigilant, implementing robust cybersecurity measures and staying informed about evolving threats to protect against such sophisticated adversaries.
