DragonForce Ransomware: A Rising Threat to Global Business Security
Since its emergence in late 2023, the DragonForce ransomware group has rapidly become a formidable adversary to organizations worldwide. Operating on a ransomware-as-a-service (RaaS) model, DragonForce provides cybercriminal affiliates with sophisticated tools to execute attacks that encrypt critical data and exfiltrate sensitive information, thereby amplifying the pressure on victims to comply with ransom demands.
Dual-Extortion Tactics
DragonForce employs a dual-extortion strategy, a method that has gained traction among ransomware operators. In this approach, attackers not only encrypt the victim’s data, rendering it inaccessible, but also exfiltrate sensitive information prior to encryption. This stolen data is then used as leverage, with threats to publish it on dark web leak sites if the ransom is not paid. This tactic significantly increases the pressure on organizations to meet the attackers’ demands, as the potential exposure of confidential information can lead to reputational damage, regulatory penalties, and loss of customer trust.
Targeted Industries and Geographical Reach
The group’s operations have predominantly targeted sectors such as manufacturing, business services, technology, and construction. Geographically, the United States, United Kingdom, Germany, Australia, and Italy have reported the highest concentration of DragonForce attacks. This widespread targeting underscores the group’s adaptability and the broad appeal of its RaaS offerings to affiliates seeking to exploit vulnerabilities across various industries and regions.
Technical Sophistication and Multi-Platform Capabilities
DragonForce distinguishes itself through its technical sophistication and versatility. The ransomware is capable of infecting multiple platforms, including Windows, Linux, ESXi, BSD, and NAS systems. This cross-platform capability allows affiliates to target a diverse range of computing environments, increasing the potential impact of their attacks.
The ransomware offers various encryption modes, such as full, header, and partial encryption, along with customizable options for individual files. It also includes a delayed-start feature, enabling attackers to schedule the initiation of the encryption process at specific times, potentially to coincide with periods of reduced monitoring or during critical business operations.
Additional technical features include multithreading to improve encryption throughput and detailed logging to monitor the encryption process. Notably, DragonForce allows affiliates to perform dry runs without actual encryption, enabling them to test an attack before full deployment. The group also advertises to affiliates unlimited storage on dedicated, continuously monitored infrastructure, along with free partner services such as professional file analysis and decryption support.
Infection Methods and Defense Evasion
DragonForce employs sophisticated methods to infiltrate and persist within target networks. One notable tactic involves exploiting vulnerabilities in remote monitoring and management (RMM) tools. For instance, the group has been observed leveraging critical vulnerabilities in the SimpleHelp RMM platform to gain unauthorized access through trusted third-party vendors and managed service providers (MSPs). By compromising supplier-controlled RMM infrastructure, attackers can bypass traditional perimeter defenses and exploit the inherent trust between organizations and their service providers.
Once inside the network, DragonForce conducts network reconnaissance by scanning SMB ports within IP ranges to identify vulnerable systems. The ransomware uses a mutex identifier originally documented in samples derived from leaked Conti ransomware source code, indicating code reuse from earlier malware families. To prevent victims from recovering files from backup snapshots, DragonForce deletes volume shadow copies using Windows Management Instrumentation Command-line (WMIC) commands, specifically executing wmic.exe shadowcopy where ID delete (a WMIC query that selects snapshots by ID and deletes them).
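The shadow copy deletion above is one of the few host-level actions in this write-up that is easy to alert on. The following is an added detection example (not code from the article or from any vendor product): it reads Sysmon-style process-creation events (EventID 1) as one JSON object per line and flags wmic.exe invocations whose command line contains shadowcopy followed by delete, while ignoring query-only uses of shadowcopy. The log lines, hostnames, user names and the shadow-copy ID are constructed placeholders.

```python
import json
import re
from typing import Iterable, List

# Process-creation events where WMIC is asked to delete Volume Shadow Copies,
# with or without a WHERE filter. Query-only uses of "shadowcopy" are ignored.
SHADOWCOPY_DELETE = re.compile(r"\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)
WMIC_IMAGE = re.compile(r"(?:^|[\\/])wmic(?:\.exe)?$", re.IGNORECASE)


def is_shadowcopy_deletion(event: dict) -> bool:
    """True if a Sysmon-style EventID 1 record shows wmic.exe deleting shadow copies."""
    if event.get("EventID") != 1:
        return False
    if not WMIC_IMAGE.search(event.get("Image", "")):
        return False
    return bool(SHADOWCOPY_DELETE.search(event.get("CommandLine", "")))


def detect(lines: Iterable[str]) -> List[dict]:
    """Parse one JSON event per line and return a summary of each suspicious one."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; a real pipeline would count these
        if is_shadowcopy_deletion(event):
            hits.append({"host": event.get("Computer"), "user": event.get("User"),
                         "parent": event.get("ParentImage"),
                         "cmd": event.get("CommandLine")})
    return hits


# Constructed sample log (not real telemetry); hosts, users, paths and the
# shadow-copy ID are placeholders. Two benign WMIC uses, two deletions, one non-process event.
SAMPLE_LOG = r"""
{"EventID": 1, "Computer": "ws01.example.test", "User": "EXAMPLE\\alice", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic os get caption"}
{"EventID": 1, "Computer": "ws01.example.test", "User": "EXAMPLE\\backupsvc", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic shadowcopy list brief"}
{"EventID": 1, "Computer": "srv02.example.test", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Users\\Public\\payload.exe", "CommandLine": "wmic.exe shadowcopy where \"ID='{00000000-0000-0000-0000-000000000001}'\" delete"}
{"EventID": 1, "Computer": "srv02.example.test", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Users\\Public\\payload.exe", "CommandLine": "wmic shadowcopy delete"}
{"EventID": 3, "Computer": "srv02.example.test", "Image": "C:\\Users\\Public\\payload.exe", "DestinationPort": 445}
"""
```

Running detect(SAMPLE_LOG.splitlines()) returns the two deletion events, both with an unexpected parent process, which is the field an analyst would pivot on next.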
Notable Incidents and Impact
DragonForce’s activities have led to significant disruptions and financial losses for various organizations. In early 2025, the group targeted major UK retailers, including Marks & Spencer, Co-op, and Harrods. At Marks & Spencer, attackers infiltrated the network and deployed the DragonForce encryptor against VMware ESXi hosts, encrypting virtual machines that supported e-commerce and payment processing systems. This attack resulted in a five-day suspension of online sales, with estimated daily losses of £3.8 million and a market value drop exceeding £500 million.
Similarly, the Co-op Group confirmed that hackers accessed and extracted customer data, including names and contact information of Co-op members. Although no passwords, bank details, or transaction records were compromised, the breach raised concerns about data privacy and security. Harrods also announced that its systems had been targeted, prompting swift action to contain the breach and limit internet access at its locations as a precautionary measure.
Affiliations and Collaborative Threat Actors
DragonForce’s operations are further complicated by its affiliations with other cybercriminal groups. The group has been linked to Scattered Spider, a network of young, English-speaking hackers who leverage DragonForce’s infrastructure while paying the group a percentage of any ransoms collected. This collaboration enhances the reach and effectiveness of their attacks, combining technical expertise with social engineering tactics to bypass security measures.
For example, Scattered Spider has been observed targeting IT support teams and bypassing multi-factor authentication through social engineering. By impersonating legitimate users and exploiting human vulnerabilities, they gain unauthorized access to systems, which can then be leveraged to deploy DragonForce ransomware.
Recommendations for Mitigation
Given the evolving threat landscape and the sophistication of groups like DragonForce, organizations must adopt comprehensive cybersecurity strategies to mitigate risks. Key recommendations include:
1. Regular Software Updates and Patch Management: Ensure that all systems, especially RMM tools and other critical software, are updated promptly to address known vulnerabilities.
2. Enhanced Endpoint Protection: Deploy advanced endpoint detection and response (EDR) solutions to identify and mitigate malicious activities promptly.
3. Network Segmentation: Implement network segmentation to limit the spread of ransomware within the organization and protect critical assets.
4. Employee Training and Awareness: Conduct regular training sessions to educate employees about phishing attacks, social engineering tactics, and the importance of strong, unique passwords.
5. Incident Response Planning: Develop and regularly update an incident response plan to ensure a swift and coordinated response to ransomware attacks.
6. Data Backup and Recovery: Maintain regular, secure backups of critical data and test recovery procedures to ensure business continuity in the event of an attack.
By implementing these measures, organizations can enhance their resilience against ransomware threats and protect their critical assets from the devastating impact of attacks like those orchestrated by DragonForce.