Introduction
Since its emergence in late 2023, DragonForce has rapidly evolved into a formidable ransomware operation, posing significant threats across various sectors. Operating under a Ransomware-as-a-Service (RaaS) model, the group has demonstrated remarkable adaptability by leveraging leaked ransomware builders from notorious families like LockBit 3.0 and Conti. This approach has enabled them to customize attack variants effectively, targeting high-profile victims such as the Ohio Lottery, the government of Palau, and major UK retailers like Marks & Spencer. DragonForce’s operations blend advanced technical capabilities with professional business practices, offering affiliates up to 80% of ransom payments while providing comprehensive attack infrastructure and support services.
Evolution and Business Model
DragonForce first appeared in December 2023 with the launch of their DragonLeaks dark web portal, quickly establishing themselves as a significant player in the ransomware ecosystem. Initially, the group utilized the leaked LockBit 3.0 (Black) builder, allowing rapid deployment of effective ransomware without developing complex encryption mechanisms from scratch. In July 2024, they introduced a second variant based on the Conti V3 codebase, providing affiliates with enhanced customization capabilities. This dual-variant approach underscores the group’s technical sophistication and commitment to offering diverse attack options.
Their business model reflects modern cybercrime trends, offering a comprehensive platform that includes attack management tools, automated features, and customizable builders. Affiliates can tailor ransomware samples by disabling targeted security features, configuring encryption parameters, and personalizing ransom notes. In early 2025, DragonForce expanded its offerings by introducing a white-label ransomware service, enabling affiliates to rebrand payloads under alternative names for additional fees.
Attack Vectors and Initial Access Techniques
DragonForce employs multiple sophisticated vectors to achieve initial access to target networks, demonstrating a deep understanding of diverse organizational vulnerabilities.
– Phishing Campaigns: The group crafts convincing spear-phishing emails containing malicious attachments or links that deploy ransomware payloads when executed by unsuspecting users. These campaigns often target specific individuals within organizations, utilizing social engineering techniques to increase success rates.
– Exploitation of Known Vulnerabilities: DragonForce actively targets unpatched systems, exploiting several high-impact vulnerabilities, including:
  – CVE-2021-44228 (Log4Shell)
  – CVE-2023-46805 (Ivanti Connect Secure Authentication Bypass)
  – CVE-2024-21412 (Microsoft Windows SmartScreen Bypass)
  – CVE-2024-21887 (Ivanti Connect Secure Command Injection)
  – CVE-2024-21893 (Ivanti Connect Secure Path Traversal)
– Remote Access Exploitation: The group systematically targets organizations with poorly secured remote access infrastructure, leveraging stolen or weak credentials to establish a persistent network presence.
– Trusted Relationships: DragonForce exploits trusted relationships, as demonstrated in incidents where attackers gained access through remote management software that previous hosting providers had installed and that was never properly removed.
– Managed Service Provider (MSP) Compromise: In some cases, operators have gained initial access by exploiting compromised MSP relationships, allowing lateral movement across multiple client environments through trusted connections.
– Remote Desktop Protocol (RDP) and VPN Attacks: The group conducts credential stuffing and brute-force attacks against exposed services to gain unauthorized access.
Tactics, Techniques, and Procedures (TTPs)
DragonForce’s operational methodology aligns with the MITRE ATT&CK framework, demonstrating a sophisticated understanding of enterprise network compromise techniques. Key tactics include:
– Initial Access:
  – Exploiting public-facing applications (T1190)
  – Using valid accounts (T1078)
  – Spear-phishing attachments (T1566.001)
  – Spear-phishing via service (T1566.003)
  – Exploiting trusted relationships (T1199)
– Execution:
  – Malicious file execution (T1204.002)
  – PowerShell usage (T1059.001)
  – Scheduled tasks/jobs (T1053.005)
– Persistence:
  – Services file permissions weakness (T1574.011)
  – Scheduled tasks/jobs (T1053.005)
  – Registry run keys/startup folder modifications (T1547.001)
– Privilege Escalation:
  – Access token manipulation (T1134)
  – Exploitation for privilege escalation (T1068)
– Defense Evasion:
  – Obfuscated files or information (T1027)
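As an added illustration that is not part of the original article, the Python script below maps constructed Windows event lines to the persistence and execution technique IDs listed above (T1053.005, T1547.001, T1059.001) and flags hosts where persistence is established and PowerShell runs shortly afterwards. The key=value log format, the sample events and the 300-second window are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Assumed key=value log format (not a real SIEM export); Security 4698 = scheduled task created, 4688 = process created, Sysmon 13 = registry value set.
RULES = [
    ("T1053.005", re.compile(r'event_id=4698\b')),
    ("T1059.001", re.compile(r'event_id=4688\b.*image="[^"]*\\powershell\.exe"', re.I)),
    ("T1547.001", re.compile(r'event_id=13\b.*target="HK[A-Z]+\\[^"]*\\CurrentVersion\\Run(?:Once)?\\', re.I)),
]
PERSISTENCE = {"T1053.005", "T1547.001"}
HEADER = re.compile(r'ts=(\d+) host=(\S+) ')

def tag_line(line):
    """Return (timestamp, host, technique) for a line matching a rule, else None."""
    head = HEADER.match(line)
    if not head:
        return None
    for technique, pattern in RULES:
        if pattern.search(line):
            return int(head.group(1)), head.group(2), technique
    return None

def find_chains(lines, window=300):
    """Per host, pair each persistence event with the first PowerShell execution
    that follows it within `window` seconds: {host: [(technique, seconds)]}."""
    events = defaultdict(list)
    for line in lines:
        tagged = tag_line(line)
        if tagged:
            ts, host, technique = tagged
            events[host].append((ts, technique))
    chains = defaultdict(list)
    for host, evs in events.items():
        evs.sort()  # lines may arrive out of order
        for i, (t0, tech0) in enumerate(evs):
            if tech0 not in PERSISTENCE:
                continue
            for t1, tech1 in evs[i + 1:]:
                if tech1 == "T1059.001" and t1 - t0 <= window:
                    chains[host].append((tech0, t1 - t0))
                    break
    return dict(chains)

SAMPLE = [  # constructed sample events, not real telemetry
    'ts=1000 host=ws01 event_id=4698 task_name="\\Updater" user=CORP\\alice',
    'ts=1040 host=ws01 event_id=4688 image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"',
    'ts=1100 host=ws02 event_id=13 target="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc" details="C:\\Temp\\x.exe"',
    'ts=1200 host=ws03 event_id=4688 image="C:\\Windows\\explorer.exe"',
    'ts=5000 host=ws02 event_id=4688 image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"',
]
```

Running `find_chains(SAMPLE)` reports only ws01, because ws02's PowerShell launch falls outside the default window; widening the window to 4000 seconds surfaces ws02 as well.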
Notable Incidents
DragonForce has been linked to several high-profile attacks:
– UK Retailers: In early 2025, the group targeted major UK retailers, including Marks & Spencer, Co-op, and Harrods. These attacks caused significant operational disruptions and financial losses, marking one of the most substantial cyber campaigns against British retail in recent history.
– MSP Exploitation: Operators exploited critical vulnerabilities in SimpleHelp remote monitoring and management (RMM) software to breach a managed service provider and, through that supply chain compromise, deploy DragonForce ransomware across multiple customer organizations.
– DEVMAN Ransomware Variant: A new ransomware variant identified as DEVMAN emerged from the DragonForce RaaS ecosystem, targeting both Windows 10 and Windows 11 systems. This hybrid malware combines the established DragonForce codebase with unique modifications, creating distinct operational signatures.
Conclusion
DragonForce’s rapid evolution and sophisticated operational model underscore the growing complexity of ransomware threats. Their ability to adapt tactics, exploit vulnerabilities, and offer customizable tools to affiliates highlights the need for organizations to implement robust cybersecurity measures. Continuous monitoring, timely patching of vulnerabilities, employee training on phishing tactics, and securing remote access points are critical steps in defending against such advanced threats.