DragonForce Ransomware Cartel Targets 363 Companies with Sophisticated RaaS Model Since 2023

Since its inception in December 2023, the DragonForce ransomware group has rapidly ascended to prominence within the cybercriminal ecosystem. Operating under a sophisticated Ransomware-as-a-Service (RaaS) model, DragonForce has strategically branded itself as a cartel, a move designed to consolidate power and attract a broad network of affiliates. This approach not only distinguishes them from traditional cybercriminal enterprises but also underscores their ambition to dominate the RaaS economy.

Strategic Expansion and Recruitment

To bolster their operations, DragonForce actively engages with prominent dark web forums such as BreachForums, RAMP, and Exploit. These platforms serve as recruitment hubs, enabling the group to attract and vet potential affiliates. What sets DragonForce apart is their offering of unique tools like RansomBay, which facilitates customized payload generation, and specialized harassment calling services designed to pressure victims into compliance. By providing comprehensive data analysis support and team coordination tools, DragonForce offers a suite of services that rivals those of legitimate software enterprises, thereby enhancing their appeal to affiliates.

Operational Impact and Targeting

Between December 2023 and January 2026, DragonForce targeted 363 companies, with a notable peak in December 2025, when 35 victims were published in a single month. This consistent upward trajectory in attack frequency highlights the group’s expanding operational capacity and their intent to scale attacks across a broader range of industries. Their aggressive branding as a cartel not only consolidates their influence but also serves as a recruitment tool, attracting affiliates seeking association with a powerful and organized entity.

Rivalries and Alliances

DragonForce’s operations extend beyond standard attacks; they have actively engaged in adversarial relationships with rival ransomware groups, occasionally launching infrastructure-level attacks against competitors. Conversely, they have also sought alliances to strengthen their position within the cybercriminal ecosystem. This complex web of interactions demonstrates their ambition to not just participate in the market but to dominate the RaaS economy through both cooperation and conflict.

Technical Evolution and Sophistication

Recent technical assessments of DragonForce’s Windows binaries reveal that while core encryption routines and process termination methods remain consistent, significant structural updates have been introduced. The ransomware continues to employ the Bring Your Own Vulnerable Driver (BYOVD) technique to neutralize security processes, ensuring successful encryption. However, the metadata structure appended to encrypted files has undergone modification. The Encryption Ratio field was expanded from one byte to four bytes, increasing the total metadata size to 537 bytes.

Additionally, the latest builder version includes a beta feature called encryption_rules, which allows operators to override encryption modes for specific file extensions. If no specific rule is defined, the malware applies full, partial, or header-based encryption based on the file size. Upon execution, the ransomware decrypts its embedded configuration using the ChaCha8 algorithm before initiating these routines. This new configuration option grants attackers precise control over how different data types are impacted, optimizing the speed and severity of the encryption process based on the victim’s environment.
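For incident responders, the fixed metadata length gives a cheap triage signal: compare a backup manifest with the current file sizes and flag files that grew by exactly the trailer length. The sketch below is an added example, not code from the analysis described here. It assumes that encryption itself leaves the data length unchanged, that the earlier trailer was 534 bytes (inferred from the one-byte to four-byte field change), and that files may gain one appended extension; the paths, sizes and the `.enc_example` extension are constructed.

```python
"""Flag files whose size grew by the reported DragonForce metadata length."""
import ntpath  # Windows path rules on any platform
from dataclasses import dataclass

NEW_TRAILER = 537              # total metadata size stated in the article
OLD_TRAILER = NEW_TRAILER - 3  # inferred: ratio field was 1 byte, now 4
VARIANTS = {NEW_TRAILER: "new-537", OLD_TRAILER: "old-534"}


@dataclass(frozen=True)
class Hit:
    original: str  # path recorded in the backup manifest
    current: str   # path observed on disk now
    variant: str   # which trailer length matched


def triage(baseline: dict[str, int], current: dict[str, int]) -> list[Hit]:
    """baseline/current map path -> size in bytes; returns size-delta matches."""
    hits = []
    for cur_path, cur_size in sorted(current.items()):
        # The original may have the same name, or the name with one
        # appended extension stripped (assumption, see lead-in).
        stem, ext = ntpath.splitext(cur_path)
        candidates = [cur_path] + ([stem] if ext else [])
        for orig in candidates:
            if orig in baseline:
                label = VARIANTS.get(cur_size - baseline[orig])
                if label:
                    hits.append(Hit(orig, cur_path, label))
                break  # first manifest match decides; do not strip further
    return hits


# Constructed sample data: sizes from a backup manifest vs. sizes on disk.
BASELINE = {
    r"D:\fin\q3.xlsx": 48210,
    r"D:\fin\ledger.db": 9437184,
    r"D:\hr\policy.pdf": 120331,
    r"D:\hr\notes.txt": 812,
}
CURRENT = {
    r"D:\fin\q3.xlsx.enc_example": 48747,      # +537
    r"D:\fin\ledger.db.enc_example": 9437718,  # +534
    r"D:\hr\policy.pdf": 120331,               # unchanged
    r"D:\hr\notes.txt": 900,                   # ordinary edit
}

if __name__ == "__main__":
    for hit in triage(BASELINE, CURRENT):
        print(f"{hit.variant}  {hit.current}  (was {hit.original})")
```

A size match is only a lead for closer inspection, since an ordinary edit can change a file by the same number of bytes.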

Conclusion

DragonForce’s rapid ascent and strategic operations underscore the evolving nature of cyber threats. Their cartel-like structure, combined with technical sophistication and aggressive recruitment, positions them as a formidable adversary in the cybersecurity landscape. Organizations must remain vigilant, adopting robust security measures and staying informed about emerging threats to mitigate the risks posed by such advanced ransomware groups.