In recent weeks, the DragonForce ransomware group has been targeting UK retailers in a series of coordinated attacks causing major service disruptions. Prominent retailers such as Harrods, Marks and Spencer, and the Co-Op have all reported ongoing incidents affecting payment systems, inventory, payroll and other critical business functions.
DragonForce has previously been attributed for a number of notable cyber incidents including attacks on Honolulu OTS (Oahu Transit Services), the Government of Palau, Coca-Cola (Singapore), the Ohio State Lottery, and Yakult Australia.
In this post, we offer a high-level overview of the DragonForce group, discuss its targeting, initial access methods, and payloads. We further provide a comprehensive list of indicators and defensive recommendations to help security teams and threat hunters better protect their organizations.
Background
DragonForce ransomware operations emerged in August 2023, primarily out of Malaysia (DragonForce Malaysia). The group originally positioned itself as a Pro-Palestine hacktivist-style operation; however, over time their goals have shifted and expanded.
The modern-day operation is focused on financial gain and extortion although the operation still targets government entities, making it something of a hybrid actor, both politically aligned and profit-motivated. The group operates a multi-extortion model, with victims threatened with data leakage via the group’s data leak sites, alongside reputational damage.
Recent DragonForce victims have included government institutions, commercial enterprises, and organizations aligned with specific political causes. The group is also known to heavily target law firms and medical practices. Notably, the group has targeted numerous entities in Israel, India, Saudi Arabia, and more recently several retail outlets in the United Kingdom.
Some components of the UK retail attacks have been attributed to an individual affiliated with the loose threat actor collective ‘The Com‘, with claims that members are leveraging DragonForce ransomware. Our assessment indicates that the affiliate in question exhibits behavioral and operational characteristics consistent with those previously associated with The Com. However, due to the lack of strong technical evidence and shifting boundaries of The Com, that attribution remains inconclusive and subject to further analysis.
Initial Access Methods
Initial access is typically gained via phishing email along with exploitation of known vulnerabilities; alternatively, attackers may leverage leaked or stolen credentials to access internet-facing devices. Cobalt Strike and other COTS tools are used for campaign management, including the execution of additional payloads and implants.
The DragonForce operators also utilize tools like mimikatz, Advanced IP Scanner, PingCastle, and a plethora of Remote Management tools to drill further into victim environments, ensuring both elevated privileges and persistence.
The group also heavily targets RDP services with credential stuffing attacks and VPN weaknesses to gain initial access into systems.
The following vulnerabilities have specifically been associated with past DragonForce intrusions:
- CVE-2021-44228 – Apache Log4j2 Remote Code Execution (“Log4Shell”)
- CVE-2023-46805 – Ivanti Connect Secure and Policy Secure Authentication Bypass
- CVE-2024-21412 – Microsoft Windows SmartScreen Security Feature Bypass
- CVE-2024-21887 – Ivanti Connect Secure and Policy Secure Command Injection
- CVE-2024-21893 – Ivanti Connect Secure and Policy Secure Path Traversal
Additionally, DragonForce operators have been observed deploying the SystemBC backdoor for persistence. SystemBC is a multi-platform proxying malware adopted by numerous threat actors to create SOCKS5 tunnels through victim networks.
Ransomware Payloads
Initially, DragonForce ransomware payloads were based entirely on the leaked LockBit (LockBit 3.0/Black) builder. In common with other hacktivist/RaaS groups, early DragonForce operations relied on leaked code and tools that were readily available. The group has since evolved its own branded ransomware, updating the source and producing a more bespoke offshoot with roots in the Conti v3 codebase.
Basic encryption features and ‘under the hood’ functionality remain unchanged, with AES used for primary file encryption and RSA for securing the keys themselves. More recently built Conti-derived samples use the ChaCha8 algorithm, which is touted as providing improved speed over the AES encryption used in the LockBit derived variants.
DragonForce affiliates are provided a robust set of tools within the affiliate panel for building payloads and managing campaigns. Currently, DragonForce affiliates can build multiple variants of the DragonForce ransomware, tailored to specific platforms including Windows, Linux, EXSi, and NAS-specific encryptors.
Each affiliate has the ability to manage multiple builds per-platform for each victim. When building new payloads, affiliates are able to customize many behavioral aspects of the ransomware, including filenames, appended extensions, additional command line scripts, delayed execution options, process termination configuration, and allow and exception lists for file encryption.
Additionally, DragonForce payloads support multiple command-line options:
| -paths | Force run in file-system search mode |
| -vmsvc | Force run in ESXi vim-cmd discovery mode |
| -n | Do not perform encryption/decryption (file discovery only) |
| -h H -m M -s S | Wait H hours, M minutes, S seconds before starting |
| -e M X Y | Encryption mode M with parameters X and Y |
| -p PATH | Override file-system paths for discovery |
| -l LOGFILE | Override the log-file location |
| -i X | Override the number of threads |
| -q | Disable output to STDOUT |
| -v | Verbose logging |
| -vwi ID | Override list of ignored VMs by ID |
| -vwn NAME | Override list of ignored VMs by name |
DragonForce operators utilize multiple tactics and services for data exfiltration. This includes the use of MEGA, but also Living Off the Land (LOTL) methods like basic WebDAV and SFTP transfers to remote servers.
Additionally, affiliates are able to set up collaborative teams within the DragonForce panel, within which they manage communications with team members and victims, manage payments, build payloads, and adjust overall campaign behavior.
Updated ‘White-label’ Branding
In early 2025, DragonForce introduced a ‘white-label’ branding service that allows affiliates to disguise the DragonForce ransomware as a different strain for an additional fee. This also came alongside the announcement of the RansomBay service and portals. The new RansomBay leak sites have been launched to host data stolen by affiliates of these new, expanded, DragonForce services.
In this offering, DragonForce claims to take a 20% share of successful ransomware payouts, allowing the affiliate to keep 80%. This enables enterprising threat actors to launch seemingly unique ransomware operations, while leveraging DragonForce’s infrastructure and code. For the developers, this offering allows DragonForce to profit from attacks by affiliates without having the brand tied to the attack or specific operators.
This move, along with DragonForce’s push to brand itself as a ‘Ransomware Cartel’, illustrates the group’s desire to raise its profile in the crimeware landscape by enabling an ecosystem. Under this model, DragonForce provides the infrastructure, malware, and ongoing support services while affiliates run campaigns under their own branding. This is similar to moves that operations like RansomHub, Rabbit Hole and Dispossessor have previously attempted. All of this points to DragonForce seriously expanding its goals and operations.
SentinelOne Singularity Platform Protects Against DragonForce Ransomware
The SentinelOne Singularity Platform protects against DragonForce Ransomware and associated malicious behaviors. Ransomware activity on Windows and Linux systems is blocked by SentinelOne’s Behavioral Ransomware Protection, along with the Static Detection Engines, with enhanced detection introduced via a Live Security Update in March 2025. SentinelOne customers can find additional details on Live Security update content in the customer support portal.
In addition to detection via SentinelOne’s real-time endpoint protection capabilities, DragonForce can also be detected by enabling Platform Detection rules (details also available via the customer support portal).
Conclusion
While DragonForce continues to blur the line between hacktivism and financial motivation, its recent targeting suggests the group is increasingly motivated by financial rewards.
Although DragonForce’s large-scale cartel model is not the first of its kind, its current successes and the recent demise of rival operations suggest that it will become increasingly attractive both to orphaned ransomware actors and more resourced groups looking to thrive in an increasingly competitive space.
The wave of attacks against UK businesses in recent weeks highlights the ongoing need for strong cybersecurity practices and policies, along with well-developed incident response procedures. Keeping defenses up to date, properly and efficiently configured is critical. Full and contextual visibility into resources and assets is also key in defending against modern ransomware and extortion operations.
Indicators of Compromise
SHA1 Ransom Notes
343220b0e37841dc002407860057eb10dbeea94d
ae2967d021890a6a2a8c403a569b9e6d56e03abd
c98e394a3e33c616d251d426fc986229ede57b0f
f710573c1d18355ecdf3131aa69a6dfe8e674758
SHA1 Payloads
011894f40bab6963133d46a1976fa587a4b66378
0b22b6e5269ec241b82450a7e65009685a3010fb
196c08fbab4119d75afb209a05999ce269ffe3cf
1f5ae3b51b2dbf9419f4b7d51725a49023abc81c
229e073dbcbb72bdfee2c244e5d066ad949d2582
29baab2551064fa30fb18955ccc8f332bd68ddd4
577b110a8bfa6526b21bb728e14bd6494dc67f71
7db52047c72529d27a39f2e1a9ffb8f1f0ddc774
81185dd73f2e042a947a1bf77f429de08778b6e9
a4bdd6cef0ed43a4d08f373edc8e146bb15ca0f9
b3e0785dbe60369634ac6a6b5d241849c1f929de
b571e60a6d2d9ab78da1c14327c0d26f34117daa
bcfac98117d9a52a3196a7bd041b49d5ff0cfb8c
e164bbaf848fa5d46fa42f62402a1c55330ef562
e1c0482b43fe57c93535119d085596cd2d90560a
eada05f4bfd4876c57c24cd4b41f7a40ea97274c
fc75a3800d8c2fa49b27b632dc9d7fb611b65201
Victim Portals and Data Leak Sites
3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd[.]onion
Ijbw7iiyodqzpg6ooewbgn6mv2pinoer3k5pzdecoejsw5nyoe73zvad[.]onion
Kfgjwkho24xiwckcf53x7qyruobbkhx4eqn2c6oe4hprbn23rcp6qcqd[.]onion
Rnc6scfbqslz5aqxfg5hrjel5qomxsclltc6jvhahi6qwt7op5qc7iad[.]onion
rrrbay3nf4c2wxmhprc6eotjlpqkeowfuobodic4x4nzqtosx3ebirid[.]onion
rrrbayguhgtgxrdg5myxkdc2cxei25u6brknfqkl3a35nse7f2arblyd[.]onion
rrrbaygxp3f2qtgvfqk6ffhdrm24ucxvbr6mhxsga4faefqyd77w7tqd[.]onion
Z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid[.]onion
Social Media
TOXID: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20
TOXID: 258C79F73CCC1E56863030CD02C2C7C4347F80CAD43DD6A5B219A618FD17853C7BB1029DAE31
