Who Are the DragonForce Ransomware Crew?

You are currently viewing Who Are the DragonForce Ransomware Crew?

Who Are the DragonForce Ransomware Crew?

1. History & Evolution

1.1 Humble Hacktivist Beginnings

DragonForce burst onto the scene around August 2023, initially styling itself as a pro-Palestinian hacktivist outfit named “DragonForce Malaysia.” They defaced websites, leaked political manifestos, and bragged about DDoS hits against foreign targets (SentinelOne, Searchlight Cyber). I remember reading a snarky post on their dark-web forum: “We’re here for justice… and maybe Bitcoin, lol.” 😏

1.2 Pivot to RaaS & Big-Game Hunting

By November 2023, they’d quietly forked the leaked LockBit Black builder and started offering it as a service to affiliates—enter “DragonForce Ransomware” (Group-IB, Arms Cyber). They touted two payload versions: one LockBit-derived, one Conti-derived (ContiV3)—a clever way to hedge against takedowns of either lineage (Group-IB). Their affiliate panel went live in June 2024, promising an 80 percent cut to affiliates plus automated support, leak-site hosting, and custom branding options (Group-IB).

1.3 White-Label & RansomBay Services

Early 2025 saw DragonForce roll out “white-label” payloads—affiliates could mask attacks as other ransomware strains for extra fees—plus the new RansomBay leak-site network (SentinelOne). This “cartel” model echoes moves by Rabbit Hole and Dispossessor, cementing DragonForce as a turnkey extortion platform.

2. Ransomware Tech Stack & Attack Flow

2.1 Payload Generation & Customization

Affiliates log into the DragonForce portal to:

  • Select variant (LockBit vs. Conti)
  • Set encryption parameters (AES key length, file extension)
  • Specify process kills (e.g., SQLSrv, Veeam services)
  • Customize ransom note text, styling, and payment address (Group-IB).

This builder then spits out a Windows PE or Linux ELF encryptor—no coding skills needed, FYI.

2.2 Encryption Routine

  1. AES Session Key: The payload generates a random 256-bit AES key per execution.
  2. RSA Wrapping: It encrypts the AES key with DragonForce’s embedded 4096-bit RSA public key and embeds it in each file header.
  3. Target Discovery: Scans local drives, mapped shares, USB media, and NAS endpoints for target extensions (e.g., .docx, .mdb) (Group-IB, Picus Security).
  4. Process & Log Cleanup: Uses BYOVD to load a vulnerable kernel driver that disables AV agents, then clears Windows Event Logs to hamper forensics (Group-IB).

2.3 Double-Extortion & Leak Sites

After encryption, DragonForce exfiltrates compressed archives to cloud storage or RansomBay, retains a copy on their leak site, then drops README_DRAGONFORCE.txt on victims’ desktops (Picus Security). They demand Bitcoin or Monero, warning that non-payment means data gets auto-published.

3. AI-Driven Impersonation & Social Engineering

3.1 Deepfake Calls & Automated BEC

Here’s where it gets film-villain scary: DragonForce taps GenAI to deepfake executives’ voices and spoof email domains in real time (Check Point Blog, BleepingComputer). Imagine an AI‐generated call from your CFO demanding urgent VPN reset—help-desk staff, flustered, oblige without verifying identity.

3.2 Phishing at Scale

They deploy LLM-powered phishing campaigns across multiple languages, auto-tuning subject lines, and crafting context-rich spear-phish so convincing your spam filter blinks twice (Check Point Blog). They even use bots to chat-assist victims into clicking malicious links—zero human typist needed.

3.3 Help-Desk “Pushbombing”

After initial compromise, they flood MFA push notifications (“Pushbombing”) until an admin grudgingly hits “Approve” out of frustration (Arms Cyber, Industrial Cyber). Combine that with SIM-swap via dark-web auctions, and they pwn your 2FA in minutes.

4. Who Hires DragonForce?

4.1 Affiliate Crews (e.g., Scattered Spider)

Scattered Spider, Lapsus$, and other mid-tier gangs jumped ship when RansomHub went dark in April 2025—many migrated to DragonForce’s slick affiliate portal (The Hacker News, BleepingComputer). These outfits supply the initial access (phishing, compromised RDP), then hand off to DragonForce for encryption and extortion.

4.2 Organized Crime & Money Launderers

Cartels and traditional mafias ring up DragonForce to extort energy providers or large agribusinesses—splitting profits with local money launderers (Cyble, SentinelOne).

4.3 Nation-State Proxies & Hacktivists

DragonForce’s hacktivist spin attracts geopolitical players wanting plausible deniability: “We didn’t do it—it was just a rogue affiliate ranting about politics.” This hybrid cloak appeals to some state-linked actors targeting strategic infrastructure (Cyble, SentinelOne).

5. Motivations & Political Underpinnings

5.1 Money, Money, Money

Pure profit reigns supreme: with average ransoms in the six-figure USD range, DragonForce’s 20 percent cut nets founders millions annually (Arms Cyber).

5.2 Ideological Messaging

They never fully abandoned their “free Palestine” propaganda—leak sites sometimes feature political slogans between data dumps (SentinelOne). This blurred line keeps defenders guessing: “Is this hacktivism or criminal extortion?”

5.3 Reputation & Recruitment

A successful big-game hunt (like M&S or Co-op) raises DragonForce’s street cred, attracting more affiliates and elevating their bargaining power—kind of like a twisted influencer culture (Latest news & breaking headlines).

6. Notable DragonForce Campaigns

6.1 Marks & Spencer (May 2025)

  • Initial Access: Scattered Spider affiliate phished credentials, then abused MFA via pushbombing (Picus Security, BleepingComputer).
  • Impact: Wedding cake orders canceled, online systems frozen for days, millions in lost revenue (The Hacker News).
  • Response: M&S CFO publicly urged patience; NCSC deployed emergency incident response teams (ITVX).

6.2 Co-op Group Data Heist

  • Breach: DragonForce claimed 20 million member records—names, emails, phone numbers (Latest news & breaking headlines).
  • Tactic: Impersonated help-desk calls to reset admin passwords; exfiltration preceded encryption attempt (Reuters).
  • Aftermath: Co-op temporarily suspended VPN, locked down MFA, and took weeks to restore full services.

6.3 Harrods Attempt

  • Threat actors probed high-value targets, but swift network segmentation and AI-driven detections stopped payloads in their tracks .

6.4 Early “Proof-of-Concept” Hits

  • Ohio Lottery (2023): 600 GB of user data stolen, wallet routes traced to DragonForce syndicates (ITVX).
  • Yakult Australia, Coca-Cola Singapore: Both reported disrupted ops and ransom demands in 2024 (ITVX).

7. Defending Against DragonForce

7.1 Zero-Trust & Micro-Segmentation

Segment east–west traffic; never trust internal or external sessions by default (SOCRadar® Cyber Intelligence Inc.).

7.2 Hardened MFA & Identity Controls

  • Enforce hardware tokens over push notifications.
  • Institute in-person verification for help-desk resets (Industrial Cyber).

7.3 AI-Enhanced Threat Hunting

Deploy ML models to spot AI-driven deepfake voice patterns, abnormal access requests, and LLM‐generated email textures (Check Point Blog).

7.4 Immutable, Air-Gapped Backups

Store backups offline and verify integrity—ransomware can’t encrypt what it can’t reach.

7.5 Patch Management & Attack Surface Reduction

  • Close or trap RDP via jump servers.
  • Use EDR to detect BYOVD kernel-loader behavior.
  • Disable WMI remoting unless business-critical.

8. Conclusion & Final Thoughts

DragonForce stands out by fusing political theater with industrial-scale extortion. Their RaaS setup, AI-powered social engineering, and hybrid hacktivist/profit motive make them a 21st-century ransomware juggernaut. But every playbook has counters: zero-trust, AI-driven detection, and unbreakable offline backups can blunt their edge. Remember: you don’t defeat what you don’t prepare for—so train your teams, test your processes, and keep your firmware patched.

“For God gave us a spirit not of fear but of power and love and self-control.”
—2 Timothy 1:7 (ESV)

If you found this deep-dive useful, stick around and follow my channels for more hard-core cyber insights:

If you love supporting indie+AI content:

  1. Buy me a Coffee: buymeacoffee.com/sweatdigitaluk
  2. Learn AI for Social Media (affiliate): https://bit.ly/proaiprompts

Stay secure (and stay skeptical)!

Tags: , , , , , , , , ,