DragonForce Cartel: The Rise of a Global Ransomware Cartel

By Carl | Published on November 8, 2025

In recent years, ransomware attacks have grown increasingly sophisticated, with some groups evolving into fully organized cybercriminal networks. Among the most notable is DragonForce, a group that began as politically motivated hacktivists but has since transformed into a global ransomware cartel. Combining advanced technical capabilities, strategic partnerships, and a profit-driven approach, DragonForce exemplifies the new generation of cybercriminals who blur the line between ideology and organized crime. Understanding their structure, evolution, and methods is essential to grasping the current threat landscape.

Structure of the DragonForce Cartel

The DragonForce cartel operates as a coordinated ransomware ecosystem rather than a single group. At its center is the core DragonForce team, which develops and maintains ransomware tools, leak sites, and builder infrastructure. Surrounding them are independent affiliates who deploy customized ransomware across Windows, Linux, and enterprise systems under a white-label or ransomware-as-a-service model. Adding another layer, partners like Scattered Spider specialize in gaining initial access through phishing, MFA bypass, and credential theft, supplying victims to the cartel’s campaigns. The network also appears to include operators with ties to former Conti affiliates, sharing tactics and infrastructure. Together, these components create a highly organized, collaborative operation capable of large-scale and sophisticated attacks.

From Hacktivists to Professional Extortionists

Emerging in 2023, DragonForce began as a relatively small group of politically motivated hackers, who initially targeted organizations and systems to support pro-Palestinian causes. Their early operations were characterized by symbolic attacks, defacements, and data leaks intended to make political statements rather than generate financial gain. These actions positioned them firmly in the hacktivist space, where ideology and visibility were the primary drivers of activity.

However, DragonForce’s focus soon began to shift toward financial motives, evolving into a fully professionalized ransomware operation. Recognizing the profitability of modern cybercrime, the group started leveraging ransomware-as-a-service (RaaS) models, creating custom malware strains for affiliates who could carry out attacks across Windows, Linux, ESXi, and NAS platforms. The group developed sophisticated extortion strategies, combining data encryption with the threat of public leaks to pressure victims into paying ransoms. In parallel, DragonForce expanded its infrastructure, managing dedicated leak sites, coordinating multi-stage attacks, and providing technical support to affiliates—effectively becoming a cybercriminal ecosystem rather than a simple hacker collective.

This transformation from ideological hacktivism to profit-driven extortion reflects a broader trend in the ransomware landscape. DragonForce demonstrates how groups can maintain a political narrative while simultaneously engaging in high-stakes financial operations, blurring the lines between activism and organized crime. Their evolution illustrates the increasing adaptability of modern ransomware actors, making them both highly strategic and exceptionally dangerous in today’s threat environment.

The Shift Toward Professionalized Cybercrime

Over time, DragonForce evolved from its ideological roots into a fully professional ransomware operation. The group adopted a ransomware-as-a-service (RaaS) model, providing affiliates with the tools and infrastructure to deploy customized ransomware attacks across Windows, Linux, and enterprise systems. This marked a major shift in focus, as profit became as important as ideology. DragonForce also began operating data leak sites and coordinating complex, multi-stage extortion campaigns, effectively functioning as a cybercriminal cartel rather than a simple hacker collective.

Advanced Techniques and Conti Lineage

A major development in DragonForce’s evolution has been its adoption of the leaked Conti v3 ransomware source code. This gave the group access to advanced encryption routines and network propagation capabilities, significantly increasing the potency of its attacks. DragonForce has also employed sophisticated techniques such as “bring your own vulnerable driver” (BYOVD) attacks, which abuse vulnerable drivers to disable security software and bypass protections. These methods, combined with strong encryption algorithms like ChaCha20 and RSA, make the group’s ransomware particularly difficult to detect and mitigate.
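
A defender-side illustration of the BYOVD point above, added here and not taken from the original article or from any vendor tooling: it triages Sysmon Event ID 6 (driver loaded) records and shows why a valid signature alone is not enough to clear a driver. The sample events, hash values, file names and blocklist entry are constructed placeholders, and the trusted directories assume a default Windows layout.

```python
import ntpath

# Directories where kernel drivers normally live (assumption: default Windows layout).
TRUSTED_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore\filerepository",
)

# Constructed placeholder standing in for a vulnerable-driver blocklist; not a real indicator.
BLOCKLIST = {"A" * 64}

def parse_hashes(field):
    """Sysmon's Hashes field looks like 'MD5=...,SHA256=...'; return {alg: value}."""
    out = {}
    for part in field.split(","):
        alg, _, val = part.partition("=")
        if val:
            out[alg.strip().upper()] = val.strip().upper()
    return out

def triage(event):
    """Return the reasons a driver-load event deserves analyst review."""
    reasons = []
    # normpath collapses '..' segments so a traversal cannot fake a trusted prefix.
    path = ntpath.normpath(event["ImageLoaded"]).lower()
    if not any(path.startswith(d + "\\") for d in TRUSTED_DIRS):
        reasons.append("loaded from non-standard path")
    if parse_hashes(event.get("Hashes", "")).get("SHA256") in BLOCKLIST:
        reasons.append("hash on vulnerable-driver blocklist")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    return reasons

# Constructed sample events using Sysmon Event ID 6 field names.
EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Hashes": "SHA256=" + "B" * 64, "Signed": "true", "SignatureStatus": "Valid"},
    # Validly signed, yet flagged: the usual BYOVD shape.
    {"ImageLoaded": r"C:\Users\Public\example_vuln.sys",
     "Hashes": "MD5=" + "C" * 32 + ",SHA256=" + "a" * 64,
     "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\..\..\Temp\x.sys",
     "Hashes": "SHA256=" + "D" * 64, "Signed": "false", "SignatureStatus": "Unavailable"},
]

def review(events):
    """Map each suspicious driver path to its list of reasons."""
    return {e["ImageLoaded"]: r for e in events if (r := triage(e))}

if __name__ == "__main__":
    for path, why in review(EVENTS).items():
        print(path, "->", "; ".join(why))
```
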

Strategic Alliances and Global Reach

DragonForce’s transition into a cartel-style operation is also reflected in its affiliate model. Affiliates can deploy white-label ransomware and retain a substantial share of ransom payments, sometimes up to 80 percent. This approach has helped the group attract skilled operators and expand its reach. Strategic partnerships, particularly with the Scattered Spider group known for initial access operations such as phishing, multi-factor authentication bypass, and credential theft, have amplified DragonForce’s capabilities. Through these alliances, the group has targeted larger organizations worldwide and executed increasingly sophisticated campaigns.

The Group's Ransomware Campaigns

DragonForce has carried out several high-profile attacks across retail and enterprise sectors worldwide. In 2025, the UK retailer Marks & Spencer experienced a crippling ransomware incident that disrupted online orders for weeks and reportedly cost around £300 million in lost operating profit. The Co‑operative Group was also targeted, with internal systems encrypted and customer and employee data stolen, underscoring the group’s focus on major UK retail victims.

Beyond retail, DragonForce has targeted global enterprises and supply chains. A large real-estate and construction firm in Saudi Arabia had over six terabytes of sensitive data exfiltrated, demonstrating the group’s global reach and high-impact extortion methods. Additionally, the group exploited vulnerabilities in the SimpleHelp platform to compromise managed service providers, spreading ransomware to downstream customers. These campaigns highlight DragonForce’s technical sophistication, strategic targeting, and capacity for large-scale, multi-sector operations.

The Modern Cybercrime Landscape

The evolution of DragonForce highlights a broader trend in ransomware operations: the blending of ideological motives with financial incentives. By maintaining a political narrative while aggressively pursuing profit, DragonForce demonstrates how modern ransomware groups are becoming more adaptable, professional, and dangerous. For organizations, this underscores the importance of proactive cybersecurity measures, multi-layered defenses, and employee awareness to mitigate the growing threat posed by highly organized ransomware cartels.
