As a Ransomware-as-a-Service (RaaS) provider that poses as a cartel to recruit affiliates and grow its business, DragonForce became a major ransomware threat in December 2023. The group swiftly expanded the scope of its attacks, reaching a peak of 35 victims in December 2025 and listing 363 victims on its Data Leak Site (DLS) by January 2026.

Through its RansomBay service, DragonForce provides customized payloads based on leaked LockBit 3.0 and Conti source code, allowing affiliates to create builds for Linux and Windows environments.

Victim Operations and Trends

Before gradually expanding its targets across industries like manufacturing, retail, IT, and construction, DragonForce disclosed 22 information about its first victim on December 6, 2023.

A post made by user @dragonforce on BreachForums (Source: Medium)

High-profile retailers and supply-chain providers were frequently targeted in 2025, with the US experiencing the most attacks, followed by the UK, Germany, Australia, and Italy. Affiliates receive eighty percent of ransom payments and use double extortion: they encrypt files and leak data if they are not paid. The group also follows a self-imposed code under which it avoids healthcare.

By recruiting pentesters, promoting RaaS services, and providing special features like data analysis and harassment calling, the group keeps up a robust dark web presence on BreachForums, RAMP, and Exploit. DragonForce sets itself apart by going after competitors. For example, it defaced BlackLock's website and claimed RansomHub's infrastructure after it went down in April 2025.

The DragonForce data leak website (DLS) (Source: Medium)

To establish itself as a cartel leader and provide affiliates with white-label options for rebranding payloads, DragonForce has pursued partnerships with LockBit and Qilin.

Technical Overview and Binary Information

DragonForce's affiliate panel supports client management, lead generation, team coordination, content publishing, and tickets. Since Group-IB's 2024 analysis, the tooling has changed: BYOVD (bring your own vulnerable driver) is still used for process termination, while the exposed LockBit builders have been eliminated.

Windows binaries use ChaCha8 for both configuration decryption and file encryption. They support extension-based encryption modes (full, partial, or header) and append 537 bytes of metadata (the expanded Encryption Ratio field).
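A triage check built on the 537-byte figure above, as an added example that is not from the article or from any vendor tool: ChaCha is a stream cipher and preserves length, so a file rewritten in place with an appended metadata block grows by exactly that amount, and a pre-incident size inventory can be compared with the current tree. The function names, the `.locked` extension, and the sample files are constructed; that an affected file keeps its name or gains one appended extension is an assumption.

```python
import os
import tempfile

TRAILER_LEN = 537  # metadata size the article reports for Windows builds

def snapshot(root):
    """Map each file's path relative to root to its size in bytes."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            sizes[os.path.relpath(full, root)] = os.path.getsize(full)
    return sizes

def trailer_candidates(baseline, current, trailer_len=TRAILER_LEN):
    """Return (old_path, new_path) pairs whose size grew by exactly trailer_len.

    Assumption: an affected file keeps its name or gains one appended
    extension, so a renamed file is matched by stripping its last suffix.
    """
    hits = []
    for new_path, new_size in current.items():
        for old_path in (new_path, os.path.splitext(new_path)[0]):
            if old_path in baseline and new_size - baseline[old_path] == trailer_len:
                hits.append((old_path, new_path))
                break
    return sorted(hits)

def affected_ratio(baseline, current):
    """Fraction of baseline files matching the pattern; one hit alone is noise."""
    hit_paths = {old for old, _new in trailer_candidates(baseline, current)}
    return len(hit_paths) / len(baseline) if baseline else 0.0

def demo():
    """Constructed sample: three files, two of them grown by a 537-byte tail."""
    with tempfile.TemporaryDirectory() as root:
        for name, size in (("a.docx", 4096), ("b.xlsx", 100), ("c.txt", 10)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"\x00" * size)
        before = snapshot(root)
        # Simulate only the size change and rename; nothing is encrypted here.
        for old, new in (("a.docx", "a.docx"), ("b.xlsx", "b.xlsx.locked")):
            os.replace(os.path.join(root, old), os.path.join(root, new))
            with open(os.path.join(root, new), "ab") as fh:
                fh.write(b"\xff" * TRAILER_LEN)
        after = snapshot(root)
        return trailer_candidates(before, after), affected_ratio(before, after)
```

In practice the baseline would come from a backup manifest or file-server inventory taken before the incident, and a high ratio across a share is the signal worth escalating.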

DragonForce group's monthly attack trends (Source: Medium)

Linux variants target NAS, RHEL, and ESXi. They run as daemons, shut down ESXi virtual machines, gather system information, and modify the MOTD after encryption. The default configurations apply user-defined encryption and exclude paths, with beta extensions for per-file overrides. Although the LockBit 3.0-based builder has been discontinued as of January 2026, its essential features are still available.

According to Medium, related groups include BlackLock, RansomHub, Scattered Spider, DEVMAN, and LockBit, which are connected to DragonForce by shared infrastructure, code similarities, or conflicts. Companies should check for DragonForce IOCs on leak sites, patch vulnerabilities like CVE-2021-44228, and monitor for BYOVD activity.