DragonForce: Inside the Ransomware-as-a-Service group

Grey dragon head on door

​The popularity of Software-as-a-Service (SaaS) has exploded over the past decade. The benefits for organizations are obvious – SaaS is scalable, cost-effective, and doesn’t need complex installation or maintenance. Gartner expects global spending on SaaS to reach $3 billion in 2025. So, is it any surprise that cybercriminals want a piece of the action? Ransomware-as-a-Service (RaaS) is the illegal but enterprising business model used by criminal groups such as DragonForce.

We’ll explore how the Ransomware-as-a-Service model works, explain who DragonForce are and how they operate, plus share some dark web screenshots of their disputes with other RaaS providers. We’ve also got some advice on how to avoid the initial breaches that lead to ransomware deployment.

What’s Ransomware-as-a-Service (RaaS)?

Ransomware-as-a-Service (RaaS) is where ransomware developers lease their malware to affiliates or customers, typically through dark web marketplaces. Instead of carrying out attacks themselves, the developers provide ready-made ransomware tools, user interfaces, technical support, and sometimes even negotiation services with victims. Affiliates carry out the attacks and the developers take a cut of the ransom payments. A prime recent example is the DragonForce RaaS group allegedly working with the Scattered Spider group to attack Marks & Spencer (M&S).

This model lowers the technical barrier to entry for cybercrime, enabling even those with limited hacking skills to launch ransomware attacks. It also makes ransomware more scalable and profitable, contributing to its rise as a major cybersecurity threat. For a cybercrime group, it carries all the same benefits as SaaS. Except the goal here is to extort organizations through ransomware, infecting their systems and encrypting their data until a ransom is paid.

Who are Dragonforce?

DragonForce is a relatively new ransomware group that first surfaced in August 2023, initially framing itself as a pro-Palestinian hacktivist collective before pivoting toward profit-driven operations. Its earliest ransomware payloads were forks of leaked LockBit builders, but it has since developed its own bespoke variants (drawing on Conti v3 code) to support Windows, Linux, ESXi and NAS targets. The group’s multi-extortion approach (combining encryption with data theft and public leaks) underscores its evolution into one of the more dangerous hybrid Ransomware-as-a-Service operations on the global stage.

Beginning in early 2025, DragonForce has aggressively targeted high-profile UK retailers (most notably Marks & Spencer, the Co-op, and Harrods) deploying its ransomware to encrypt networks, disrupt online orders and payment systems, and threaten the publication of customer and employee data. In the Marks & Spencer incident, affiliates reportedly used social-engineering attacks on service desks tied to Scattered Spider to gain initial access before unleashing DragonForce’s ransomware.

Beyond these headline UK incidents, DragonForce’s leak site history shows claims of dozens more victims. Earlier victims of its ransomware included the Ohio Lottery (2023), where over 600 GB of user data was stolen, and corporate targets such as Coca-Cola, Yakult and even the government systems of the island of Palau. In 2024, the group’s affiliates publicly listed roughly 93 distinct victims across various sectors and geographies, spanning Windows, Linux, ESXi and NAS environments.

Where are DragonForce based?

In their RaaS announcement, DragonForce have prohibited the use of their encryptor against CIS countries (Russia and allies). This could suggest DragonForce is a Russian group. However, the BBC says that “conversations with the Co-op hackers were carried out in text form but it is clear the hacker, who called himself a spokesperson, was a fluent English speaker.” In previous forum messages, we’ve seen DragonForce posting in both perfect Russian and English. 

How does DragonForce’s RaaS model work?

Ransomware-as-a-Service (RaaS) outfits like DragonForce operate on a franchise model: core developers build and maintain the ransomware codebase (often forking or enhancing existing strains) and then lease access to affiliates. Affiliates gain access to a “white-label” affiliate portal where they can customize payloads, select encryption parameters, choose branding (or disguise DragonForce under another strain), and manage multi-extortion campaigns through dedicated leak sites. DragonForce developers handle the backend infrastructure (C2 servers, payment gateways, negotiation support).

Once recruited, affiliates target organizations to gain initial access via techniques such as:

  • Phishing, smishing, or vishing
  • Exploitation of unpatched vulnerabilities
  • Compromised credentials – stolen or purchased from other threat groups
  • Social engineering help desks to reset passwords and bypass MFA
desktop screen with warnings
How many of your end-users are using a compromised password in AD?

After establishing a foothold, they deploy loaders like SystemBC to exfiltrate sensitive data quietly, disable or delete security tooling, and then unleash the encryptor to lock down files. Finally, the group uses “double-extortion,” threatening to both withhold decryption keys and publicly leak stolen data on dedicated leak sites. This pressures victims to negotiate ransom payments (usually in cryptocurrency) under the threat of reputational and operational damage.

How do DragonForce operate on the dark web?

DragonForce started out in October 2023, but it was June 2024 when they announced the launch of their Ransomware-as-a-Service project in RAMP (dark web marketplace) to potential affiliates. Initially you could think about DragonForce as just another RaaS group, but interestingly they carried out the compromise of another ransomware project, Eldorado (aka BlackLock) and likely also compromised RansomHub (explored in detail in the next section). 

Screenshot: DragonForce announcing their RaaS operations
DragonForce announcing their RaaS operations

DragonForce are also known for more complex “double-extortion” methods. This involves going beyond just deploying ransomware and calling victims while recording the conversation. The recordings are posted in their data leak site to increase the reputation damage and pressure on the victim. For example, DragonForce recently directly contacted the BBC to say that their compromise of British retailer the Co-op was bigger than the retailer was letting on. 

DragonForce & RansomHub: Infighting among RaaS providers?

On April 1st, 2025, RansomHub’s data leakage site (DLS) stopped working and the managers stopped answering, according to complaints posted by affiliates in underground forums.  On April 2nd, 2025, DragonForce published an announcement “suggesting” RansomHub should join them and move to their infrastructure, in what can be interpreted as a mockery for their infrastructure being down.

Screenshot: DragonForce post seeming to mock RansomHub
DragonForce post seeming to mock RansomHub
Screenshot: RansomHub’s downed DLS included in the DragonForce comment
RansomHub’s downed DLS included in the DragonForce comment

On April 23rd, 2025, “koley“, the spokesperson of RansomHub, reappeared in the forum claiming to have suffered an attack coming from the state, and exposed an alleged traitor. A couple of days later, on April 25th, koley shared an image of DragonForce’s DLS being compromised and defaced with a message that suggests that the attack was carried out from within by “traitors”. 

Screenshot: koley mocking DragonForce’s technical issues
koley mocking DragonForce’s technical issues
Screenshot: Another post from koley aimed at DragonForce
Another post from koley aimed at DragonForce

A post from DragonForce on April 28th on the thread where they advertised their RaaS, claims that they are on a pause when it comes to “accepting collaborators” because of the recent events. This idea would fit with the fact that they were compromised by a “traitor”. 

Screenshot: DragonForce announcing a pause in operations
DragonForce announcing a pause in operations

What’s next for DragonForce and RansomHub?

Based on current underground forum rumors, there are a couple of possibilities here: 

  1. That RansomHub did an exit scam and they are the same as Dragonforce 
  2. Dragonforce and RansomHub are more enemies than allies
Screenshot: Underground forum messages regarding DragonForce and RansomHub (1)
Underground forum messages regarding DragonForce and RansomHub (1)
Screenshot: Underground forum messages regarding DragonForce and RansomHub (2)
Underground forum messages regarding DragonForce and RansomHub (2)
Screenshot: Underground forum messages regarding DragonForce and RansomHub (3)
Underground forum messages regarding DragonForce and RansomHub (3)

Another possibility is that DragonForce is compromising other RaaS providers. They compromised BlackLock in the past and some rumors say they also compromised Everest and now RansomHub

Screenshot: DragonForce denying attacking RansomHub
DragonForce denying attacking RansomHub

There have also been suggestions that DragonForce is collaborating with federal agents to compromise other RaaS providers. koley’s messages seem to indicate that they believe DragonForce was responsible for the attack on them, just like they were responsible for the attack on “Eldorado” (aka BlackLock/Mamona), and that they were collaborating with law enforcement to shutdown others.

koley also said “we only contact feds for traitors and bastards”. This means RansomHub could have collaborated with law enforcement sometime. In addition to this conflict with DragonForce, there are other users who insinuate that RansomHub’s infrastructure was taken down by Russian law enforcement because of them attacking Russian companies or institutions.

Screenshot: Accusations from dark web forum user “koley”
Accusations from dark web forum user “koley”

Reduce the risk of initial access to your organization

Easy-to-guess and stolen credentials are some of the easiest ways attackers can get initial access to your environment to deploy ransomware. Strong password security is your first line of defense against the credential-theft and brute-force methods attackers use to gain a foothold in your environment.

Specops Password Policy makes it simple to enforce long, complex passwords (or passphrases) that are unique to each account, dramatically increasing the time and resources an attacker needs to crack or guess them. Your Active Directory will also be continuously scanned against our database of over 4 billion unique breached credentials. Book a free demo today.

Continuous Scan Password Policy icon
Continuously block 4 billion+ compromised passwords in your Active Directory

Critically, strong password policies need to be paired with effective multi-factor authentication (MFA) such as Specops Secure Access. Even if an attacker phishes or brute-forces a password, MFA adds a vital second barrier. In combination, these measures close off the most common initial access vectors for ransomware operators. This forces them to move on to softer targets or buys defenders precious time to detect and respond before encryption or data exfiltration can occur. Try Specops Secure Access for free.

Concerned about the risk of ransomware? Talk to us today.

(Last updated on May 9, 2025)

picture of author marcus white

Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK, with 8+ years experience in the tech and cyber sectors. He writes about authentication, password security, password management, and compliance.

Back to Blog

Related Articles

  • M&S ransomware hack: Active Directory & Service Desk security lessons   

    ​M&S (Marks and Spencers) are a cornerstone of British retail with over 64,000 employees – so it was a shock for many to see them laid low by a ransomware attack in April 2025. The retail giant fell victim to a significant cyber-attack attributed to the hacking group known as Scattered Spider. Attackers reportedly infiltrated…

    Read More
  • Scattered Spider service desk attacks: How to defend your organization

    ​Scattered Spider is a disparate hacking collective that has surged to prominence by using sophisticated social engineering tactics. One of their key tactics is exploiting people – specifically, corporate service desks. They’ve recently hit the headlines by allegedly duping an IT help desk at Marks & Spencer into resetting a password that let them breach…

    Read More
  • Weak Windows passwords blamed for recent rise in Purple Fox attacks

    Purple Fox is malware that was first discovered in 2018 but has seen a recent rise in proliferation as hackers take advantage of a new attack method: weak passwords used over the SMB protocol. SMB (Server Message Block) is a protocol (mainly) used by Windows computers to communicate with other network devices like printers and…

    Read More