DragonForce is a Ransomware-as-a-Service (RaaS) operation that emerged in August 2023, initially linked to the pro-Palestinian hacktivist group “DragonForce Malaysia.” What started as ideologically driven attacks against perceived political adversaries quickly evolved into a profit-focused extortion scheme, targeting organizations worldwide for financial gain. By 2025, it had rebranded as a “ransomware cartel,” a loose alliance of affiliates who white-label its payloads under aliases like Devman and Mamona/Global, enabling broader and more customized attacks while fostering rivalries through site defacements.
Origins and Evolution
Rooted in Malaysia, DragonForce’s early payloads were crude adaptations of the leaked LockBit 3.0 builder, but it soon developed bespoke variants inspired by the Conti V3 ransomware, expanding compatibility to Windows, Linux, ESXi hypervisors, and NAS devices. In June 2024, it launched an affiliate program offering an 80% ransom cut, complete with automation tools for payload customization, evasion techniques, and ransom note personalization. This model democratizes ransomware deployment, allowing even low-skill affiliates to participate. The 2025 cartel shift amplified its reach, with hints of ties to groups like Scattered Spider and possible Russian Federation proxies for deniability.
Tactics, Techniques, and Procedures (TTPs)
DragonForce employs double-extortion: encrypting victim data with strong algorithms (e.g., AES-256 hybrids) while exfiltrating sensitive files for leak threats. Initial access often comes via phishing, stolen credentials, or unpatched vulnerabilities, followed by lateral movement over RDP/SMB, privilege escalation, and EDR evasion. A signature is the “readme.txt” ransom note, scattered across desktops, shares, and webroots, demanding crypto payments and boasting “unbreakable” encryption. Affiliates often stage inside a network for weeks before detonation; the encryption phase itself is rapid and highly tailored to maximize disruption.
Notable Activities and Impact
In 2024, DragonForce claimed 93 victims publicly, hitting sectors like critical infrastructure and governments. 2025 saw escalation: coordinated strikes on UK retailers (e.g., Marks & Spencer, Boots, Co-op) caused payment outages and data leaks, often in tandem with Scattered Spider. A manufacturing breach encrypted production servers, leading to multimillion-dollar downtime, while critical sectors faced evolved payloads bypassing defenses. By late 2025, the group had posted more than 20 victim claims in Q4 alone, including government targets, blending old hacktivist motives with cartel ambition.
Prevention and Mitigation
To counter DragonForce, prioritize patching (e.g., Log4j-style urgency), multi-factor authentication (MFA), and network segmentation. Implement zero-trust architectures, offline backups with quarterly tests, and behavioral analytics for anomaly detection—like unusual “readme.txt” writes. Train against social engineering, as phishing remains a prime vector. If infected, avoid payment; report to authorities and use resources like No More Ransom for potential decryptors. Tools from vendors like Darktrace or SentinelOne can automate hunting for these threats.
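The “unusual readme.txt writes” signal above can be turned into a concrete detection. The following is an added example, not DragonForce’s code or any vendor’s product: it scans constructed file-creation telemetry and alerts when a host drops a ransom-note filename into many distinct directories within a short window. The log format, the 5-minute window, and the 10-directory threshold are assumptions to tune against your own telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ransom-note filename DragonForce scatters across desktops, shares and webroots.
NOTE_NAMES = {"readme.txt"}
WINDOW = timedelta(minutes=5)   # assumed burst window; tune to your telemetry
MIN_DIRS = 10                   # distinct directories needed to raise an alert

# Constructed sample telemetry, one event per line: "<ISO time> <host> <action> <path>".
# ws01 is a user saving an ordinary readme; fs02 shows a note dropped across shares.
SAMPLE_LOG = [
    "2025-11-03T09:14:02 ws01 CREATE C:\\Users\\alice\\Documents\\readme.txt",
    "2025-11-03T09:20:11 ws01 CREATE C:\\Users\\alice\\Documents\\notes.txt",
] + [
    f"2025-11-03T02:01:{5 * i:02d} fs02 CREATE D:\\Shares\\dept{i:02d}\\readme.txt"
    for i in range(12)
]

def note_directory(path):
    """Directory of `path` if its filename is a known ransom-note name, else None."""
    norm = path.replace("\\", "/")          # accept Windows or POSIX paths
    directory, _, name = norm.rpartition("/")
    return directory if name.lower() in NOTE_NAMES else None

def detect_note_bursts(lines, window=WINDOW, min_dirs=MIN_DIRS):
    """Return {host: time of first burst} for hosts that create a ransom-note file
    in at least `min_dirs` distinct directories inside one `window`.
    A single note write (a user's own readme.txt) never trips the threshold."""
    per_host = defaultdict(list)
    for line in lines:
        ts, host, action, path = line.split(" ", 3)   # path may contain spaces
        directory = note_directory(path)
        if action == "CREATE" and directory is not None:
            per_host[host].append((datetime.fromisoformat(ts), directory))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct directories hit in the window that opens at this event.
            dirs = {d for ts, d in events[i:] if ts - start <= window}
            if len(dirs) >= min_dirs:
                alerts[host] = start
                break
    return alerts

if __name__ == "__main__":
    for host, when in detect_note_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}: ransom-note burst starting {when.isoformat()}")
```

Feed it real file-creation events (Sysmon Event ID 11, EDR file telemetry, or file-server audit logs) and extend NOTE_NAMES as affiliates personalize their note names.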
DragonForce exemplifies ransomware’s shift toward cartel-like ecosystems, but proactive defenses can keep it at bay. For the latest threats, monitor sources like Trend Micro or SentinelOne.