Fast Facts
- DragonForce, active since 2023, rebranded as a ransomware ‘cartel’ in early 2025, offering affiliates 80% profits, customizable encryptors, and infrastructure, thus expanding its global attack footprint.
- The group uses BYOVD attacks and has strengthened its ransomware encryptor after weaknesses were exposed in other malware, tying its code closely to leaked Conti v3 source code and sharing overlaps with LockBit Green.
- Its partnership with cybercriminal group Scattered Spider involves sophisticated social engineering, reconnaissance, and deployment techniques, enabling extensive network infiltration, lateral movement, and file encryption across multiple platforms.
- The expanding number of affiliates—such as Devman and Mamona—along with overlaps with other groups like LAPSUS$ and ShinyHunters, underscores DragonForce’s strategic shift towards collaboration and diversification, and the continued growth of the threat it poses worldwide.
The Core Issue
Recent investigations by the Acronis Threat Research Unit (TRU) reveal that DragonForce, a ransomware-as-a-service group that surfaced in 2023, has transformed into a sophisticated cybercriminal cartel actively recruiting affiliates and expanding its reach across various industries worldwide. Originating from a leaked Conti codebase, DragonForce now offers customizable encryptors, lucrative profit shares, and infrastructure to partners, fueling a surge in attacks on sectors like retail, airlines, and managed service providers, with over 200 victims publicly exposed since late 2023. The group’s collaboration with notorious entities like Scattered Spider, which specializes in initial access through social engineering and network infiltration, has enabled highly targeted attacks, including the high-profile breach of UK retailer Marks & Spencer. These operations often involve complex methods like BYOVD attacks, remote monitoring tools, and exfiltration of data via cloud platforms, underscoring the growing professionalism and threat posed by DragonForce and its affiliates.
The report emphasizes that DragonForce’s rebranding as a cartel signifies a strategic evolution aimed at strengthening its brand prominence and operational capabilities within the underground cybercrime ecosystem. Its partnerships with other notorious groups such as Scattered Spider—and the development of new variants like Devman—highlight an ecosystem of collaboration designed to bypass defenses and maximize impact. These associations reflect a broader shift from isolated attacks to organized, coalition-based campaigns that blur attribution lines and escalate cyber threats globally. The researchers conclude that by maintaining similar core code functionalities and enhancing encryption techniques, DragonForce is committed to consolidating its position as a key player in the ransomware landscape, continuously expanding its victim base and reinforcing its reputation as a highly active and resilient threat actor.
Potential Risks
The emergence of a threat like DragonForce, linked to a Conti-aligned ransomware cartel and collaborating with groups like Scattered Spider, underscores a growing danger that any business could face—a coordinated, sophisticated cyberattack aimed at crippling operations and extracting ransom. Such attacks can disable vital systems, cause data loss, halt productivity, and erode customer trust, leading to substantial financial and reputational damage. In today’s interconnected digital landscape, a single breach can cascade quickly, jeopardizing sensitive information and disrupting supply chains, making it crucial for any enterprise to bolster defenses against these advanced, collaborative cyber threats.
Fix & Mitigation
Timely remediation in cybersecurity is essential to contain threats before they escalate, minimize damage, and restore normal operations, especially when dealing with advanced threat groups like the reemerged DragonForce, linked to Conti and collaborating with Scattered Spider. Rapid response ensures vulnerabilities are addressed swiftly, reducing the potential for widespread impact and safeguarding organizational assets.
Containment Strategies
- Isolate affected systems immediately to prevent lateral movement of the ransomware.
- Disable network access for compromised devices to contain spread.
Detection and Analysis
- Deploy endpoint detection and response (EDR) tools to identify malicious activity.
- Conduct forensic analysis to understand attack vectors and scope.
Mitigation Actions
- Apply security patches and updates promptly to fix known vulnerabilities.
- Change credentials and reinforce authentication protocols, especially for remote access.
Recovery Processes
- Remove ransomware and restore data from secure backups.
- Validate system integrity before reconnecting to the network.
Preventive Measures
- Educate personnel on phishing and social engineering tactics used by threat groups like Conti and Scattered Spider.
- Implement strong access controls and multi-factor authentication (MFA).
- Regularly review and test incident response plans, ensuring swift action capability.
Collaboration and Reporting
- Share threat intelligence findings with industry peers and relevant authorities to stay ahead of emerging tactics.
- Report incidents to appropriate agencies to enhance collective defense efforts.