Quick Takeaways
- Emergence of DragonForce: DragonForce, launched in August 2023, is a disruptive force in the ransomware ecosystem, evolving from traditional Ransomware-as-a-Service (RaaS) to a ‘cartel’ model aimed at dominating the landscape by attacking rivals and collaborating with other groups.
- High-impact Attacks: The group focuses on credential theft and attacks on IT and virtualized infrastructures, notably executing significant cyberattacks on UK retailers and collaborating with the GOLD HARVEST group to deploy ransomware, demonstrating effective use of social engineering tactics.
- Internal Group Conflicts: DragonForce’s aggressive strategies include defacing competitor websites and allegedly executing a hostile takeover of RansomHub, revealing a chaotic atmosphere among ransomware groups that could lead to unpredictable attacks targeting organizations.
- Defensive Recommendations: Organizations should strengthen their defenses against DragonForce and similar threats by implementing technical controls, like browser isolation, endpoint detection for infostealers, and robust identity verification protocols, alongside enhancing employee vigilance against social engineering tactics.
Underlying Problem
In the context of a rapidly evolving cyber threat landscape, DragonForce has emerged as a formidable player in the world of ransomware, aiming to reshape the existing dynamics among cybercriminal groups. Initially introduced in August 2023 as a standard Ransomware-as-a-Service (RaaS) model, DragonForce pivoted in March 2025, rebranding itself as a ‘cartel’ designed to extend its influence and operational flexibility. By targeting both traditional IT infrastructures and virtualized environments like VMware ESXi, the group has engaged in high-impact attacks, heavily emphasizing credential theft and data exfiltration. Recent reports from the Counter Threat Unit (CTU) have tied DragonForce to a series of coordinated assaults against UK retailers, notably linking it to the GOLD HARVEST group, which employs sophisticated social engineering strategies for orchestrating breaches.
The tumultuous interactions between these two entities highlight a broader conflict within the cybercriminal underworld, wherein DragonForce’s aggressive tactics include not only attacks on rival ransomware operations but also a systematic attempt to dominate the marketplace. This landscape of internal warfare has been particularly illustrated through the hostile takeover of the RansomHub leak site and recent significant cyberattacks, such as the one against UK retailer Marks and Spencer, allegedly deploying DragonForce’s ransomware. With this dynamic, researchers are urging organizations to bolster their defenses through enhanced incident response strategies, stringent identity verification, and layered technical controls, acknowledging the pressing need for vigilance against increasingly opportunistic cyber threats.
Potential Risks
The emergence of DragonForce as a significant player in the ransomware ecosystem introduces substantial risks not only to its immediate victims but also to a wide spectrum of businesses and organizations that may become collateral damage in its evolution. As DragonForce’s activities destabilize the ransomware landscape through aggressive tactics, including credential theft and data exfiltration, the potential for increased erratic and opportunistic attacks escalates, impacting organizations across various sectors. Rival ransomware groups, such as GOLD HARVEST, utilizing DragonForce’s malware, can exacerbate vulnerabilities, leading to spillover effects that compromise third-party systems and data integrity. Such dynamics may foster a chaotic environment where businesses are forced to confront enhanced threats, requiring them to reassess and fortify their cybersecurity protocols, incident response strategies, and employee training to mitigate the increasingly pervasive threat infiltrating their operational frameworks. Consequently, the fallout from DragonForce’s actions transcends individual attacks, necessitating a holistic approach to cybersecurity and comprehensive risk management practices across the business ecosystem.
Possible Next Steps
Timely remediation is crucial to maintaining cybersecurity integrity, especially when faced with aggressive adversaries like DragonForce who seek dominance in the digital landscape.
Possible Mitigation Steps
- Immediate Threat Assessment
- Intrusion Detection Systems
- Patch Management Protocols
- Employee Training Programs
- Incident Response Plan Update
- Vulnerability Scanning and Penetration Testing
- Cyber Threat Intelligence Sharing
- Network Segmentation Techniques
NIST CSF Guidance
The NIST Cybersecurity Framework (CSF) emphasizes a lifecycle approach to risk management, advocating for continuous monitoring and timely adjustments in response to threats. For a deeper understanding of remediation, refer to NIST SP 800-61, which details incident response best practices.