Overview
DragonForce is a ransomware and data extortion group that evolved from a pro-Palestinian hacktivist collective into a financially motivated cybercriminal enterprise. The group emerged prominently in late 2023 and gained notoriety in 2024 through widespread attacks across retail, education, and manufacturing sectors. Known for using double extortion tactics, DragonForce both encrypts data and threatens to leak sensitive files on their public leak site, “DragonLeaks.” Their tactics suggest a hybrid structure, blending ideological narratives with profit-driven ransomware operations.
Known Aliases
- DragonForce Malaysia (former hacktivist identity)
- DragonForce Ransomware Gang
- DragonLeaks (leak site)
- DFRansom
Country of Origin
DragonForce ransomware is believed to originate from Malaysia, with core affiliations tracing back to Southeast Asia.
Notable Attacks / High-Profile Victims of DragonForce Ransomware
1. Marks & Spencer (M&S) – April 2025
In late April 2025, M&S, one of Britain’s largest department store chains, suffered a significant ransomware attack that disrupted online orders, in-store payment systems, and warehouse operations. The attack led to unauthorized access to customer data, including names, addresses, and order histories. Security experts linked the breach to affiliates of DragonForce, who deployed the DragonForce ransomware encryptor on M&S’s network. The attackers reportedly used techniques associated with the “Scattered Spider” group, suggesting initial access was gained through social engineering.The Guardian
Sources:
2. Co-op Group – April 2025
Shortly after the M&S incident, the Co-op Group, a major UK grocery and insurance retailer, experienced a cyberattack that disrupted supply chains and led to empty shelves across stores. The attack compromised ordering and logistics systems, and hackers accessed customer and employee data. While Co-op initially described the incident as contained, internal communications revealed significant concerns, including suspending VPN access and advising heightened vigilance on digital platforms. The attack pattern aligns with DragonForce’s affiliates, utilizing social engineering tactics for initial access.
3. Harrods – May 2025
In early May 2025, Harrods, the luxury London department store, confirmed a cyberattack that led to the restriction of internet access across its stores and facilities as a precaution. While Harrods stated that its stores remained operational and online shopping was unaffected, the timing and similarity to the M&S and Co-op attacks raised speculation of a coordinated campaign. However, there is no official confirmation linking DragonForce to this incident.
4. Saudi Real Estate and Construction Firm – February 2025
DragonForce targeted a prominent real estate and construction company in Riyadh, Saudi Arabia, exfiltrating over 6 terabytes of sensitive data. The attack, strategically timed before Ramadan, aimed to pressure the victim into paying a ransom. Upon refusal, DragonForce publicly leaked the stolen data, including confidential client and operational documents. This marked the group’s first major ransomware incident targeting a large enterprise in the Kingdom.Gurucul+3gbhackers.com+3builtenvironmentme.com+3gbhackers.com+2builtenvironmentme.com+2builtenvironmentme.com+2
Sources:
5. Ohio Lottery – December 2023
DragonForce breached the Ohio Lottery’s systems, claiming to have stolen over 600 GB of data, including sensitive information such as names, email addresses, and Social Security Numbers. This high-profile attack demonstrated the group’s capability to target government-operated entities.
6. Yakult Australia – Date Unspecified
The group claimed a breach of Yakult Australia’s systems, exfiltrating approximately 95.19 GB of company data. Details about the specific nature of the data or the impact on operations remain limited.
7. Coca-Cola Singapore – Date Unspecified
DragonForce claimed to have breached Coca-Cola’s Singapore operations, stealing over 400 GB of data. The specifics of the data compromised and the operational impact have not been publicly disclosed.Red Piranha+1Solace Cyber+1
Source:
MITRE ATT&CK Tactics and Techniques Used by DragonForce Ransomware
DragonForce leverages a range of tactics and techniques commonly observed in financially motivated ransomware groups:
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 |
| Initial Access | Valid Accounts (stolen credentials) | T1078 |
| Execution | Command and Scripting Interpreter | T1059.001 |
| Persistence | Create or Modify System Process | T1543 |
| Privilege Escalation | Abuse Elevation Control Mechanism | T1548 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Credential Access | OS Credential Dumping | T1003 |
| Lateral Movement | Remote Services (e.g., RDP, SMB) | T1021 |
| Exfiltration | Exfiltration Over Web Services | T1567.002 |
| Impact | Data Encrypted for Impact | T1486 |
Malware Strains Used by DragonForce Ransomware
- Custom ransomware payloads developed from publicly available builder kits
- Phobos (earlier campaigns)
- Cobalt Strike (post-exploitation)
- RClone and MEGA (data exfiltration)
- Mimikatz (credential harvesting)
- Remote access tools like AnyDesk and TeamViewer
Common Methods of Infiltration Used by DragonForce Ransomware
- Exploiting unpatched vulnerabilities in public-facing systems (e.g., Fortinet, WordPress)
- Phishing emails targeting admin or IT staff
- Use of compromised remote desktop credentials (purchased or stolen)
- Abuse of weak MFA implementations or lack of segmentation
- Deployment of remote access tools to maintain persistence
