In 2023, DragonForce Ransomware appeared with the acute accuracy of a cybermercenary who had previously been a political activist. The group quickly shifted its focus from making headlines for hacks motivated by ideological beliefs to profitable extortion campaigns using the Ransomware-as-a-Service (RaaS) model. It quickly became a disruptive force, enabling affiliates on different continents to use its platform to launch customized attacks, with each ransomware payload designed to target particular industries with terrifying precision.
By 2025, DragonForce had evolved into a franchise rather than merely a threat. Its core team creates the tools, manages the infrastructure, and negotiates the ransom, reflecting the operational sophistication of a well-funded startup. The attacks are simply launched by affiliates, which can include other RaaS groups. This laissez-faire strategy enables DragonForce to expand internationally, with especially brutal efficiency in the retail industry, as evidenced by the recent hacks at Harrods, the Co-op Group, and Marks & Spencer.
| Attribute | Details |
|---|---|
| Group Name | DragonForce |
| First Detected | Mid-2023 |
| Operation Model | Ransomware-as-a-Service (RaaS) |
| Initial Motivation | Ideological (political), later pivoted to financial |
| Core Capabilities | Custom ransomware payloads, C2 infrastructure, affiliate support |
| Notable Victims | Marks & Spencer, Co-op Group, suspected link to Harrods |
| Tactics Used | Phishing, credential theft, PowerShell, RDP lateral movement |
| Ransomware Base Code | Built on leaked LockBit 3.0 and Conti source code |
| Claimed Ethical Boundaries | Avoids healthcare targets (though unverified) |
| Reference Source | Group-IB DragonForce Report |
DragonForce’s ethos, as much as its technology, is what makes it so dangerous. The group has evolved into a cartel with the coded message, “We’re here for business and money,” much like a band that used to play garage gigs but now sells out arenas. Yet it maintains a contentious moral façade, asserting that it will not touch healthcare facilities, particularly cancer clinics. Whether this is genuine restraint or just a marketing gimmick is questionable. Either way, it is a deliberate move meant to distance DragonForce from “chaotic evil” threat actors and cast it instead as the corporate villain archetype.

DragonForce’s technical prowess was demonstrated during the Marks & Spencer hack. The attackers used social engineering to gain access to M&S’s Active Directory by posing as Scattered Spider, a known affiliate. Before encrypting vital systems and halting online services and warehouse logistics, they sat in silence for weeks or even months. Click-and-collect stopped working. Contactless payments stalled. A century-old British retailer collapsed under a digital siege, leaving customers staring at error messages.
Days later, similar activity was noticed at the Co-op Group, which owns everything from supermarkets to insurance services. Leaked internal memos exposed strict lockdowns, including the suspension of VPNs, the requirement for identity verification during video meetings, and heightened phishing awareness across departments, despite the company’s claims of little disruption. Credential theft, staged access, and containment attempts—all characteristics of DragonForce—were present, indicating an attack that was intercepted in progress.
Then came Harrods. The upscale London department store acknowledged a breach on May 1, 2025. In contrast to the previous victims, Harrods was able to avoid serious operational consequences. However, the incident’s timing and proximity to the M&S and Co-op attacks point to a larger campaign targeting British retail. Analysts view it as a trial run for DragonForce’s growing affiliate network, with every breach serving as a field test to refine their strategy.
Technically speaking, DragonForce affiliates embed scripts via the Windows Registry and use PowerShell to execute commands silently. They maintain persistence through Run keys or scheduled tasks. Their techniques are particularly effective because the OS trusts PowerShell, so many antivirus programs fail to detect its misuse. In multiple incidents, investigators discovered Cobalt Strike beacons embedded in memory, a sign of ongoing command-and-control sessions with external operators.
Additionally, DragonForce affiliates move laterally via SMB shares and Remote Desktop Protocol (RDP). Once inside a network, they swiftly locate high-value targets such as backup storage and VMware ESXi servers. By encrypting virtualization platforms like ESXi, they can disable dozens of systems at once, which is the strategy used in the M&S case. These days, scale and speed matter more than encryption alone.
Credential access is yet another essential component. The group obtains sweeping privileges by extracting domain admin credentials using tools such as Mimikatz and LSASS memory scraping. It then establishes persistent access by adding its own users to Active Directory, modifying the registry, and creating scheduled tasks. In this terminal-speed chess game, DragonForce frequently thinks ten moves ahead.
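The three paragraphs above describe tradecraft that leaves footprints in ordinary Windows telemetry: PowerShell launched with hidden or encoded switches, Run-key and scheduled-task persistence, RDP logons, handles opened on LSASS, and new accounts appearing in the directory. The following triage script is an added example written for this article; it is not DragonForce tooling, nor any vendor's detection content. It runs the corresponding rules over constructed Security/Sysmon-style event records (the event IDs are real Windows/Sysmon IDs; hostnames, users, paths and the `TRUSTED_LSASS_CLIENT_PREFIX` allowlist are assumptions) and then correlates per host, because any one of these rules also fires on legitimate admin activity while several together on one machine rarely do.

```python
"""Triage constructed Windows Security / Sysmon event records for the
affiliate tradecraft described above. Added example, not the group's tooling
or any vendor's detection content; every sample value below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
import re

# Real event IDs referenced by the rules below.
SEC_LOGON = 4624          # Security: logon; LogonType 10 = RemoteInteractive (RDP)
SEC_PROC_CREATE = 4688    # Security: process creation (command line auditing on)
SEC_TASK_CREATED = 4698   # Security: scheduled task created
SEC_USER_CREATED = 4720   # Security: user account created
SYSMON_PROC_ACCESS = 10   # Sysmon: a process opened a handle to another process
SYSMON_REG_SET = 13       # Sysmon: registry value set

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Hidden window, encoded command or no-profile switches on powershell.exe.
PS_SUSPICIOUS_RE = re.compile(
    r"-(e|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden|-nop", re.IGNORECASE)
# Assumption: OS binaries under System32 may touch LSASS; tune per estate.
TRUSTED_LSASS_CLIENT_PREFIX = "c:\\windows\\system32\\"


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    severity: int   # 1 = notable, 2 = suspicious, 3 = likely credential theft
    detail: str


def triage(events):
    """Map raw event dicts to Findings, one rule per technique in the article."""
    findings = []
    for ev in events:
        eid, host = ev.get("EventID"), ev.get("Computer", "?")
        if eid == SEC_LOGON and ev.get("LogonType") == 10:
            findings.append(Finding(host, "rdp_logon", 1,
                                    f"{ev.get('TargetUserName')} from {ev.get('IpAddress')}"))
        elif eid == SEC_PROC_CREATE:
            cmd = ev.get("CommandLine", "")
            if "powershell" in cmd.lower() and PS_SUSPICIOUS_RE.search(cmd):
                findings.append(Finding(host, "powershell_hidden_or_encoded", 2, cmd))
        elif eid == SYSMON_REG_SET and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            findings.append(Finding(host, "run_key_persistence", 2, ev["TargetObject"]))
        elif eid == SEC_TASK_CREATED:
            findings.append(Finding(host, "scheduled_task_created", 1, ev.get("TaskName", "")))
        elif eid == SYSMON_PROC_ACCESS:
            src = ev.get("SourceImage", "")
            if (ev.get("TargetImage", "").lower().endswith("\\lsass.exe")
                    and not src.lower().startswith(TRUSTED_LSASS_CLIENT_PREFIX)):
                findings.append(Finding(host, "lsass_access", 3, src))
        elif eid == SEC_USER_CREATED:
            findings.append(Finding(host, "new_account_created", 2,
                                    f"{ev.get('TargetUserName')} by {ev.get('SubjectUserName')}"))
    return findings


def score_hosts(findings, min_score=5, min_techniques=3):
    """Correlate per host: the signal is several distinct techniques on one
    machine, since each single rule also fires on routine administration."""
    techniques, scores = defaultdict(set), defaultdict(int)
    for f in findings:
        techniques[f.host].add(f.technique)
        scores[f.host] += f.severity
    return {h: {"score": scores[h], "techniques": sorted(t),
                "escalate": scores[h] >= min_score or len(t) >= min_techniques}
            for h, t in techniques.items()}


# Constructed sample telemetry: one workstation showing the full chain, two
# hosts with a single notable event each, and one host doing benign admin work.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS-FIN-07", "LogonType": 10,
     "TargetUserName": "j.doe", "IpAddress": "10.20.1.55"},
    {"EventID": 4688, "Computer": "WS-FIN-07",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBCAEMA"},
    {"EventID": 13, "Computer": "WS-FIN-07",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 10, "Computer": "WS-FIN-07", "SourceImage": r"C:\Users\Public\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 4698, "Computer": "SRV-BKP-01", "TaskName": r"\Microsoft\Windows\Sync",
     "SubjectUserName": "svc_backup"},
    {"EventID": 4720, "Computer": "DC-01", "TargetUserName": "helpdesk2",
     "SubjectUserName": "j.doe"},
    {"EventID": 4688, "Computer": "WS-HR-02",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"EventID": 4624, "Computer": "WS-HR-02", "LogonType": 2,
     "TargetUserName": "a.smith", "IpAddress": "-"},
]

if __name__ == "__main__":
    for host, verdict in score_hosts(triage(SAMPLE_EVENTS)).items():
        print(host, verdict)
```

On the sample data only WS-FIN-07 is escalated: an RDP logon, a hidden encoded PowerShell launch, a Run-key write and a non-system process opening LSASS add up to four distinct techniques. The backup server's lone scheduled task and the domain controller's single new account stay at "notable" until something else lands on the same host, and the HR workstation's signed inventory script never matches at all. In a real deployment the same rules would be fed from a SIEM query rather than an inline list, and the allowlist for LSASS clients needs tuning against the EDR and backup agents actually present.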
It’s interesting to note that their attacks uncannily resemble campaigns by LockBit and Conti affiliates. That is no accident. The leaked source code of both ransomware families served as the foundation for DragonForce’s encryptor, which combines their strongest features with evasion techniques such as sandbox detection and junk-code obfuscation.
DragonForce’s polish is what makes it unique. Consider it the Spotify of ransomware: users (victims) encounter a polished interface with a payment portal and expert communication, affiliates receive a ready-made platform, and the brand grows through user-generated distribution. Though for illicit reasons, this model is similar to contemporary SaaS startups in that it includes tech support and version updates.
Beyond the immediate monetary losses, DragonForce’s campaigns have revealed concerning weaknesses in corporate cyber preparedness. Phishing emails and lax VPN policies hurt retail giants like M&S and Harrods, companies that invest heavily in physical infrastructure and brand identity. The pattern points to a consistent boardroom underestimation of cyber resilience, which experts caution needs to change.
Each attack also shifts public perception. Trust erodes as more customers learn that their favorite retailers have been compromised. Furthermore, DragonForce frequently exfiltrates enormous amounts of data—more than 6 TB in one documented case—so the consequences are reputational as well as operational. Class-action lawsuits, regulatory penalties, and brand dilution are all possible outcomes for victims.
Meanwhile, other ransomware groups are watching. Imitators are already being influenced by DragonForce’s hybrid business model, which combines ideology, business acumen, and operational skill. If LockBit was the successful debut, DragonForce is the prestige spinoff with syndication rights.
As of May 2025, cybersecurity experts advise companies to change their defensive posture. Beyond firewalls and antivirus software, businesses must harden endpoints, train staff, monitor network activity, and rehearse breach response plans. Because they provide simulations that replicate actual DragonForce tactics, BAS platforms like Picus Security’s SCV are proving especially helpful in enabling defenders to patch vulnerabilities before attackers take advantage of them.