
The DragonForce ransomware group, which primarily operates a ransomware-as-a-service business model, has targeted as many as 363 companies since it emerged in December 2023, with criminal activity peaking in 2025.
According to researchers Byeongyeol An and Gahyun Choi at cyber threat intelligence company S2W Talon, the DragonForce ransomware group has entrenched itself in the ransomware-as-a-service ecosystem in the past two years, developing its custom ransomware based on the leaked LockBit 3.0 and Conti source code.
The group also offers customized payload generation and configuration options to affiliates through its RansomBay service. The advanced affiliate panel, according to the researchers, provides functionality for client management, build generation, team coordination, content publishing, and support ticket handling.
The group announced its arrival in December 2023 by disclosing the names of 22 victim companies on its data leak site and went on to routinely victimise dozens of organisations every month, with the total number of targeted businesses touching 363 by January 2026. In December alone, the group claimed to have victimised 35 businesses.
The group claimed its latest victim earlier in February, announcing on its data leak site that it breached HanseMerkur, a major German insurance group that reported €3 billion in revenue in 2025, and stole nearly 97 gigabytes of internal company data.
The group previously claimed attacks against several high-profile retail organisations, including the UK-based Co-op and Marks & Spencer, as well as the U.S. department store chain Belk. The group has also alleged a major data theft involving Mobilelink US, the largest authorised dealer for Cricket Wireless services, claiming the exfiltration of roughly 5 terabytes of data.
The ransomware group’s operators have worked hard to differentiate the group from rival ransomware operators, maintaining a presence on popular forums like BreachForums, RAMP and Exploit, and recruiting affiliates and pentesters through offerings like DragonForce Ransomware cartel, RansomBay, Harassment Calling, and Data Analysis.
Over the past two years, security researchers have observed the ransomware group either developing adversarial relations with other groups or sharing tools and tactics with them to enhance the effectiveness of its operations.
The group has been observed using the same source code and ransom note as the BlackLock ransomware group, establishing communication channels with the Qilin and LockBit groups, and jointly running operations with a group known as Scattered Spider.
"DragonForce has been expanding its operational scope through attacks on other groups as well as through cooperative relationships, which is assessed as an effort to strengthen its position within the ransomware ecosystem," the researchers said.
According to Trend Micro, despite DragonForce growing into a well-established ransomware operator with hundreds of victims worldwide and a wide base of affiliates, it has been difficult to attribute the group’s connections to a specific nation-state or cartel.
"Some reports suggest it has ties to an older Malaysian-based hacktivist collective that pivoted to RaaS, while others maintain that the ransomware operation is a separate entity altogether, despite sharing the same name," the company said. "If the former is true, the group’s roots date back to 2021, when DragonForce Malaysia started pushing its political message. On the other hand, DragonForce ransomware operations were first observed two years later in August 2023."