DragonForce Threat Actor Profile

Overview

DragonForce is a cyber threat group that has rapidly evolved from hacktivist beginnings into a prolific ransomware operation. Active since mid-2023, it initially engaged in ideologically driven attacks but later shifted focus to financially motivated extortion. In recent months, DragonForce has made headlines by claiming responsibility for disruptive cyberattacks against major UK retailers including Marks & Spencer (M&S), the Co-op supermarket, and luxury store Harrods. The gang employs a multi-extortion model: not only do they encrypt victims’ data, but they also steal sensitive information and threaten to leak it on their dark web site if ransoms are not paid. As of May 2025, DragonForce’s leak site listed over 150 victim organisations globally, marking it as one of the most active ransomware groups of the past year.

Origin and Evolution

DragonForce traces its roots to a Malaysian hacktivist collective known as DragonForce Malaysia, which rose to prominence around 2021. This group aligned with pro-Palestinian causes and carried out politically motivated cyber-attacks such as website defacements, denial-of-service (DDoS) attacks, and data leaks targeting Israeli entities. Building on that notoriety, the threat actors pivoted in August 2023 to launch a ransomware-as-a-service (RaaS) operation under the DragonForce name. Early ransomware payloads were created using leaked LockBit 3.0 (aka “LockBit Black”) code repurposed under the DragonForce brand. Over late 2023, the crew expanded its reach, breaching multiple victims worldwide and leaking massive troves of data – for example, on Christmas Eve 2023 they dumped personal information on over 500,000 individuals from one organisation, highlighting the group’s rising impact.

By mid-2024, DragonForce’s operators formally launched an affiliate programme to scale their operations. This move opened their platform to other cybercriminals, providing affiliates with tools to customize ransomware payloads and manage campaigns via DragonForce’s portal. Around the same time, the group began referring to itself as a “ransomware cartel,” foreshadowing plans to let affiliates operate under their own brands. DragonForce developers also iterated on their malware arsenal: in mid-2024 they introduced a new strain based on leaked Conti v3 source code, incorporating enhancements like faster file encryption (using the ChaCha8 algorithm) and even a “Bring Your Own Vulnerable Driver (BYOVD)” technique for evading security. This bespoke Conti-based variant, alongside the original LockBit-based locker, gave the group a dual toolkit to attack victims.

Tactics, Techniques, and Procedures (TTPs)

DragonForce and its affiliates employ a broad range of tactics to breach targets and maximize damage:

  • Initial Access: The group often gains entry via phishing and exploitation of known vulnerabilities. Many intrusions begin with spear-phishing emails carrying malicious attachments or links, tricking users into running malware or revealing credentials. In addition, DragonForce aggressively targets exposed remote services – for instance, using stolen or brute-forced credentials to access Remote Desktop Protocol (RDP) and VPN systems. They have been observed scanning for and exploiting unpatched internet-facing applications; notable exploits include the Apache Log4j “Log4Shell” flaw and multiple Ivanti Pulse Secure VPN vulnerabilities that provided footholds into victim networks.
  • Post-Exploitation Tools: Once inside a network, DragonForce operators deploy an array of commodity hacking tools and malware. They frequently use Cobalt Strike beacons for command-and-control and to coordinate the attack across compromised machines. For credential theft, they employ tools like Mimikatz to dump passwords from memory, and they utilise scanners such as Advanced IP Scanner and PingCastle to map out the victim’s Active Directory environment. The attackers also install backdoors for persistence; notably, DragonForce has been seen deploying the SystemBC malware, which provides a SOCKS5 proxy tunnel for stealthy communication and lateral movement within victim networks. These tools and malware allow the group to escalate privileges and pivot across the IT environment while evading detection.
  • Lateral Movement & Privilege Escalation: DragonForce affiliates leverage valid accounts and built-in administrative tools to move laterally (“living off the land”). In one early case, attackers used stolen domain logins to access an exposed RDP server, then ran PowerShell scripts to download a Cobalt Strike payload and establish persistence via SystemBC. They commonly attempt to disable security software and harvest additional credentials as they spread through the network. The group also targets backup systems and Volume Shadow Copies, trying to delete or encrypt them to hinder recovery efforts. Victim reports and forensic analyses indicate that DragonForce operatives often create new accounts or use tools like net commands and PSExec for lateral movement, while concealing their tracks by clearing logs and using encrypted communication channels.
  • Ransomware Deployment & Extortion: After infiltrating a victim’s environment and exfiltrating sensitive data, the attackers deploy the DragonForce ransomware payload across Windows and Linux systems, and even VMware ESXi servers and NAS storage if present. The malware encrypts files and typically appends a telling extension (one variant, for example, adds “*.dragonforce_encrypted” to filenames). Affiliates can customise the ransom note and file extension, especially now that DragonForce offers “white-label” options, which can make each attack appear as a unique ransomware strain. Alongside encryption, large volumes of data are stolen to be used as leverage. Victims receive ransom notes directing them to a Tor hidden service (the DragonForce/“DragonLeaks” or RansomBay site) where payment is demanded in cryptocurrency and a countdown to data publication is given. If the ransom is not paid, DragonForce follows through by leaking the stolen data on its site to pressure the victim and signal to others that non-payment has consequences. This double-extortion approach is a hallmark of the group’s technique, maximizing the potential harm to victims.

Notably, DragonForce maintains a code of conduct for its affiliates’ operations. The gang explicitly prohibits any attacks against hospitals (especially those treating critical patients, children or the elderly) and discourages targeting critical infrastructure that could endanger lives. The affiliates are also instructed not to hit organisations in Russia or other Commonwealth of Independent States (CIS) countries, a rule common among many Eastern European cybercrime groups. DragonForce claims it will “punish” partners who violate these rules. This suggests the group wants to project a pseudo-ethical stance (avoiding indiscriminate harm), as well as to steer clear of provoking certain law enforcement bodies.

Targeting Profile

Geographic reach: DragonForce’s victimology is truly global. In its first year, over half of the victims listed on the group’s leak site were based in the United States, with a significant number also in Europe and the Asia-Pacific region. The group’s hacktivist roots are reflected in some regional targeting choices: for instance, a notable number of DragonForce attacks have hit organisations in Israel, India, and Saudi Arabia. These countries are presumed to be of interest due to political or ideological motivations (e.g. support for causes aligned against Israel). At the same time, DragonForce is opportunistic – it has struck victims in dozens of countries regardless of ideology, whenever financial gain is to be had.

Sector focus: The gang’s targets span a broad range of industries. Government agencies and public sector bodies have been attacked (including a national government in the Pacific), as well as companies in manufacturing, transportation, real estate, finance, healthcare, and retail. DragonForce shows a particular penchant for organisations holding sensitive personal or legal data: law firms and medical clinics have been heavily targeted, likely because the potential fallout from data leaks (exposing client or patient information) can pressure these victims into paying ransoms. Critical infrastructure has not been off-limits either – the group has hit transportation and utility sectors on occasion (for example, a public transit authority in the US).

Recent focus on UK retail: In April 2025, DragonForce turned its attention to Britain’s high street. Within the span of days, ransomware incidents struck M&S, the Co-op, and Harrods, causing major disruptions. M&S had to suspend online shopping and grapple with significant IT outages, while Co-op’s back-office systems and call centres were affected. Harrods pre-emptively restricted network access after detecting intrusion attempts. DragonForce boasted of orchestrating these attacks, and investigators believe an affiliate of the group was indeed behind the breaches. In Co-op’s case, the retailer confirmed that a “significant number” of current and past members’ data was accessed and stolen during the attack – indicating that DragonForce not only disrupted operations but also obtained valuable customer data for extortion. The UK retail campaign underscores the group’s capability and willingness to hit high-profile targets in pursuit of large pay-outs and publicity.

Excluded targets: As noted, DragonForce enforces certain targeting restrictions. The gang forbids strikes on hospitals treating vulnerable populations, in an effort to avoid endangering lives. They also ban attacks on organisations in Russia and former Soviet states. The latter is a common practice among Russian-speaking ransomware crews, often meant to deter attention from Russian authorities. While it’s unclear if DragonForce’s core members are actually based in Russia, this self-imposed rule suggests a desire to operate unhindered by any “home turf” crackdowns. In essence, DragonForce positions itself as a group that primarily preys on large corporations and government-aligned entities (“those with dirty hands,” as a purported DragonForce statement put it) while avoiding targets that might generate intense backlash or cross certain ethical lines.

Notable Campaigns and Victims

  • 2021–2022 – Hacktivist Campaigns: Before its ransomware era, DragonForce gained attention through hacktivist operations. Under the banner of OpsBedil, DragonForce Malaysia and allies like the T3 Dimension Team coordinated cyber-attacks against Israel in retaliation for geopolitical events. These attacks involved mass website defacements, DDoS disruptions, and leaks of stolen data, all justified by the group as protest against Israel’s actions. This period established DragonForce’s ideological persona and technical skills, setting the stage for its later transition to cybercrime.
  • Late 2023 – Major Data Leaks: As DragonForce shifted to extortion, it executed some of its most consequential data breaches in late 2023. On 24 December 2023, the gang released a cache of personal data on over 500,000 individuals from a compromised organisation, inflicting reputational and regulatory damage to the victim. Around the same time, DragonForce claimed another breach involving a credential-stuffing attack that exposed roughly 567,000 user accounts from a different target. These incidents, coming around the holidays, showcased DragonForce’s willingness to publish massive datasets and signaled that it had become a serious data extortion threat.
  • Early 2024 – Attack on Critical Infrastructure: In early 2024, DragonForce set its sights on the public sector. One notable victim was Honolulu’s Oahu Transit Services (OTS), the public transportation agency for the city. DragonForce operatives infiltrated OTS and exfiltrated hundreds of gigabytes of passenger and operational data. The attack disrupted services and raised alarms about the group’s capability to impact critical infrastructure. This marked a shift from purely corporate targets to also include public utilities, blending the group’s political swagger (a strike on a city service) with financial extortion motives.
  • Mid 2024 – Global Breaches: Throughout 2024, DragonForce racked up victims across multiple continents. The group was linked to an attack on the Government of Palau, a small Pacific island nation, demonstrating no target was too remote. In the private sector, DragonForce hit companies like Coca-Cola’s Singapore division, the Ohio State Lottery in the US, and Yakult Australia, among others. In each case, the pattern was similar: network intrusions followed by ransomware deployment and data theft, with the stolen data later listed on DragonForce’s leak site. These diverse victims underscored the group’s broad targeting and its affiliates’ autonomy in choosing prey.
  • April 2025 – UK Retail Chain Attacks: The most high-profile campaign attributed to DragonForce to date has been the spring 2025 assault on British retailers. In late April 2025, Marks & Spencer, Co-op, and Harrods all fell victim to ransomware attacks within days of each other. M&S was forced to take the drastic step of suspending all online orders, as its IT systems were crippled and recovery efforts dragged on. Co-op initially reported outages in its back-office and call centre, and later admitted that hackers accessed a database containing information on a large number of its members (names, contact details, and more). Harrods, meanwhile, detected the intrusion early and temporarily cut off internet access across its stores to contain the threat. DragonForce’s role was confirmed when the gang posted about these breaches on its leak site and boasted to media. The UK National Cyber Security Centre also became involved, warning the retail sector of the threat. This coordinated attack spree against well-known companies not only caused operational and financial damage, but also signaled DragonForce’s emergence as a top-tier ransomware actor on the international stage.

Technical Indicators

DragonForce’s operations leave behind various indicators that defenders can watch for:

  • Ransomware Variants: The group currently uses two main ransomware codebases. One is a fork of the LockBit 3.0 (Black) ransomware builder, which was used in DragonForce’s early attacks. The other is a customised fork of the Conti ransomware (specifically Conti v3) which comes with advanced features integrated by DragonForce, such as a BYOVD capability and improved encryption routines. Both variants are deployed under the DragonForce banner, though the gang’s new “white-label” scheme means affiliates may rename the ransomware in each campaign. Despite rebranding, these payloads share common lineage – for example, analysts have noted the “.dragonforce_encrypted” file extension in some attacks (a default that affiliates can modify). The malware also generates ransom note files (commonly in each directory) that direct victims to DragonForce’s leak/payment site; the exact filename can vary per affiliate, but security firms have catalogued the hashes of these notes to aid detection.
  • Cross-Platform Targeting: DragonForce provides its affiliates with builders that can output ransomware for multiple operating systems. Samples have been seen targeting Windows, Linux, VMware ESXi, and even NAS devices. This multiplatform capability means the presence of unusual ELF (Linux) or ESXi-targeting binaries alongside Windows malware on a victim network could indicate DragonForce involvement. Similarly, the group’s Linux encryptors are often designed to target VMware virtual machines – for instance by terminating VM processes before encryption – tactics reminiscent of other major ransomware gangs.
  • Network Artifacts: Evidence of certain tools and behaviors can serve as DragonForce indicators. The use of SystemBC backdoor malware on a network (especially in conjunction with a ransomware incident) is one possible sign, since DragonForce has leveraged SystemBC frequently for persistence. If Cobalt Strike beacons or Meterpreter/Brute Ratel shells are detected in an environment that subsequently experiences a ransom event, they could be associated with a DragonForce affiliate’s foothold. The group’s intrusions have also been correlated with Mimikatz execution for credential dumping (look for Event Log entries or memory scans indicating LSASS access). Network scanning activity from tools like Advanced IP Scanner or PingCastle (which queries Active Directory for vulnerabilities) is another clue, as these have been part of DragonForce’s toolset. Unusual RDP login attempts, especially from foreign IP addresses or using previously unseen accounts, preceding a ransomware attack, may likewise point to DragonForce given their penchant for RDP-based ingress.
  • Leak Site and Communications: DragonForce operates a dedicated leak site on the dark web (known originally as DragonLeaks, now rebranded to RansomBay in 2025). The site is used to name-and-shame victims and publish stolen data. If a newly emerging leak site uses the DragonForce/RansomBay branding or features the group’s distinctive graphics and phrasing, that is a clear indicator of DragonForce activity. The gang’s Tor negotiation portal and victim communication pages may also contain unique markers – for example, DragonForce might reference its “cartel” or include its mascot/logo in HTML content. Monitoring threat intelligence for mentions of a victim on DragonForce’s site can provide early warning that an attack was by this group. In some cases, law enforcement and security researchers have found that DragonForce posts “press releases” on underground forums or via Telegram boasting about certain attacks; such chatter is another indirect indicator linking an incident to the group.
  • Cryptocurrency Wallets: While specific wallet addresses frequently change, organisations tracing ransom payments have noted that DragonForce affiliates deposit funds into wallets that then often funnel through mixers or known exchange accounts. If a ransom demand directs payment to a wallet that has been flagged in past DragonForce cases, it strengthens attribution. However, due to the affiliate model, there may not be a single consistent wallet or coin – affiliates could use their own wallet addresses, with the gang taking its 20% cut afterward through an internal ledger.

In summary, a combination of technical signs – the presence of DragonForce’s malware (LockBit/Conti variants), use of certain attack tools, and the appearance of the victim’s data on the RansomBay leak site – is a strong indicator of this group’s handiwork. Security teams and threat hunters should correlate these indicators with known DragonForce TTPs to confidently identify an intrusion by this actor.
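The correlation of endpoint indicators described above can be sketched in code. This is an added example, not part of the original profile or any vendor tooling: it groups tool sightings and default-extension file creations per host inside a time window. The event schema, host names, executable image names, thresholds and sample telemetry are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Default image names for tools named in the profile (assumed; binaries are
# trivially renamed, so a name match is a triage lead, not proof).
TOOL_CATEGORIES = {
    "mimikatz.exe": "credential_dumping",
    "advanced_ip_scanner.exe": "network_scanning",
    "pingcastle.exe": "ad_recon",
    "psexec.exe": "lateral_movement",
}
# Default extension reported for one variant; affiliates can change it.
ENCRYPTED_SUFFIX = ".dragonforce_encrypted"


def classify(event):
    """Map one endpoint event to an indicator category, or None."""
    if event["type"] == "process":
        image = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        return TOOL_CATEGORIES.get(image)
    if event["type"] == "file_create":
        if event["path"].lower().endswith(ENCRYPTED_SUFFIX):
            return "encrypted_file"
    return None


def correlate(events, window=timedelta(hours=24), min_categories=2, min_encrypted=3):
    """Per host, find the richest set of distinct indicators inside one window."""
    hits = defaultdict(list)
    for ev in events:
        category = classify(ev)
        if category:
            hits[ev["host"]].append((datetime.fromisoformat(ev["time"]), category))

    report = {}
    for host, items in hits.items():
        items.sort()
        best = set()
        for i, (start, _) in enumerate(items):
            in_window = {c for t, c in items[i:] if t - start <= window}
            if len(in_window) > len(best):
                best = in_window
        encrypted = sum(1 for _, c in items if c == "encrypted_file")
        precursors = best - {"encrypted_file"}
        if encrypted >= min_encrypted:
            verdict = "encryption_observed"
        elif len(precursors) >= min_categories:
            verdict = "pre_ransomware_activity"  # several tools, no encryption yet
        else:
            verdict = "single_indicator"  # e.g. legitimate admin use of one tool
        report[host] = {"verdict": verdict, "categories": sorted(best)}
    return report


def _proc(host, time, image):
    return {"type": "process", "host": host, "time": time, "image": image}


# Constructed sample telemetry (hypothetical hosts, paths and timestamps).
SAMPLE_EVENTS = [
    _proc("FS01", "2025-04-22T01:10:00", r"C:\Users\Public\PingCastle.exe"),
    _proc("FS01", "2025-04-22T01:40:00", r"C:\Users\Public\mimikatz.exe"),
    *[{"type": "file_create", "host": "FS01", "time": f"2025-04-22T03:06:0{i}",
       "path": rf"D:\Shares\finance\report{i}.xlsx.dragonforce_encrypted"}
      for i in range(3)],
    _proc("DC02", "2025-04-22T02:00:00", r"C:\Temp\Advanced_IP_Scanner.exe"),
    _proc("DC02", "2025-04-22T02:30:00", r"C:\Temp\PsExec.exe"),
    _proc("WS17", "2025-04-22T09:00:00", r"C:\Tools\PsExec.exe"),
    _proc("WS17", "2025-04-22T09:05:00", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for host, result in sorted(correlate(SAMPLE_EVENTS).items()):
        print(host, result["verdict"], result["categories"])
```

Because affiliates can rename both the tools and the extension, a host that returns no hits here is not cleared; behavioural EDR detections remain the primary control.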

Defensive Measures and Recommendations

Given DragonForce’s aggressive tactics and evolving techniques, organisations should adopt a multi-layered defensive strategy. The following measures can help prevent DragonForce attacks or mitigate their impact:

  • Harden Email Security & User Awareness: Improve phishing defenses as many DragonForce breaches originate via malicious emails. Deploy advanced email filtering with sandboxing to catch malware attachments, and implement DMARC/SPF/DKIM to reduce spoofing. Regularly train staff to spot phishing and social engineering – users should be cautious with unexpected login prompts or unsolicited links. Conduct periodic phishing simulations to reinforce vigilance, since DragonForce affiliates are skilled at crafting convincing lures.
  • Enforce Strong Authentication (MFA): Enable multi-factor authentication on all remote access services and sensitive accounts (VPNs, RDP, email, cloud admin accounts, etc.). MFA significantly reduces the risk from stolen passwords – even if credentials are compromised through phishing or leaks, attackers will struggle without the second factor. Ensure no fallback to simple password logins. In addition, monitor for unusual authentication attempts; for instance, multiple failed VPN logins or MFA push prompts could indicate an attacker trying compromised credentials. Robust authentication can thwart the common DragonForce tactic of using credential dumps to penetrate networks.
  • Promptly Patch Known Vulnerabilities: Many DragonForce intrusions have leveraged known exploits, so timely patching is critical. Prioritise fixes for the specific vulnerabilities DragonForce has used historically, such as Log4j2 (CVE-2021-44228) and the series of Ivanti Pulse Secure VPN flaws (e.g. CVE-2023-46805, CVE-2024-21887, CVE-2024-21893). Also patch the Windows SmartScreen security bypass (CVE-2024-21412) which the group added to its toolkit. Establish a rapid update process for critical internet-facing systems – DragonForce often scans for unpatched servers to exploit. Regular vulnerability assessments or bug bounty programs can help catch exposed weaknesses before attackers do.
  • Lock Down RDP and Remote Access: Audit your organisation’s remote access points. If RDP is not absolutely required over the internet, disable or tightly restrict it (use VPN or remote gateways instead). For any public-facing remote services, ensure strong password policies and enable account lockouts or CAPTCHAs to thwart brute-force and credential stuffing attempts. Replace default or weak VPN credentials and ensure VPN software is up-to-date. Monitor authentication logs for spikes in login attempts or logins from unusual locations, as these can signal DragonForce’s attempts to gain entry. By reducing the attack surface of RDP/VPN, you significantly raise the effort required for DragonForce affiliates to breach your network.
  • Network Segmentation & Lateral Movement Controls: Limit how freely an intruder can traverse your internal network. Use network segmentation to isolate critical servers (e.g. domain controllers, database servers, backup storage) on separate VLANs with strict firewall rules. Apply the principle of least privilege so that compromising a single user account does not yield domain-wide access. DragonForce often tries to access and destroy backups, so store backups off-network or use immutable storage that ransomware cannot encrypt. Implement internal firewall policies to restrict RDP, SMB, and other admin protocols between hosts – this can slow or detect the lateral movement typical of DragonForce attacks. Monitoring for anomalous internal port scanning or multiple machines contacting a single host can also catch an attack in progress.
  • Endpoint Detection & Response: Deploy advanced EDR/XDR solutions on endpoints and servers to detect DragonForce’s telltale behaviors. For example, EDR can alert on suspicious processes like mimikatz scraping memory, unexpected PowerShell scripts spawning network tools, or the creation of new services and accounts (common when ransomware actors escalate privileges). Modern EDR products have behavioral ransomware detection that can halt encryption in progress – ensure these features are enabled and updated with the latest threat indicators for DragonForce. Use features like Microsoft’s Credential Guard or equivalent to harden LSASS against dumping. Effective endpoint monitoring can catch the preparatory stages of an attack, giving responders a chance to contain it before file encryption begins.
  • Active Directory Protection: Since DragonForce heavily targets Active Directory (AD) for credential harvesting and privilege escalation, take steps to secure AD. Limit the number of domain administrators and use separate admin accounts/workstations for elevated tasks. Enable audit logging on domain controllers and routinely review logs for signs of DCsync attacks, Golden Ticket attempts, or abnormal account creations. Tools like PingCastle (which DragonForce uses) can be run by your own team to find AD weaknesses before the attackers do. Regularly update passwords for service accounts and ensure legacy protocols (like NTLMv1 or unsigned LDAP binds) are disabled to prevent abuse. By hardening AD, you can significantly impede DragonForce’s ability to fully compromise your environment even if they get an initial foothold.
  • Incident Response Preparedness: Given the potential impact of a DragonForce incident, organisations should have an up-to-date incident response plan specifically for ransomware. This includes offline backups, defined roles for decision-makers, and clear communication channels. Tabletop exercises simulating a DragonForce-style attack (with systems going down and data held hostage) can help teams practice their response and identify gaps. Engage with authorities like the NCSC or law enforcement early if an attack is suspected – in the UK retail cases, government cyber responders were involved to help mitigate the damage. Having contacts at the ready can speed up support during an actual crisis. Ultimately, a combination of preventive controls and prepared response will give organisations the best chance to thwart or recover from a DragonForce attack.
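The authentication monitoring recommended in the MFA and RDP items above, and the unusual-RDP-login indicator listed under Network Artifacts, can be implemented as a small detector over parsed logon events. This is an added example, not from the original profile: it flags a burst of failed remote logons from one source, a success that follows such a burst, and a logon from a user/source pair missing from a baseline. The event field names, thresholds, baseline and sample records are assumptions constructed for illustration; the event IDs and logon types are the standard Windows Security log values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624  # Windows Security event IDs
# 10 = RemoteInteractive (RDP); 3 = Network, which is how RDP with NLA records
# failures (it also covers SMB and similar, so expect some noise).
REMOTE_LOGON_TYPES = {3, 10}


def detect(events, baseline, threshold=5, window=timedelta(minutes=10)):
    """Return (rule, source_ip, user, time) findings for remote logon events.

    baseline: set of (lowercase user, source_ip) pairs seen in normal operation.
    """
    findings = []
    state = defaultdict(lambda: {"fails": deque(), "burst_at": None})
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        ts = datetime.fromisoformat(ev["time"])
        ip, user = ev["ip"], ev["user"].lower()
        s = state[ip]
        # Expire failures that fell out of the sliding window.
        while s["fails"] and ts - s["fails"][0] > window:
            s["fails"].popleft()
        if s["burst_at"] and len(s["fails"]) < threshold and ts - s["burst_at"] > window:
            s["burst_at"] = None  # the earlier burst is over

        if ev["event_id"] == FAILED_LOGON:
            s["fails"].append(ts)
            if len(s["fails"]) >= threshold:
                if s["burst_at"] is None:  # alert once per burst
                    findings.append(("failed_logon_burst", ip, user, ev["time"]))
                s["burst_at"] = ts
        elif ev["event_id"] == SUCCESSFUL_LOGON:
            if s["burst_at"] is not None:
                # Guessing or stuffing from this source has just worked.
                findings.append(("success_after_burst", ip, user, ev["time"]))
            if (user, ip) not in baseline:
                findings.append(("logon_from_unseen_source", ip, user, ev["time"]))
    return findings


def _ev(time, event_id, logon_type, ip, user):
    return {"time": time, "event_id": event_id, "logon_type": logon_type,
            "ip": ip, "user": user}


# Constructed sample records (documentation IP ranges, hypothetical accounts).
BASELINE = {("jsmith", "10.0.5.20"), ("akhan", "198.51.100.7")}
SAMPLE_EVENTS = [
    # Six failures in one minute from a single external source.
    *[_ev(f"2025-04-22T02:00:{i * 10:02d}", 4625, 3, "203.0.113.50", u)
      for i, u in enumerate(["administrator", "admin", "svc_backup",
                             "jsmith", "jsmith", "jsmith"])],
    _ev("2025-04-22T02:03:00", 4624, 10, "203.0.113.50", "jsmith"),
    # Ordinary activity that must not alert.
    _ev("2025-04-22T07:58:00", 4625, 3, "198.51.100.7", "akhan"),
    _ev("2025-04-22T07:59:00", 4625, 3, "198.51.100.7", "akhan"),
    _ev("2025-04-22T08:00:00", 4624, 10, "198.51.100.7", "akhan"),
    _ev("2025-04-22T09:00:00", 4624, 10, "10.0.5.20", "JSmith"),
    _ev("2025-04-22T09:10:00", 4624, 2, "127.0.0.1", "localadmin"),  # console logon
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, BASELINE):
        print(finding)
```

A "success_after_burst" finding on an account without MFA warrants immediate credential reset and session review, since it is the point at which guessing turns into access.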

Attribution and Alliances

Attributing DragonForce’s membership and backing is complex due to its dual nature and affiliate structure. The group’s core appears to be rooted in Malaysia – its initial incarnation as DragonForce Malaysia was openly based there, and many early members are believed to be Malaysian or from neighbouring Southeast Asian countries. The pro-Palestinian hacktivist ideology and collaboration with other Malaysian/Indonesian hacker crews (such as the T3 Dimension Team and RileksCrews during OpsBedil) further point to an Asia-Pacific origin. However, as DragonForce morphed into a RaaS operation, it began recruiting affiliates globally, blurring the geographical attribution. The gang’s forum posts and leak site announcements are often in English, but some interactions on underground platforms suggest Russian-language proficiency as well. In fact, DragonForce advertised its RaaS on the Russian hacker forum RAMP (Russian Anonymous Marketplace) in 2024. This indicates at least a willingness to work with Russian-speaking cybercriminals or to attract a wider pool of affiliates.

Despite adopting the common ransomware practice of forbidding attacks in Russia/CIS, there is no clear evidence that DragonForce is state-sponsored by Russia or based there. Rival groups have attempted to fan suspicions – for example, a member of the RansomHub gang accused DragonForce of collaborating with Russia’s FSB intelligence service. Yet security researchers note this claim is unverified and could be a smear tactic amid competition between ransomware outfits. Sophos analysts conclude it’s not possible to definitively pin DragonForce’s location; the gang could even be using the no-Russia rule as misdirection. In short, DragonForce’s true leadership likely remains outside Russia, but they are content to adopt Russian cybercrime community norms to broaden their operations and avoid trouble.

In terms of alliances, DragonForce’s evolution into a “cartel” means it has effectively formed alliances with numerous independent threat actors. Its affiliate program, launched in mid-2024, has attracted criminals ranging from novice hackers to possibly members of other dissolved ransomware crews. Each affiliate partnership is a business arrangement: affiliates conduct the breaches and ransomware deployment, while DragonForce provides the malware, infrastructure, and negotiation/leak services, taking roughly a 20% share of proceeds. This profit-sharing model (80% to the affiliate) is relatively generous and is designed to entice a large network of collaborators. Indeed, as other RaaS operations fell apart in late 2024 and early 2025 (due to arrests or internal disputes), DragonForce positioned itself as an attractive new home for “orphaned” ransomware actors. By branding itself as a ransomware cartel, DragonForce signals an openness to cooperate with or absorb smaller gangs under its umbrella rather than directly competing. There are indications that some affiliates of notorious groups have used DragonForce’s platform to relaunch attacks under new names – effectively an alliance of convenience facilitated by the white-label service.

On the flip side, DragonForce’s rise has also put it at odds with other players. The public accusation by RansomHub (another ransomware crew) shows inter-gang rivalry. Additionally, by marketing itself so openly, DragonForce may draw the ire of established Russian ransomware syndicates who prefer a lower profile. Nonetheless, so far DragonForce has navigated these waters by expanding its network and avoiding direct confrontation with Russian interests. There are no known formal alliances between DragonForce and nation-state hackers; their activities appear financially driven and self-directed, aside from the residual hacktivist leanings in target selection.

Law enforcement attention is certainly zeroing in on DragonForce. The FBI listed DragonForce among the most prolific ransomware sources in 2024, and international investigations are likely underway as the group’s victim count grows. No arrests or doxxing of key members have been made public at this time, which suggests the operators are maintaining good operational security or residing in jurisdictions where they feel relatively safe. The group’s own statements indicate they are wary of spies or provocateurs in their affiliate ranks – the leadership recently restricted new affiliate sign-ups after suspecting someone violated their rules to make them look bad. Internal trust issues aside, DragonForce continues to thrive via its loose alliances with affiliates, straddling the line between an ideology-fuelled collective and an organised cybercrime enterprise.

Conclusion

DragonForce represents a new breed of hybrid threat actor – one that started with hacktivist ideals but has since embraced the lucrative business of ransomware. Over a short period, it has transformed from defacing websites for a cause into ransoming multinational companies for profit, all while maintaining a veneer of its original “ethical” stance (selectively avoiding hospitals and certain regions). The group’s recent blitz against UK retail giants demonstrates both its ambition and its growing capabilities. With a slick RaaS platform, a stable of affiliates, and a willingness to innovate (from exploiting fresh vulnerabilities to instituting a white-label model), DragonForce has quickly become a significant menace on the global cyber threat landscape.

Defending against DragonForce is challenging but not impossible. Their tactics often exploit known weaknesses – unpatched systems, poor credential security, and inadequate network segmentation – which organisations can address with due diligence. Moreover, the very strategies that make DragonForce effective (like lowering technical barriers for affiliates) can also be its weakness: less skilled affiliates may be more prone to mistakes that defenders can catch, and the group’s high profile could make it a prime target for law enforcement crackdowns. In the meantime, however, DragonForce’s blend of political fervor and profit motive is likely to continue blurring the lines between hacktivism and cybercrime. Businesses, especially in the sectors the group favors, should stay vigilant and proactively strengthen their security posture. The rise of DragonForce serves as a stark reminder that today’s hacktivist can become tomorrow’s ransomware kingpin – and that even ideologically tinged attackers are ultimately not beyond chasing a payday.
