Every month, we take a look at a current ransomware threat actor.
First observed in 2023, DragonForce is an active ransomware group that initially operated under a traditional Ransomware-as-a-Service (RaaS) model. Affiliates were provided access to customizable ransomware based on a leaked LockBit 3.0 builder and modified ContiV3 code, in exchange for approximately 80% of ransom payments collected. Recently, DragonForce announced a significant shift in their operations, moving toward a "ransomware cartel" model that offers affiliates the ability to launch fully branded attacks while leveraging shared infrastructure for backend operations, leak site hosting, and negotiation management. This shift reflects an evolution from traditional RaaS operations, where affiliates typically relied on standardized tooling and branding, to a more flexible model that supports greater autonomy across affiliate operations.
This change is notable because it signals a broader trend toward specialization and operational independence within the ransomware ecosystem. Under the cartel structure, affiliates can potentially supply their own malware, customize branding, and focus on specific areas such as initial access, negotiations, or data exfiltration, rather than relying on a single unified platform. By lowering technical barriers for less experienced actors and offering infrastructure support to more advanced affiliates, the model broadens DragonForce’s appeal and introduces new complexities.
MOXFIVE has observed a steady increase in DragonForce ransomware activity throughout 2025. The group has been linked to several high-profile attacks and has actively recruited affiliates, particularly during periods when competing leak sites, such as RansomHub, experienced service disruptions. As part of its recent transition, DragonForce temporarily took its dedicated leak site offline for updates, signaling continued investment in platform scalability. Affiliates employ a double extortion model, combining file encryption with the exfiltration of sensitive data to pressure victims into ransom payment.
Figure 1: DragonForce data leak site taken down for updates.
Key Highlights
Industry Insights: As of this report date, DragonForce has impacted organizations across multiple industries throughout 2025. The top affected sectors include Manufacturing & Production, Construction & Engineering, Technology, Healthcare, and Food & Beverage, with Manufacturing & Production representing the largest share of observed incidents.
In the United States, DragonForce activity has been heavily concentrated against Manufacturing & Production and Technology organizations.
Global Insights: DragonForce ransomware activity has predominantly impacted organizations within the United States, with additional incidents observed across Europe and the Asia-Pacific region.
Initial Access Trends: DragonForce affiliates have employed multiple vectors to gain initial access to victim environments.
Observed methods include:
Affiliates deploying DragonForce ransomware have recently exploited vulnerable or improperly secured VPN services, particularly in cases where Multifactor Authentication (MFA) was not enforced.
Encryption and Exfiltration: DragonForce affiliates employ a double extortion model, combining data encryption with the exfiltration of sensitive information to pressure victims into payment. Affiliates use customized ransomware variants based on the LockBit 3.0 builder and a modified Conti fork, allowing them to tailor encryption parameters during attacks. Encrypted files are appended with the extension .dragonforce, and a ransom note is dropped directing victims to a payment site hosted on the Tor network. Prior to encryption, affiliates exfiltrate data such as internal documents, credentials, and customer records. Victims who do not meet ransom demands risk having their stolen data published on DragonForce’s dedicated leak site (DLS).
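As an added detection example (not MOXFIVE's code or tooling), the Python below flags a host when several files are renamed by appending the .dragonforce extension within a short window. The pipe-delimited event format, the 60-second window and the threshold of five are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

EXTENSION = ".dragonforce"       # extension named in the report
WINDOW = timedelta(seconds=60)   # assumed tuning value
THRESHOLD = 5                    # assumed tuning value

# Constructed sample events, time-ordered: timestamp|host|old path|new path
SAMPLE_EVENTS = r"""
2025-01-10T02:14:01|FS01|D:\share\q1.xlsx|D:\share\q1.xlsx.dragonforce
2025-01-10T02:14:02|FS01|D:\share\q2.xlsx|D:\share\q2.xlsx.dragonforce
2025-01-10T02:14:02|WS07|C:\tmp\notes.txt|C:\tmp\notes.dragonforce
2025-01-10T02:14:03|FS01|D:\share\hr.docx|D:\share\hr.docx.DRAGONFORCE
2025-01-10T02:14:04|FS01|D:\share\db.bak|D:\share\db.bak.dragonforce
2025-01-10T02:14:06|FS01|D:\share\cad.dwg|D:\share\cad.dwg.dragonforce
2025-01-10T02:20:00|WS07|C:\tmp\a.txt|C:\tmp\a.txt.dragonforce
"""

def parse_event(line):
    ts, host, old, new = line.split("|")
    return datetime.fromisoformat(ts), host, old, new

def is_appended_rename(old, new, ext=EXTENSION):
    """True when the new name is the old name with ext appended (case-insensitive)."""
    return new.lower() == old.lower() + ext

def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each alerting host to the time its rename count first hit the threshold."""
    recent = defaultdict(deque)   # host -> timestamps of matching renames in window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, host, old, new = parse_event(line.strip())
        if not is_appended_rename(old, new):
            continue              # e.g. an extension swap, not an append
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop renames older than the window
        if len(q) >= threshold:
            alerts.setdefault(host, ts)
    return alerts

if __name__ == "__main__":
    for host, when in detect_bursts(SAMPLE_EVENTS.splitlines()).items():
        print(f"ALERT {host}: {THRESHOLD}+ files renamed to *{EXTENSION} by {when}")
```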
Tooling and Execution: DragonForce affiliates have leveraged a variety of publicly available tools to support different stages of attack execution, including:
Tool usage varies across incidents, reflecting the flexibility affiliates have in selecting techniques based on the environment compromised.