First observed in 2023, DragonForce is an active ransomware group that initially operated under a traditional Ransomware-as-a-Service (RaaS) model. Affiliates were provided access to customizable ransomware based on a leaked LockBit 3.0 builder and modified ContiV3 code, in exchange for approximately 80% of ransom payments collected. Recently, DragonForce announced a significant shift in their operations, moving toward a "ransomware cartel" model that offers affiliates the ability to launch fully branded attacks while leveraging shared infrastructure for backend operations, leak site hosting, and negotiation management. This shift reflects an evolution from traditional RaaS operations, where affiliates typically relied on standardized tooling and branding, to a more flexible model that supports greater autonomy across affiliate operations.

This change is notable because it signals a broader trend toward specialization and operational independence within the ransomware ecosystem. Under the cartel structure, affiliates can potentially supply their own malware, customize branding, and focus on specific areas such as initial access, negotiations, or data exfiltration, rather than relying on a single unified platform. By lowering technical barriers for less experienced actors and offering infrastructure support to more advanced affiliates, the model broadens DragonForce’s appeal and introduces new complexities.

MOXFIVE has observed a steady increase in DragonForce ransomware activity throughout 2025. The group has been linked to several high-profile attacks and has actively recruited affiliates, particularly during periods when competing leak sites, such as RansomHub, experienced service disruptions. As part of its recent transition, DragonForce temporarily took its dedicated leak site offline for updates, signaling continued investment in platform scalability. Affiliates employ a double extortion model, combining file encryption with the exfiltration of sensitive data to pressure victims into ransom payment.

Figure 1: DragonForce data leak site taken down for updates.

Key Highlights

Industry Insights: As of this report date, DragonForce has impacted organizations across multiple industries throughout 2025. The top affected sectors include Manufacturing & Production, Construction & Engineering, Technology, Healthcare, and Food & Beverage, with Manufacturing & Production representing the largest share of observed incidents.

In the United States, DragonForce activity has been heavily concentrated against Manufacturing & Production and Technology organizations.

Global Insights: DragonForce ransomware activity has predominantly impacted organizations within the United States, with additional incidents observed across Europe and the Asia-Pacific region.

Initial Access Trends: DragonForce affiliates have employed multiple vectors to gain initial access to victim environments.
Observed methods include:

• Phishing Emails: Utilizing malicious attachments or links to deploy initial payloads.
• Exploitation of Public-Facing Applications: Targeting vulnerabilities in Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services.

• Compromised Credentials: Leveraging valid domain credentials to access public-facing web servers.

Affiliates deploying DragonForce ransomware have recently exploited vulnerable or improperly secured VPN services, particularly in cases where Multifactor Authentication (MFA) was not enforced.

Encryption and Exfiltration: DragonForce affiliates employ a double extortion model, combining data encryption with the exfiltration of sensitive information to pressure victims into payment. Affiliates use customized ransomware variants based on the LockBit 3.0 builder and a modified Conti fork, allowing them to tailor encryption parameters during attacks. Encrypted files are appended with the extension .dragonforce, and a ransom note is dropped directing victims to a payment site hosted on the Tor network.Prior to encryption, affiliates exfiltrate data such as internal documents, credentials, and customer records. Victims who do not meet ransom demands risk having their stolen data published on DragonForce’s dedicated leak site (DLS).

Tooling and Execution: DragonForce affiliates have leveraged a variety of publicly available tools to support different stages of attack execution, including:

• Reconnaissance: Affiliates have used network and domain scanning utilities such as Advanced IP Scanner, PingCastle, SoftPerfect NetScan, Advanced Port Scanner, and RVTools to map infrastructure and identify Active Directory assets.
  
• Credential Access: Mimikatz has been employed to extract plaintext credentials and cached hashes from compromised systems.
• Remote Access and Lateral Movement: Remote administration tools including Atera, RustDesk, VNCViewer, and PuTTY have been deployed to maintain persistent access and move laterally within victim environments.
• Data Exfiltration: FileZilla and RClone have been utilized to transfer stolen data to attacker-controlled infrastructure prior to encryption.

Tool usage varies across incidents, reflecting the flexibility affiliates have in selecting techniques based on the environment compromised.

If you would like to know more or need assistance with incident response efforts, please contact us at 833-568-6695 or email our team at incident@moxfive.com.