DragonForce Ransomware Cartel Hits Four New Victims in U.S. and UAE
Date: November 21, 2025
A major escalation in DragonForce’s ransomware operations has been reported: the group claims four new victims within the past 48 hours, with targets spread across the United States and the United Arab Emirates. Analysts suggest the incidents reflect DragonForce’s growing reach and its evolving “cartel” model, which empowers affiliates to operate under the DragonForce banner while using customized payloads.
Who the Victims Are
The newly listed victims include a high-profile telecommunications operator in the UAE, as well as several U.S.-based companies in technology, professional services and infrastructure. One confirmed victim is a telecommunications giant in the UAE, whose systems DragonForce claims it has encrypted. The other U.S. firms have yet to publicly disclose the full scope of damage, but DragonForce’s leak-site announcement indicates successful encryption and data exfiltration.
These attacks underscore DragonForce’s increasing sophistication: instead of deploying a single generic encryptor, the group is now using a distributed affiliate model, providing partner operators with customized encryptors and infrastructure. This shift allows DragonForce to scale more rapidly, target a broader set of industries, and compartmentalize risk across different affiliates.
Attack Methods & Tactics
Security researchers who have tracked DragonForce note several emerging TTPs (tactics, techniques, procedures) tied to the recent wave:
- Supply-chain and affiliate diversification: Affiliates appear to be leveraging vendor and third-party connections to break into corporate networks. DragonForce’s “cartel” model provides flexible tooling and infrastructure to these affiliates, enabling asymmetric deployment strategies.
- Custom payloads: Rather than a one-size-fits-all ransomware binary, affiliates receive tailored payloads with different evasion, persistence, and encryption options—making detection and signature-based defense harder.
- Double-extortion leverage: After encrypting victim systems, DragonForce-affiliated actors are threatening to publish stolen data, combining traditional ransomware with data-leak extortion to pressure victims into paying.
- Vulnerable drivers to speed up encryption: Some affiliates reportedly use bring-your-own-vulnerable-driver (BYOVD) techniques to bypass security agents and terminate defensive processes, accelerating encryption.
- Decentralized infrastructure: Command-and-control (C2) and data-exfiltration servers appear to be distributed across multiple regions, helping affiliates evade takedown efforts and maintain redundancy.
Impact & Consequences
The impact of these attacks could be significant. For the UAE telecom operator, disruption could affect millions of customers and critical infrastructure services, potentially leading to service outages and reputational damage. For U.S.-based businesses, encryption of sensitive systems and the threat of data leaks raise serious operational and compliance risks.
If DragonForce follows through on its double-extortion tactic, the publication of stolen data could lead to serious financial and regulatory fallout for the affected companies. Clients and partners of the victims may also be exposed indirectly, depending on the nature and sensitivity of the exfiltrated data.
Industry & Analyst Response
Cybersecurity experts are closely watching these developments. Many view the “cartel” rebranding of DragonForce as a turning point: rather than a centralized RaaS operator, DragonForce is now positioning itself as a platform for other threat actors to plug into, providing infrastructure, encryption tools and operational tradecraft.
Industry practitioners warn that this model could result in greater volume and velocity of ransomware attacks, because lower-skill affiliates can leverage DragonForce’s infrastructure without building everything from scratch. The distributed model also makes it more difficult for defenders to predict where the next compromise will come from.
Mitigation & Recommended Defenses
In light of these attacks, organizations—especially in high-risk sectors—are urged to adopt or reinforce the following measures:
- Segment critical systems and enforce least-privilege access for third-party and vendor accounts.
- Deploy advanced threat-hunting and endpoint detection, with a focus on unusual cryptographic drivers and behavior indicative of BYOVD techniques.
- Maintain immutable and off-site backups, and validate that backups are clean and recoverable.
- Test incident-response plans for ransomware recovery, including negotiation, remediation and communication to stakeholders.
- Share indicators of compromise (IoCs) with sector peers, CERTs and threat-intelligence communities to coordinate detection and disruption of affiliate infrastructure.
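The second recommendation above (hunt for unusual drivers and BYOVD behaviour) is the one most teams can start on with logs they already collect. The following is an added example, not code from the article or from any DragonForce research: a small triage script that reads Sysmon-style driver-load events (Event ID 6) and flags three BYOVD signals: a driver hash on a blocklist of known-abused drivers, a driver whose signature is not valid, and a driver loaded from outside the standard driver directories. The log lines, hostnames, file paths and hashes are constructed for the demo; the blocklist holds placeholder hashes only and must be replaced with a vetted list in real use.

```python
"""Added example (not from the article): BYOVD triage over Sysmon-style
driver-load events. All sample data below is constructed."""
import re
from dataclasses import dataclass

# Constructed placeholder hashes; NOT real indicators. In production, load a
# curated list of known-abused signed drivers from a vetted source instead.
VULNERABLE_DRIVER_SHA256 = {
    "0" * 64: "placeholder-vulnerable-driver-A",
    "1" * 64: "placeholder-vulnerable-driver-B",
}

# Directories from which legitimate kernel drivers are normally loaded.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# key=value pairs; values may be quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    host: str
    driver: str
    reason: str


def parse_event(line):
    """Parse one 'key=value' driver-load line into a dict (plus 'sha256')."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    sha = ""
    # Sysmon stores hashes as e.g. 'SHA256=...,MD5=...'; keep the SHA-256.
    for part in fields.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            sha = part.split("=", 1)[1].lower()
    fields["sha256"] = sha
    return fields


def evaluate(event):
    """Apply the three BYOVD heuristics to a parsed event (Event ID 6 only)."""
    findings = []
    if event.get("EventID") != "6":
        return findings
    host = event.get("Computer", "?")
    image = event.get("ImageLoaded", "")
    # Abused drivers are usually legitimately signed, so a valid signature is
    # NOT a clean bill of health; the hash blocklist is the stronger signal.
    if event["sha256"] in VULNERABLE_DRIVER_SHA256:
        name = VULNERABLE_DRIVER_SHA256[event["sha256"]]
        findings.append(Finding(host, image, f"hash on vulnerable-driver blocklist: {name}"))
    if event.get("SignatureStatus", "").lower() != "valid":
        findings.append(Finding(host, image, "driver signature not valid"))
    if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
        findings.append(Finding(host, image, "driver loaded from non-standard path"))
    return findings


def scan(lines):
    """Run the heuristics over a list of raw log lines and collect findings."""
    findings = []
    for line in lines:
        findings.extend(evaluate(parse_event(line)))
    return findings


# Constructed sample events (hostnames, paths and hashes are made up).
SAMPLE_EVENTS = [
    # Benign: standard driver, valid signature, standard directory.
    "EventID=6 Computer=WS-01 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys "
    "Hashes=SHA256=" + "a" * 64 + " Signed=true SignatureStatus=Valid",
    # BYOVD pattern: signed (valid) but blocklisted driver dropped in a user-writable path.
    "EventID=6 Computer=WS-02 ImageLoaded=C:\\Users\\Public\\x.sys "
    "Hashes=SHA256=" + "0" * 64 + ",MD5=" + "0" * 32 + " Signed=true SignatureStatus=Valid",
    # Not a driver load (Event ID 7 = image load); ignored.
    "EventID=7 Computer=WS-02 ImageLoaded=C:\\Users\\Public\\x.dll "
    "Hashes=SHA256=" + "c" * 64 + " Signed=false SignatureStatus=Unavailable",
    # Standard directory but signature cannot be validated.
    "EventID=6 Computer=SRV-01 ImageLoaded=C:\\Windows\\System32\\drivers\\odd.sys "
    "Hashes=SHA256=" + "b" * 64 + " Signed=false SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.driver}: {f.reason}")
```

A driver-load alert on its own is noisy; the useful follow-up is to correlate it on the same host with the next few minutes of process-termination events against EDR or backup agents, which is the sequence the article attributes to the affiliates.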
What’s Next & Outlook
As DragonForce continues to scale and evolve, defenders must adjust accordingly. The cartel-style structure suggests that affiliates will proliferate and new payload variants will emerge. Security teams should assume that DragonForce-affiliated actors may target a broader range of industries, especially those with high-value data.
On the offensive side, law-enforcement agencies and intelligence services may find it more challenging to disrupt DragonForce as it decentralizes control across affiliates. The group’s ability to adapt, recruit and distribute tooling means that takedown efforts will need to be coordinated globally and across jurisdictions.
Conclusion
The announcement of four new DragonForce ransomware victims in the U.S. and UAE marks another escalation in the threat posed by this evolving cartel. The affiliate-friendly model, diverse payloads and double-extortion tactics make DragonForce a formidable and flexible adversary. Security teams must respond aggressively, focusing on prevention, detection and recovery to mitigate the long-term risk posed by this rapidly scaling ransomware operation.