DragonForce Ransomware: Emerging Tactics and Recent Surge in Global Attacks

By Ashish S

In the ever-evolving world of cyber threats, ransomware groups continue to adapt and innovate, posing significant risks to organizations across various sectors. One such group that has gained notoriety in recent years is DragonForce, a Ransomware-as-a-Service operation that has been active since 2023. Known for its sophisticated tactics and aggressive extortion strategies, DragonForce has targeted a wide array of victims, from financial institutions to manufacturing companies. This article delves into the group's background, operational methods, recent activities, and the broader implications for cybersecurity.

Background and Evolution of DragonForce

DragonForce first emerged in August 2023, initially using a variant of the leaked LockBit 3.0 builder to carry out attacks. The group quickly distinguished itself by focusing on critical sectors, including retail, manufacturing, and financial services. By 2024, DragonForce had launched an affiliate program, offering participants up to 80 percent of ransom proceeds along with tools for managing attacks, automation, and customization. This model encouraged rapid expansion, allowing affiliates to conduct intrusions while the core operators provided the necessary infrastructure and ransomware payloads.

In July 2024, DragonForce released its own ransomware variant based on the Conti V3 codebase, marking a shift from borrowed tools to proprietary development. By March 2025, the group adopted a "cartel" model, where affiliates could build their own brands while leveraging DragonForce's resources. This evolution culminated in August 2025 with the introduction of a "data analysis service" aimed at organizations with annual revenues exceeding 15 million US dollars. For a fee ranging from 0 to 23 percent of the ransom, affiliates received tailored extortion materials, including call scripts and detailed reports on stolen data.

The group's origins remain somewhat murky, with potential links to a Malaysian hacktivist collective from 2021. However, DragonForce Malaysia has publicly denied any involvement in the ransomware operations. Despite these uncertainties, DragonForce has shown remarkable adaptability, incorporating elements from other notorious groups like Conti and collaborating with initial access brokers such as Scattered Spider.

Tactics, Techniques, and Procedures

DragonForce employs a multi-platform approach, targeting Windows systems, Linux servers, VMware ESXi virtualized infrastructure, and network-attached storage devices. The ransomware uses symmetric cryptography for file encryption and asymmetric cryptography for key management. Before encryption begins, the malware terminates processes and services that could interfere with the operation, ensuring maximum disruption.

Files are renamed with campaign-specific extensions, such as .dragonforce_encrypted or .locked, and ransom notes are dropped in affected directories, typically named README.txt. These notes direct victims to a Tor-based portal for negotiations. DragonForce's double-extortion strategy is central to its operations: not only do they encrypt files to lock systems, but they also exfiltrate sensitive data beforehand, threatening to leak it on dedicated dark web sites if demands are not met.

Initial access is achieved through a variety of methods, including phishing and social engineering to obtain credentials, exploitation of exposed services like Remote Desktop Protocol, and abuse of vulnerabilities in remote monitoring and management software. Notable vulnerabilities exploited include those in SimpleHelp RMM (CVE-2024-57726, CVE-2024-57727, CVE-2024-57728), Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887, CVE-2024-21893), and the infamous Log4Shell (CVE-2021-44228).

Once inside a network, attackers escalate privileges using tools like Mimikatz and LaZagne for credential dumping, and token impersonation for higher access. Lateral movement is facilitated by protocols such as RDP, SMB, PsExec, and WMI. Discovery phases involve utilities like AdFind and PassView to map the environment and identify valuable data. Exfiltration occurs via services like MEGA.nz, FTP/SFTP, or HTTP servers, often supported by command-and-control tools like Cobalt Strike and SystemBC.

To evade detection, DragonForce uses Bring Your Own Vulnerable Driver techniques, loading drivers like truesight.sys or rentdrv2.sys to disable security software. The group also deletes shadow copies, changes wallpapers to display ransom messages, and inhibits system recovery to pressure victims into paying.

  • Flexibility in Payloads: Multivariant payloads allow quick adaptation to different environments, evading signature-based defenses.
  • Affiliate Variations: While core tactics remain consistent, affiliates introduce variations, making attribution challenging.
  • Target Selection: Focus on high-revenue organizations ensures larger potential payouts.
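As an added example (not code from the original article or from any vendor), the following Python triages constructed Sysmon-style host events for the behaviours described above: loads of the named vulnerable drivers, shadow-copy deletion, the README.txt ransom note and the campaign file extensions. The event field names and the vssadmin command form are assumptions; the sample events are constructed.

```python
"""Triage constructed host telemetry for DragonForce-style indicators.
Added example: event schema is an assumed Sysmon-like shape."""
import re

# Indicator values named in the article
VULNERABLE_DRIVERS = {"truesight.sys", "rentdrv2.sys"}   # BYOVD drivers
RANSOM_EXTENSIONS = {".dragonforce_encrypted", ".locked"}
RANSOM_NOTE = "readme.txt"                               # compared case-insensitively
# Shadow-copy deletion: the common vssadmin form (assumed, not from the article)
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(event):
    """Return (indicator, detail) tuples matched by one event."""
    hits = []
    kind = event.get("type")
    if kind == "driver_load":
        name = _basename(event["image"])
        if name in VULNERABLE_DRIVERS:
            hits.append(("byovd_driver", name))
    elif kind == "process_create":
        if SHADOW_DELETE.search(event.get("cmdline", "")):
            hits.append(("shadow_copy_deletion", event["cmdline"]))
    elif kind == "file_create":
        path = event["path"].lower()
        if _basename(path) == RANSOM_NOTE:
            hits.append(("ransom_note", event["path"]))
        for ext in RANSOM_EXTENSIONS:
            if path.endswith(ext):
                hits.append(("ransom_extension", ext))
    return hits

def summarize(events):
    """Count indicator categories over a batch; several distinct
    categories on one host is a far stronger signal than any single hit."""
    counts = {}
    for event in events:
        for indicator, _ in triage(event):
            counts[indicator] = counts.get(indicator, 0) + 1
    return counts

# Constructed sample telemetry from one host (two benign events mixed in)
SAMPLE_EVENTS = [
    {"type": "driver_load", "image": r"C:\Windows\Temp\truesight.sys"},
    {"type": "process_create", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "file_create", "path": r"C:\Users\Public\README.txt"},
    {"type": "file_create", "path": r"D:\finance\q4.xlsx.dragonforce_encrypted"},
    {"type": "file_create", "path": r"D:\finance\q4.xlsx"},
    {"type": "driver_load", "image": r"C:\Windows\System32\drivers\ndis.sys"},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```

A driver-load match alone is not proof of compromise; the value of the summary is that four unrelated categories firing on one host is the pattern the article describes.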

Recent Activities and Surge in Attacks

As of January 2026, DragonForce has continued its aggressive campaign, adding multiple victims to its leak sites in the first few weeks of the year. The group's activity shows no signs of slowing down, with a particular emphasis on North American and European targets. In the last 30 days leading up to January 24, 2026, DragonForce has claimed over 20 new victims, demonstrating a surge in operations.

Key recent additions include Uinta Bank, a community bank based in Mountain View, Wyoming, USA, added on January 22, 2026. Established in 1919, Uinta Bank serves local communities with various financial services. The attack likely involved data exfiltration, threatening the exposure of sensitive customer information. Just days earlier, on January 16, 2026, JR Advertising Specialties Inc., a provider of promotional products, and NWIMS IT Group, an IT services company, were listed. These attacks highlight DragonForce's interest in small to medium-sized enterprises that may lack robust cybersecurity defenses.

On January 15, 2026, Soteck, a Canadian firm specializing in air treatment, automation, industrial refrigeration, and energy efficiency based in Victoriaville, Quebec, fell victim. Earlier in the month, on January 2, 2026, United Business Systems (UBS Office), a document management specialist, and SINBON Electronics Co., Ltd., a Taiwanese electronic components manufacturer partnering with giants like Apple and HP, were targeted. Barnes & Jones, an engineering firm with roots dating back before the 20th century, was added on January 1, 2026.

This pattern of attacks in January 2026 builds on a busy December 2025, where victims included NK Technologies (current sensing technology), Neurological Associates (a Washington-based neurology clinic), BMW Guatemala, and others. The diversity of targets - from banks and IT firms to automotive dealers and healthcare providers - underscores DragonForce's opportunistic approach.

Notable from late 2025 are high-profile UK retail attacks, including Marks & Spencer, which suffered a seven-week suspension of online orders and a reported 300 million British pounds in operating profit loss. Similar incidents affected Co-op and Harrods, leading to arrests by the UK National Crime Agency in July 2025. These events illustrate the group's capability to cause widespread disruption.

Impact on Victims and Industries

The consequences of DragonForce attacks extend beyond financial ransoms. Victims face operational downtime, data breaches, reputational damage, and potential legal repercussions from exposed sensitive information. For instance, the Yakult Australia attack in December 2023 involved the leakage of employee records and internal documents, eroding trust. In the financial sector, as in the recent Uinta Bank incident, customer data exposure could lead to identity theft and regulatory fines.

Industries most affected include manufacturing, retail, healthcare, and technology. Manufacturing firms like Soteck and SINBON experience supply chain interruptions, while retail giants face revenue losses from halted online services. Healthcare providers risk patient data leaks, compromising privacy and care delivery. The group's focus on critical infrastructure amplifies these impacts, potentially affecting national security in cases involving government-related entities.

Economically, ransomware attacks contribute to billions in global losses annually. DragonForce's double-extortion model increases pressure, as even if systems are restored from backups, the threat of data leaks persists. This has led to a rise in cyber insurance premiums and forced organizations to invest heavily in defenses.

Prevention and Mitigation Strategies

To counter DragonForce and similar threats, organizations must adopt a multi-layered security approach. Regular vulnerability scanning and patching are essential, particularly for known exploits like those in Ivanti and SimpleHelp software. Implementing multi-factor authentication, least-privilege access controls, and network segmentation can limit lateral movement.

Employee training on phishing recognition and secure practices is crucial, as social engineering remains a primary entry point. Advanced endpoint detection and response tools, powered by AI and machine learning, can identify anomalous behavior early. Regular backups - tested and stored offline - enable recovery without paying ransoms.

Monitoring for indicators of compromise, such as unusual logins or data exfiltration attempts, and conducting red-team exercises that simulate real attacks both strengthen defenses. Collaboration with threat intelligence services provides insights into emerging tactics, allowing proactive measures.

Conclusion

DragonForce represents a formidable player in the ransomware ecosystem, with its innovative business models and technical prowess driving a surge in attacks. As seen in the recent January 2026 victims, the group continues to exploit weaknesses across global industries, causing significant harm. By understanding their tactics and implementing robust defenses, organizations can mitigate risks and contribute to a more secure digital landscape. The fight against ransomware requires vigilance, investment, and cooperation to stay ahead of evolving threats.

Ashish S
Ashish is a Cybersecurity Student with over 2 years of experience in Cybersecurity Research, Bug Bounty hunting and programming.