DragonForce is a ransomware group that emerged in late 2023 and has grown right into a severe risk to companies by combining information theft with file encryption.
The group makes use of twin extortion: it steals delicate information, encrypts methods, after which threatens to publish the stolen info on darkish internet leak websites if victims don’t pay.
DragonForce has focused a number of sectors, with a notable deal with manufacturing and building, and it has impacted high-profile organizations.
The group has additionally proven it could adapt rapidly by refining its tooling and shifting from devoted sufferer websites to a centralized area for internet hosting leaked information.
Cybereason notes this fast evolution helps hold DragonForce a persistent, rising threat worldwide.
RaaS platform and options
DragonForce operates as a ransomware-as-a-service (RaaS) platform that helps associates run assaults throughout Home windows, Linux, ESXi, BSD, and NAS methods.
The platform helps a number of encryption approaches (full, header, and partial encryption) and promotes automation for encryption, server administration, and assault execution.
Reported options embody delayed-start choices, multithreading for velocity, detailed logging, and a “dry-run” mode that checks an assault movement with out really encrypting information.
For ESXi environments, Cybereason highlights command-line and configuration choices that management concentrating on and conduct, together with file-system search modes, delay timers, thread counts, logging settings, and permits for paths, extensions, filenames, and digital machines.
These controls may help associates tailor impression (for instance, prioritizing VM infrastructure) whereas decreasing noisy failures that decelerate ransomware deployment.
DragonForce has introduced a strategic shift: associates can create their very own manufacturers underneath a “DragonForce ransomware cartel” umbrella and run their very own initiatives whereas nonetheless utilizing shared infrastructure and expertise.
The group additionally launched an automatic registration service for brand new associates, decreasing prior friction like approval steps, deposits, and vetting.
DragonForce has teased an upcoming product referred to as “DragonForce – Atom,” however didn’t publish technical particulars within the cited evaluation.
The identical reporting describes ecosystem “professionalization,” together with a “Firm Knowledge Audit” service meant to strengthen extortion by analyzing stolen information and producing negotiation supplies like threat studies, name scripts, and executive-facing letters.
DragonForce has additionally engaged in public disputes with different ransomware operations, together with claims and counterclaims involving RansomHub and the defacement of a competitor’s leak web site.
Cybereason additional notes claims of a relationship between DragonForce Malaysia and the ransomware group stay unsubstantiated, and DragonForce Malaysia publicly denied affiliation in October 2025.
What defenders ought to do
Cybereason noticed behaviors aligned with real-world ransomware playbooks, together with scanning SMB ports for reconnaissance and deleting Quantity Shadow Copies utilizing WMIC (for instance, wmic.exe shadowcopy the place “ID='{id}’” delete).
The evaluation states the Cybereason platform detected the DragonForce payload and blocked shadow-copy deletion and file encryption exercise.
Sensible steps advisable embody trying to find DragonForce affiliate pre-ransomware conduct, imposing MFA, sustaining sturdy patch administration, and making certain dependable backups and examined restore processes.
If suspicious exercise is discovered, the steerage advises rapidly involving Incident Response to research, comprise, and take away the risk actor.
For Cybereason Protection Platform customers, the report recommends enabling Anti-Malware, Anti-Ransomware (PRP) with shadow copy safety, Utility Management, and Variant Payload Prevention in stop mode.
Observe us on Google Information, LinkedIn, and X to Get Instantaneous Updates and Set GBH as a Most popular Supply in Google.
