DragonForce Ransomware Cartel: Multi-Sector Targeting with Dual-Platform Encryption
DragonForce is a ransomware-as-a-service group first observed in August 2023. In March 2025 it moved to a cartel model: an umbrella organization under which other ransomware brands operate on shared infrastructure (negotiation portals, leak sites and encryptor tooling), with affiliates keeping up to 80 percent of ransom proceeds. The group deliberately pursues high-profile organizations and supply-chain service providers to maximize leverage through victim visibility and downstream impact, a strategy that drew significant attention in the 2025 series of UK retail attacks, in which Scattered Spider acted as initial access broker. In August 2025 the group lowered the affiliate barrier further by introducing a fee-based service that supplies extortion scripts and management letters for targets with annual revenues above $15 million.
Affiliates gain initial access through unpatched internet-facing appliances and services, with documented exploitation of Ivanti Connect Secure and SimpleHelp RMM vulnerabilities and of Log4Shell, and through valid but compromised accounts. Once inside, Mimikatz and LaZagne harvest credentials from LSASS memory and the SAM registry hive, AdFind maps the domain, and the operators then escalate privileges and move laterally over RDP and with PsExec.
Defense evasion relies on bring-your-own-vulnerable-driver (BYOVD) techniques, using tools such as PCHunter and ProcessHacker, both of which ship signed kernel drivers able to terminate protected processes, to disable endpoint protection from kernel level, alongside registry modifications that disable Windows Defender. Data is staged and exfiltrated to MEGA.nz before encryption. The encryption phase opens with Volume Shadow Copy deletion and boot-recovery changes via bcdedit; separate encryptors are then deployed for Windows and for Linux/ESXi, the ESXi variant targeting virtual machine storage under /vmfs/volumes.
IOCs (18)
SHA256 file hashes (18)
- 0023baf38263857e32b8cdbeb25ac2e95ae25ccf082d193f187ef8fc192f930b
- 1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b
- 312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83
- 372e753992d2a95895f88d132af89d13e2dd3742403a25471b070106b6c5a183
- 3a6ea4790be64a6ef48782cafc951a75d4b16508ace61eeab10358fb687ce0fb
- 527f71e2ac55ee18f4376f213a242a20aa63f7ab501a23888b7d41ea8661802b
- 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409
- 61fa5321c70325a6986c965144198f3cf25b32dd321c9517120357ea2fa147a7
- 6d8d24b3db2d53ca3968d39cfa575cdca5d0fcb294c54abafb7f3ba82c71db4c
- 88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4
- d4de7d7990114c51056afeedb827d880549d5761aac6bdef0f14cb17c25103b3
- de26ea9b30858a588447c8f65f27d53e88da6dfbbe0a635dc723d1fd896ae628
- 188bc243cc42f8ffa4c1ed02aad5a76c9000e3d58104f45fe71af66536a274da
- 4194a2c45d940078a178de9288e3ef87d267c26964f1fd975afcee0c447beed3
- 4d0650b3fe7a87c894c5478d32d2d48bd70a0134f1787c4a1e68c28436841798
- 55befb5de5d9bc45978efd1a960ae21ed81e4be9c6521aaeebf8d5884444e3c9
- 572d88c419c6ae75aeb784ceab327d040cb589903d6285bbffa77338111af14b
- df903c620508011ca8eb2aaaf9712a526b31a12c800b856cd524ebb3fde854b2
Detections (10)
- Identification of Mimikatz Execution & Artifacts
- Process Connection to MEGA Domain
- PSExec Execution
- Cobalt Strike Service Installations Detection
- Windows Defender Tampering in Registry via reg.exe
- Boot Configuration Tampering Via Bcdedit.EXE
- Known Vulnerable Driver Load (BYOVD)
- Safe-Mode Reboot Staged for Encryption Evasion
- ESXi VM Enumeration and Shutdown via vim-cmd
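As an added example, and not code from the source report or from the vendor whose detections are listed, the following Python hunt runs the tradecraft described in the TTP paragraphs above (credential dumping, shadow-copy deletion, bcdedit and Defender tampering, PsExec, vim-cmd on ESXi, MEGA exfiltration) together with the SHA256 IOC list against constructed Sysmon-style log lines. The `Key: value | Key: value` log layout, the field names (EventID, Image, CommandLine, Hashes, DestinationHostname), every path and file name in the sample, and the regular expressions are this example's assumptions; the detection names echo the list above but the patterns do not reproduce any vendor's rule logic.

```python
"""Hunt endpoint telemetry for the DragonForce tradecraft described above.

Added example, not the source report's or any vendor's query logic. The
'Key: value | Key: value' layout and the Sysmon-style field names are
assumptions made so the script runs offline; map them to your own schema.
"""
import re

# Two of the 18 SHA256 IOCs listed on the page; load all 18 in practice.
IOC_A = "0023baf38263857e32b8cdbeb25ac2e95ae25ccf082d193f187ef8fc192f930b"
IOC_B = "df903c620508011ca8eb2aaaf9712a526b31a12c800b856cd524ebb3fde854b2"
DRAGONFORCE_SHA256 = {IOC_A, IOC_B}

# (detection name, field to inspect, case-insensitive pattern). Names echo the
# detection list above; the patterns are this example's own reading of the
# TTPs in the report, not a vendor's rule logic.
RULES = [
    ("Identification of Mimikatz Execution & Artifacts", "CommandLine",
     r"(sekurlsa::|lsadump::|privilege::debug)"),
    ("Volume Shadow Copy deletion", "CommandLine",
     r"(vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete)"),
    ("Boot Configuration Tampering Via Bcdedit.EXE", "CommandLine",
     r"bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("Safe-Mode Reboot Staged for Encryption Evasion", "CommandLine",
     r"bcdedit.*safeboot\s+(minimal|network)"),
    ("Windows Defender Tampering in Registry via reg.exe", "CommandLine",
     r"reg(\.exe)?\s+add\s+.*windows defender.*"
     r"(disableantispyware|disablerealtimemonitoring)"),
    ("PSExec Execution", "Image", r"\\(psexec(64)?|psexesvc)\.exe$"),
    ("ESXi VM Enumeration and Shutdown via vim-cmd", "CommandLine",
     r"vim-cmd\s+vmsvc/(getallvms|power\.off)"),
    ("Process Connection to MEGA Domain", "DestinationHostname",
     r"(^|\.)mega\.(nz|co\.nz)$"),
]


def parse_event(line):
    """Split 'Key: value | Key: value' into a dict; unparseable text -> {}."""
    event = {}
    for part in line.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            event[key.strip()] = value.strip()
    return event


def sha256_of(event):
    """Pull the SHA256 out of a Sysmon-style 'Hashes' field, lowercased."""
    match = re.search(r"SHA256=([0-9a-fA-F]{64})", event.get("Hashes", ""))
    return match.group(1).lower() if match else None


def hunt(lines, iocs=DRAGONFORCE_SHA256):
    """Return (line_number, detection_name) for every hit, in log order."""
    hits = []
    for number, line in enumerate(lines, 1):
        event = parse_event(line)
        if sha256_of(event) in iocs:  # known-sample match by file hash
            hits.append((number, "Known DragonForce SHA256 IOC"))
        for name, field, pattern in RULES:  # behavioural rules
            if re.search(pattern, event.get(field, ""), re.IGNORECASE):
                hits.append((number, name))
    return hits


BENIGN = "0" * 64  # placeholder hash for the constructed benign events
# Constructed sample telemetry (not real logs). Only the hash on the
# "update.exe" line comes from the page's IOC list; every path and file
# name is made up. ESXi lines reuse the same layout for simplicity.
SAMPLE_LOG = [
    r"EventID: 1 | Image: C:\Users\Public\mimikatz.exe | CommandLine: mimikatz.exe "
    r'"privilege::debug" "sekurlsa::logonpasswords" exit | Hashes: SHA256=' + BENIGN,
    r"EventID: 1 | Image: C:\Windows\System32\vssadmin.exe | CommandLine: "
    r"vssadmin.exe delete shadows /all /quiet | Hashes: SHA256=" + BENIGN,
    r"EventID: 1 | Image: C:\Windows\System32\bcdedit.exe | CommandLine: "
    r"bcdedit /set {default} recoveryenabled no | Hashes: SHA256=" + BENIGN,
    r"EventID: 1 | Image: C:\Windows\System32\bcdedit.exe | CommandLine: "
    r"bcdedit /set {default} bootstatuspolicy ignoreallfailures | Hashes: SHA256=" + BENIGN,
    r"EventID: 1 | Image: C:\Windows\System32\bcdedit.exe | CommandLine: "
    r"bcdedit /set {current} safeboot network | Hashes: SHA256=" + BENIGN,
    r"EventID: 1 | Image: C:\Windows\System32\reg.exe | CommandLine: reg add "
    r'"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware '
    r"/t REG_DWORD /d 1 /f | Hashes: SHA256=" + BENIGN,
    r"EventID: 1 | Image: C:\Windows\PSEXESVC.exe | CommandLine: "
    r"C:\Windows\PSEXESVC.exe | Hashes: SHA256=" + BENIGN,
    r"EventID: 1 | Image: /bin/vim-cmd | CommandLine: vim-cmd vmsvc/getallvms",
    r"EventID: 1 | Image: /bin/vim-cmd | CommandLine: vim-cmd vmsvc/power.off 12",
    r"EventID: 1 | Image: C:\Users\Public\update.exe | CommandLine: update.exe "
    r"| Hashes: SHA256=" + IOC_B,
    r"EventID: 3 | Image: C:\Users\Public\update.exe | DestinationHostname: mega.nz",
    r"EventID: 1 | Image: C:\Windows\System32\notepad.exe | CommandLine: "
    r"notepad.exe C:\Users\a\notes.txt | Hashes: SHA256=" + BENIGN,
]

if __name__ == "__main__":
    for number, name in hunt(SAMPLE_LOG):
        print(f"line {number:2d}: {name}")
```

Two caveats when adapting this: the hash match only catches samples already on the IOC list, so a re-packed encryptor slips past it and the behavioural rules carry the load; and the Mimikatz pattern relies on module names in the command line, which disappears when the tool is driven interactively or renamed, so pair it with LSASS access telemetry (Sysmon Event ID 10 or an EDR equivalent). The bcdedit safeboot rule also has legitimate administrative use and needs tuning against your baseline before it pages anyone.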