
DragonForce Ransomware Cartel vs. Everybody
The story of the DragonForce Ransomware Cartel (DFRC, DragonForce) begins somewhere, but researchers can’t agree whether it started as a hacktivist group, a distinct new group, or a little of each. In fact, the more you dig into DFRC, the more obfuscated it becomes. It’s hard to find all the cool family history details in this story, and that’s exactly how they like it.
What’s in a name?
DragonForce is a cool name for a threat actor. Dragons are found in fantasy literature, roleplaying games (RPGs), online gaming and esports, subcultures like cyberpunk and manga, and across martial arts and Eastern mythology. The dragon projects an image of danger and power, and it looms large in hacker subcultures. Adopting the DragonForce name allowed the ransomware group to leverage a symbol that commands respect.
It can also be helpful to share a brand name with another group, because this can make post-attack investigations more challenging. This is certainly the case with DragonForce Ransomware, as you will see in the next section.
Did DragonForce Ransomware evolve from DragonForce Malaysia?
DragonForce Malaysia (DFM) is a hacktivist collective that targets governments and companies perceived as hostile to Islamic nations or supportive of Israel. They are strongly anti-Western and have positioned themselves as defenders of the Islamic world. The group was first observed in May 2021, and by the end of 2023 they were coordinating attacks with other groups like Killnet and Anonymous Sudan. DFM is still active, but attacks remain at a low level except during significant events or holidays relevant to their cause.
DFRC was observed later, when they began listing victims and leaking stolen data on their dedicated leak site in 2024. Researchers noted that DragonForce pivoted to a ransomware-as-a-service (RaaS) model shortly thereafter. In March 2025, DragonForce announced they would be operating as a cartel and invited other groups to join them.
So, is DFRC an evolution of the hacktivist group? There is some circumstantial evidence to support a connection. They both use 'DragonForce' in their names, which fuels some of the speculation around a connection and may cause confusion for researchers. Medusa ransomware is a good example of how shared or similar names can make threat actor research more difficult.
A second supporting point is that both DragonForce groups are said to have a connection to Malaysia. The hacktivist group operates in the region, and some researchers have thought the ransomware group may have ties to Malaysia because of its victim targeting patterns. A final supporting point is that both groups engage in disruptive attacks and data leaks.
That’s the publicly available evidence pointing to a connection between the two groups. It doesn’t seem like much, but many researchers and industry sources support this conclusion.
Let’s now look at evidence against the connection. The first thing to consider is that DragonForce Malaysia has denied a connection to the ransomware group and has denied ever using ransomware in its attacks.
AI Translation:
DragonForce Malaysia
OFFICIAL STATEMENT: MOTIVE AND MODUS OPERANDI...
For your information, this is our official statement to refute the claims made by certain foreign articles about several recent attacks that are allegedly carried out by a group known as "dragonforce ransomware," which is also allegedly linked or related to DragonForce Malaysia.
We would like to clarify here that the goals of the group known as dragonforce ransomware are clearly at odds with our own objectives. It is very clear that they are more motivated by profit and operate with an extortionate nature, whereas DragonForce Malaysia, although we do not deny or confirm the existence of any such entity, has never been involved in or responsible for any attacks that are harmful or carry out such extortionate actions.
Our struggle is against oppression, not a struggle of extortion.
We also have never been baited by any form of "false flag" operations, whether from enemy parties or from within the country itself.
Sincerely,
Sees no evil, hears no evil, and speaks no evil.
~Dexter's~
The two groups also have distinct infrastructure and tactics, techniques, and procedures (TTPs), though this is expected when you consider the motivations for each group. For example, DFM has not been linked to any payment infrastructure, presumably because it does not engage in extortion. There is also no privilege escalation, credential access, or data exfiltration as you would see in a ransomware, financially motivated, or nation-state espionage attack. Most DFM victims suffer the same fate as victims of other hacktivist groups, which is often business disruption and website defacements.
Another point to consider is that there appears to be no evidence of DFRC ties to Malaysia in terms of infrastructure, operator location, or command-and-control hosting. There are no verified Malaysian victims and there appear to be no known DFRC rules prohibiting attacks against companies in Malaysia. This isn't evidence that DFRC does not have ties to Malaysia, but it's relevant here because of the victim pattern evidence mentioned above.
There is also evidence linking DFRC to Russia and other countries in the Commonwealth of Independent States (CIS).
Evidence of Russian or CIS origins
There is no definitive conclusion that DragonForce Ransomware Cartel is based in or aligned with post-Soviet states, but there is some evidence:
- The group’s ransomware variants are based on leaked builders associated with Russian cybercriminal groups.
- DFRC uses tools like SystemBC, Mimikatz and Cobalt Strike, which are commonly used by Russian-speaking threat actors.
- DragonForce has actively engaged and advertised its services on the Russian Anonymous Market Place, or RAMP. Most users on RAMP communicate in Russian.
- Affiliate rules prohibit attacks on Russia and other former Soviet Union countries.
According to The Register, the rival ransomware group RansomHub accused DFRC of working as an agent of Russia’s Federal Security Service (FSB). There appears to be no substantial evidence to support or debunk the accusation. Some industry analysts believe that DFRC and similar groups do indeed work for the state, but they do so in a way that obfuscates the government’s role.
All this evidence could suggest a link to post-Soviet states, but it could also be interpreted as “best practices” for a group that wants to 1) recruit a lot of criminal affiliates and 2) use malware and techniques that have been known to work.
Timeline of events
DragonForce Ransomware emerged as a ransomware group in late 2023 using ransomware payloads based on LockBit 3.0 and Conti source code. The Ohio Lottery and Yakult Australia are among the first high-profile victims.
The DragonForce RaaS operation
DragonForce announced its ransomware-as-a-service (RaaS) operation in early 2024, and actively recruited affiliates through underground forums and other communication channels.
At this point, DragonForce is a true RaaS, so the affiliates are conducting traditional ransomware campaigns using the DragonForce infrastructure and the DragonForce brand. DragonForce took 20% of ransom payments as a service fee, and the affiliates kept the rest. By the end of 2024, the operation claimed 93 victims in several countries.
The DragonForce Ransomware Cartel
On March 19, 2025, DragonForce Ransomware announced it was operating as a cartel. Here we see a significant change in how they approach their rivals and criminal opportunities.
This shift is not like a rebrand, where the group goes dark and comes back with a different name. This is an evolution to a new model of crime that replaces the centralized hierarchy of a group with a decentralized coalition of threat actors. Cartel members can launch attacks under their own brands while using DragonForce resources, and they can collaborate and share with each other as desired. As a cartel, DFRC also conducts press relations and will use publicity to pressure victims and pursue dominance in the threat landscape.
“Hackers contacted the BBC with proof they had infiltrated IT networks and stolen huge amounts of customer and employee data.” ~BBC World Service
“DragonForce told BleepingComputer that their structure is that of a marketplace, where affiliates can choose to deploy attacks under the DragonForce brand or a different one.” ~BleepingComputer
“We don't attack cancer patients or anything heart related, we'd rather send them money and help them. We're here for business and money, I didn't come here to kill people, and neither did my partners,” ~BleepingComputer
DragonForce is not the first ransomware cartel, but it seems to be the first that is so self-promoting and openly hostile toward competitors.
DragonForce vs everybody
After announcing the move to a cartel model, DragonForce quickly targeted its rivals with harassment campaigns and hostile takeover attempts. Within 24 hours of the cartel announcement, DragonForce defaced the leak sites of the BlackLock and Mamona RaaS groups.
At this point, let’s turn our attention to RansomHub and all the orphaned RaaS affiliates it had taken under its wing. This group was successfully operating as a RaaS or hybrid model until April 1, 2025, when its infrastructure went offline.
RansomBay, a former RansomHub affiliate, has moved to DragonForce and even incorporated elements of the DragonForce logo in its operations.
At this point we start seeing RansomHub fight back in the forums. On April 25, RansomHub spokesperson ‘Koley’ posted a screenshot showing the DragonForce leak site was experiencing problems with ‘technical works’ and suggested the cartel had ‘traitors’ in the ranks. The back and forth between the two continued, with observers posting speculations about exit scams and a rebranding. On April 28 we see Koley's big accusation:
“You use feds to steal and shutdown others. We know.”
This is consistent with The Register's reporting on the accusations.
DragonForce Ransomware Cartel victims
Since the announcement in March, DFRC has been focused on major UK retailers. Victims in this sector include:
- Marks & Spencer (M&S): This attack disrupted online orders and payment systems, and compromised customer data. DragonForce sent extortion emails to the CEO and other executives, boasting about the attack and threatening to leak sensitive information. Snippets from the email can be read here.
- Co-op: Back-office and call center operations were impacted, but the business and its stores were said to be operating as normal through the attack. Co-op did confirm the exposure of the personal data of over 10,000 members.
- Harrods: This one is a likely-but-not-quite-verified victim. DragonForce claimed responsibility for a cyberattack that caused Harrods to restrict internet access and take other mitigation measures. DragonForce attribution has not been confirmed.
Cartel members have also compromised at least 15 industrial targets and compromised a managed service provider (MSP) application in a supply chain attack that makes it possible to then attack the MSP’s customers.
What’s next for this cartel?
If rival retaliation and internal discontent do not damage DragonForce, the cartel will probably continue to grow. This will contribute to the fluidity of the threat landscape and agility of threat actors to rebrand or simply disappear into another group or a different type of crime. It’s possible the cartel will grow so quickly that it cannot manage the operation well enough to prevent leaks. Law enforcement has had some success in the last few years, so maybe they’ll be able to strike a blow to this one too.
Protect yourself
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) Stop Ransomware website can help you prevent ransomware attacks. You should review this site for information on emergency communications, bad practices, and proper ransomware attack response. Also, make sure you’re following the standard best practices, such as regular data backups and timely patch management.
Barracuda offers complete ransomware protection and the industry’s most comprehensive cybersecurity platform. Visit our website to see how we defend email, network, applications, and data.
