DragonForce has swiftly risen as a formidable player in 2025, embodying a hybrid threat that blends ideological ambiguity with ruthless opportunism.
First identified in December 2023 with the debut of its “DragonLeaks” dark web portal, DragonForce may trace its origins to the hacktivist group DragonForce Malaysia.
However, its current incarnation is a far cry from those ideological roots, now operating as a sophisticated ransomware-as-a-service (RaaS) entity.
What sets DragonForce apart in a crowded field of 74 active ransomware groups is its business model, designed for the gig economy of cybercrime.
Offering a 20% revenue share (lower than many competitors), it attracts displaced affiliates with white-label ransomware kits, allowing customization of binaries, ransom notes, and file extensions, alongside pre-built infrastructure like negotiation tools and branded “RansomBay” leak sites.
Following the collapse of RansomHub in April 2025, DragonForce adeptly positioned itself as a nimble alternative, capitalizing on the erosion of trust in legacy RaaS platforms by prioritizing anonymity and flexibility.
Record-Breaking Surge and Strategic Shifts
The timing of DragonForce’s ascent aligns with an unprecedented spike in global ransomware activity, as reported by Check Point’s State of Ransomware Q1 2025.
With 2,289 publicly named victims in just the first quarter (a staggering 126% year-over-year increase) and a monthly average of over 650 confirmed victims, the ransomware ecosystem is more volatile than ever.
DragonForce has exploited this chaos, particularly through a targeted campaign against UK retailers in April and May 2025, disrupting e-commerce platforms and loyalty programs while likely harvesting personally identifiable information (PII) for secondary monetization.
According to the report, Check Point data highlights the consumer goods and services sector as the fifth most attacked vertical in the UK, facing 1,337 weekly cyberattacks per organization, 8% above the national average, and a 22% year-over-year rise.
This shift toward data extortion over traditional encryption reflects a broader trend in ransomware tactics, simplifying operations while accelerating profit.
Meanwhile, the fragmentation of the ecosystem, following the 2024 takedowns of LockBit and ALPHV and RansomHub’s disappearance, has fueled competition among mid-tier actors like Akira and Medusa, yet DragonForce distinguishes itself by offering not just tools but a vague, adaptable identity that resonates with affiliates.
Adding to the complexity of this threat landscape is the integration of artificial intelligence (AI) into ransomware operations, a trend Check Point identifies as a game-changer in 2025.
Groups are leveraging large language models (LLMs) for malware development, lowering barriers to entry, while deepfake technologies enhance social engineering through audio and visual impersonation.
GenAI further enables multilingual phishing and automated call bots for one-time password (OTP) theft, professionalizing criminal campaigns.
DragonForce, with its agile platform and opportunistic ethos, is well-positioned to adopt such innovations, posing an escalating challenge to defenders.
As ransomware mutates in both scale and method, the emergence of hybrid actors like DragonForce signals a dangerous new chapter in cybercrime, where technology and fragmented loyalties converge to create threats that are harder to predict, track, or mitigate.