Major UK retailers including Harrods, Marks and Spencer, and Co-Op are currently experiencing significant service disruptions following a series of coordinated ransomware attacks attributed to the DragonForce group.
The attacks have affected critical business functions including payment systems, inventory management, and payroll processing.
This campaign marks a significant escalation in DragonForce’s operations, which previously targeted organizations including Honolulu OTS, the Government of Palau, Coca-Cola (Singapore), Ohio State Lottery, and Yakult Australia.
Technical analysis reveals that DragonForce’s initial access tactics primarily involve phishing emails and exploitation of known vulnerabilities in corporate networks.
The group is known to leverage leaked or stolen credentials to access internet-facing devices and deploys Cobalt Strike for campaign management.
Security researchers have linked several specific vulnerabilities to previous DragonForce intrusions, including CVE-2021-44228 (Log4Shell), CVE-2023-46805 and CVE-2024-21887 (Ivanti Connect Secure authentication bypass and command injection), CVE-2024-21412 (Microsoft Windows SmartScreen bypass), and CVE-2024-21893 (Ivanti Connect path traversal).
Once inside victim networks, the attackers use tools including Mimikatz for credential harvesting, Advanced IP Scanner for network reconnaissance, and PingCastle for Active Directory assessment.
The group also targets RDP services with credential stuffing attacks and exploits VPN weaknesses.
For persistence, DragonForce operators deploy the SystemBC backdoor, a multi-platform proxy malware that creates SOCKS5 tunnels through compromised networks.
Evolution of DragonForce’s Ransomware Payload
DragonForce’s technical capabilities have evolved significantly since its emergence in August 2023.
Initially, the group’s ransomware payloads were based entirely on the leaked LockBit 3.0 builder, but they have since developed more bespoke variants with roots in the Conti v3 codebase.
While earlier variants used AES for file encryption and RSA to protect the file-encryption keys, newer Conti-derived samples implement the ChaCha8 algorithm, which provides improved encryption speed.
The ransomware now features a sophisticated affiliate panel that enables customization of payloads for specific platforms including Windows, Linux, ESXi, and NAS devices.
The malware supports multiple command-line options for controlling encryption behavior, file discovery modes, and execution timing.
Technical specifications indicate that affiliates can manage multiple builds per platform for each victim, with options to customize encryption behaviors, appended file extensions, and process termination configurations.

Operations Growth and Defence Advice
In early 2025, DragonForce expanded its business model by introducing a ‘white-label’ branding service that allows affiliates to disguise the ransomware as a different strain for an additional fee.
This service, called RansomBay, allows affiliates to keep 80% of ransom payments while DragonForce takes 20%.

This evolution positions DragonForce as a “Ransomware Cartel” with infrastructure and malware support similar to operations like RansomHub, Rabbit Hole, and Dispossessor.
Cybersecurity experts recommend organizations implement robust defenses including endpoint protection platforms with behavioral ransomware detection capabilities.
SentinelOne’s Singularity Platform has introduced enhanced detection via a Live Security Update in March 2025 specifically targeting DragonForce variants.
Security teams should also prioritize patching the specific vulnerabilities exploited by the group, implement multi-factor authentication, and develop comprehensive incident response procedures to mitigate potential damage from DragonForce attacks.
As DragonForce continues to blur the lines between hacktivism and financial motivation, organizations must maintain strong cybersecurity practices, efficient configuration management, and complete visibility into their digital assets to defend against these increasingly sophisticated ransomware attacks.
Indicators of Compromise (IOC):
| SHA1 Ransom Notes | SHA1 Payloads |
|---|---|
| 343220b0e37841dc002407860057eb10dbeea94d | 011894f40bab6963133d46a1976fa587a4b66378 |
| ae2967d021890a6a2a8c403a569b9e6d56e03abd | 0b22b6e5269ec241b82450a7e65009685a3010fb |
| c98e394a3e33c616d251d426fc986229ede57b0f | 196c08fbab4119d75afb209a05999ce269ffe3cf |
| f710573c1d18355ecdf3131aa69a6dfe8e674758 | 1f5ae3b51b2dbf9419f4b7d51725a49023abc81c |
| 229e073dbcbb72bdfee2c244e5d066ad949d2582 | |
| 29baab2551064fa30fb18955ccc8f332bd68ddd4 | |
| 577b110a8bfa6526b21bb728e14bd6494dc67f71 | |
| 7db52047c72529d27a39f2e1a9ffb8f1f0ddc774 | |
| 81185dd73f2e042a947a1bf77f429de08778b6e9 | |
| a4bdd6cef0ed43a4d08f373edc8e146bb15ca0f9 | |
| b3e0785dbe60369634ac6a6b5d241849c1f929de | |
| b571e60a6d2d9ab78da1c14327c0d26f34117daa | |
| bcfac98117d9a52a3196a7bd041b49d5ff0cfb8c | |
| e164bbaf848fa5d46fa42f62402a1c55330ef562 | |
| e1c0482b43fe57c93535119d085596cd2d90560a | |
| eada05f4bfd4876c57c24cd4b41f7a40ea97274c | |
| fc75a3800d8c2fa49b27b632dc9d7fb611b65201 | |
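The IOC table above is only useful if it can be turned into a check that runs on real hosts. The following script is an added example, not code from the original article or from SentinelOne: it parses the article's two-column SHA1 table into indicator sets, validates every cell as a 40-hex-character SHA-1 so a garbled row cannot silently become a non-matching indicator, and then streams every file under a directory through SHA-1 to report hits labelled as ransom note or payload. The function names (`parse_ioc_table`, `sweep`, and so on) and the directory-sweep logic are this example's own; the hashes are the ones published above.

```python
"""Sweep a directory for files whose SHA-1 matches the DragonForce IOC table.

Added example, not code from the original article or from any vendor.
The hashes are the ones published in the article's IOC table; the parser,
the directory sweep and all helper names are this example's own.
"""
import hashlib
import os
import re
from pathlib import Path

# IOC table as published in the article: two pipe-separated columns.
IOC_TABLE = """
SHA1 Ransom Notes | SHA1 Payloads |
343220b0e37841dc002407860057eb10dbeea94d | 011894f40bab6963133d46a1976fa587a4b66378 |
ae2967d021890a6a2a8c403a569b9e6d56e03abd | 0b22b6e5269ec241b82450a7e65009685a3010fb |
c98e394a3e33c616d251d426fc986229ede57b0f | 196c08fbab4119d75afb209a05999ce269ffe3cf |
f710573c1d18355ecdf3131aa69a6dfe8e674758 | 1f5ae3b51b2dbf9419f4b7d51725a49023abc81c |
229e073dbcbb72bdfee2c244e5d066ad949d2582 | |
29baab2551064fa30fb18955ccc8f332bd68ddd4 | |
577b110a8bfa6526b21bb728e14bd6494dc67f71 | |
7db52047c72529d27a39f2e1a9ffb8f1f0ddc774 | |
81185dd73f2e042a947a1bf77f429de08778b6e9 | |
a4bdd6cef0ed43a4d08f373edc8e146bb15ca0f9 | |
b3e0785dbe60369634ac6a6b5d241849c1f929de | |
b571e60a6d2d9ab78da1c14327c0d26f34117daa | |
bcfac98117d9a52a3196a7bd041b49d5ff0cfb8c | |
e164bbaf848fa5d46fa42f62402a1c55330ef562 | |
e1c0482b43fe57c93535119d085596cd2d90560a | |
eada05f4bfd4876c57c24cd4b41f7a40ea97274c | |
fc75a3800d8c2fa49b27b632dc9d7fb611b65201 | |
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_ioc_table(text):
    """Return {'ransom_notes': set, 'payloads': set} parsed from the pipe table.

    Rows with an empty second cell (the ransom-note-only rows) are handled,
    and every non-empty cell must be a lowercase 40-hex SHA-1, otherwise a
    ValueError is raised rather than loading a mangled indicator.
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = [c.strip().lower() for c in lines[0].strip("|").split("|")]
    columns = {
        "ransom_notes": header.index("sha1 ransom notes"),
        "payloads": header.index("sha1 payloads"),
    }
    result = {"ransom_notes": set(), "payloads": set()}
    for line in lines[1:]:
        cells = [c.strip().lower() for c in line.strip("|").split("|")]
        for name, idx in columns.items():
            if idx < len(cells) and cells[idx]:
                if not SHA1_RE.match(cells[idx]):
                    raise ValueError(f"malformed SHA-1 in IOC table: {cells[idx]!r}")
                result[name].add(cells[idx])
    return result


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-1 so large files are never fully loaded."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_hash(digest, iocs):
    """Return 'payload', 'ransom_note' or None for a SHA-1 hex digest."""
    digest = digest.lower()
    if digest in iocs["payloads"]:
        return "payload"
    if digest in iocs["ransom_notes"]:
        return "ransom_note"
    return None


def sweep(root, iocs):
    """Walk `root` and return [(path, category)] for every file matching an IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                category = classify_hash(sha1_of_file(path), iocs)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if category:
                hits.append((str(path), category))
    return hits


if __name__ == "__main__":
    import sys

    indicators = parse_ioc_table(IOC_TABLE)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit_path, hit_category in sweep(target, indicators):
        print(f"{hit_category:12s} {hit_path}")
```

Run it as `python sweep.py /path/to/share` on a host or file share suspected of exposure; a `payload` hit is a file to isolate and submit for analysis, while a `ransom_note` hit shows which directories the encryptor has already visited. SHA-1 matching is exact-match only, so a recompiled affiliate build will not be caught by this list; treat the sweep as a quick triage step alongside the behavioural endpoint detection the article recommends.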