DragonForce Ransomware Gang | From Hacktivists to High Street Extortionists

May 5, 2025, 7:39 p.m.

Description

The DragonForce ransomware group, initially a pro-Palestine hacktivist operation, has evolved into a profit-driven extortion enterprise targeting UK retailers and various global entities. Emerging in August 2023, the group now employs a multi-extortion model, threatening data leaks and reputational damage. Their tactics include phishing, vulnerability exploitation, and credential stuffing for initial access. DragonForce has developed its own ransomware based on leaked LockBit and Conti code, offering customizable payloads for different platforms. Recently, they introduced a 'white-label' service allowing affiliates to disguise attacks under different brands. The group's expansion and self-branding as a 'Ransomware Cartel' indicate a strategic move to elevate their status in the cybercrime landscape.

External References

https://www.sentinelone.com/blog/dragonforce-ransomware-gang-from-hacktivists-to-high-street-extortionists
https://otx.alienvault.com/pulse/68163629ffa45ff2f641d2ba
Tags
ransomware
extortion
cobalt strike
CVE-2024-21412
CVE-2021-44228
CVE-2024-21887
CVE-2023-46805
systembc
2025-05-03
CVE-2024-21893
multi-extortion
dragonforce ransomware
white-label

Date

  • Created: May 3, 2025, 3:28 p.m.
  • Published: May 3, 2025, 3:28 p.m.
  • Modified: May 5, 2025, 7:39 p.m.

Attack Patterns

  • DragonForce

Additional Informations

  • Retail
  • British Indian Ocean Territory
  • India
  • Saudi Arabia
  • Malaysia
  • United Kingdom of Great Britain and Northern Ireland
  • Israel