// Threat Intelligence Profile

DragonForce Ransomware

Emerging ransomware operation that carries the name of a Malaysian hacktivist collective and now runs purely financially motivated double-extortion attacks; the link between the two is based on the shared brand and has not been independently confirmed. Active since late 2023. Analysis based on 14 negotiation transcripts.

Operational Overview

DragonForce has a distinctive origin story compared to most ransomware groups. The name was originally associated with DragonForce Malaysia, a hacktivist collective that conducted website defacements and DDoS attacks motivated by political and nationalist grievances rather than financial gain. Whether the ransomware crew shares personnel with that collective, or simply adopted its brand, has not been established publicly; what is clear is that the operation now behaves like any other profit-driven extortion group. If the lineage is real, it fits a pattern seen increasingly as hacktivist groups recognise the returns available from ransomware while keeping ideological cover.

The financially motivated DragonForce ransomware operation emerged in late 2023 and has been building its victim base and capabilities since. Our dataset of 14 negotiation transcripts, while smaller than our archives for established groups, provides meaningful insight into an operation still developing its playbook. The group operates a double-extortion model (data theft before encryption, with publication used as leverage) through a Tor-based leak site and negotiation portal, following the template established by more mature operations.

DragonForce is notable for its growing sophistication and the speed at which it has built out its infrastructure. In 2024 the group launched a ransomware-as-a-service affiliate programme with a competitive commission structure that lets affiliates retain up to 80% of ransom payments. The move to a RaaS model indicates the core team is focused on scaling, which typically brings higher attack volume and wider geographic spread. It also means that "DragonForce" on a ransom note identifies the encryptor and leak site in use, not necessarily who carried out the intrusion: responders should expect the hands-on tradecraft to vary from affiliate to affiliate.

Initial Access & Entry Vectors

DragonForce's initial access methods reflect a fairly standard modern ransomware playbook, with some variation across the 14 transcripts in our archive:

  • Exploiting public-facing vulnerabilities: The group has exploited internet-facing systems including VPN appliances and remote access solutions. Several transcripts point to exploitation of known, already-patched vulnerabilities in widely deployed perimeter devices rather than zero-days, so patch latency on edge devices is the exposure that matters.
  • Phishing and social engineering: Spear-phishing campaigns targeting employees, particularly those with elevated access, have been documented in multiple incidents.
  • Credential abuse: Purchased or stolen credentials for VPNs and remote desktop services have featured in several incidents, consistent with broader ransomware ecosystem trends. Remote access without phishing-resistant MFA is the enabling weakness in these cases.
  • Initial Access Brokers: As DragonForce has expanded its RaaS affiliate programme, broker-sourced access has become an increasingly likely entry vector for affiliate-conducted attacks.
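The credential-abuse vector above is usually visible in VPN authentication logs before anything touches the internal network. The following is an added example, not code from the original page and not anything attributed to DragonForce: a small Python detector that learns, from a constructed history, which countries each account normally authenticates from, then flags a successful logon from a country the account has never used (noting any failures that preceded it, a hint of password spraying or credential stuffing) and two successful logons from different countries closer together than a person could travel. The log line format, the four-hour travel threshold, and every user, IP and timestamp in the sample are assumptions constructed for the example.

```python
"""Flag VPN logons consistent with purchased or stolen credentials.

Two checks: (1) a success from a country the account has never
authenticated from before; (2) two successes from different countries
closer together in time than MIN_TRAVEL_HOURS. The log format and the
sample lines are constructed for this example (not a real product's format).
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed format:
# "<ISO-8601 UTC> vpn-auth user=<u> src=<ip> country=<CC> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth user=(?P<user>\S+) src=(?P<ip>\S+) "
    r"country=(?P<cc>[A-Z]{2}) result=(?P<result>success|failure)$"
)
# A cross-country hop inside this many hours is treated as impossible travel.
# Country granularity is a simplification; production logic should compute
# geo-distance between the two source IPs instead.
MIN_TRAVEL_HOURS = 4.0


def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "ip": m["ip"], "cc": m["cc"],
            "result": m["result"]}


def learn_baseline(lines):
    """Countries each account has successfully logged on from historically."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev and ev["result"] == "success":
            seen[ev["user"]].add(ev["cc"])
    return seen


def detect(baseline, lines):
    """Return alert dicts for new-country logons and impossible travel."""
    alerts = []
    last_ok = {}                  # user -> most recent successful logon
    failures = defaultdict(int)   # failures since the user's last success
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        u = ev["user"]
        if ev["result"] == "failure":
            failures[u] += 1
            continue
        # Unknown accounts have an empty baseline, so any country is "new".
        if ev["cc"] not in baseline[u]:
            alerts.append({"type": "new_country", "user": u,
                           "country": ev["cc"], "src": ev["ip"],
                           "failures_before": failures[u]})
        prev = last_ok.get(u)
        if prev and prev["cc"] != ev["cc"]:
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            if hours < MIN_TRAVEL_HOURS:
                alerts.append({"type": "impossible_travel", "user": u,
                               "from": prev["cc"], "to": ev["cc"],
                               "hours": round(hours, 2)})
        last_ok[u] = ev
        failures[u] = 0
    return alerts


# Constructed history: alice and bob normally log on from GB.
BASELINE = [
    "2025-03-01T08:00:00Z vpn-auth user=alice src=203.0.113.10 country=GB result=success",
    "2025-03-02T08:05:00Z vpn-auth user=alice src=203.0.113.10 country=GB result=success",
    "2025-03-02T09:00:00Z vpn-auth user=bob src=198.51.100.7 country=GB result=success",
]
# Constructed events: alice's credential is reused from abroad after a failure.
EVENTS = [
    "2025-04-20T01:10:00Z vpn-auth user=alice src=203.0.113.10 country=GB result=success",
    "2025-04-20T02:00:00Z vpn-auth user=alice src=192.0.2.44 country=NL result=failure",
    "2025-04-20T02:00:30Z vpn-auth user=alice src=192.0.2.44 country=NL result=success",
    "2025-04-20T08:30:00Z vpn-auth user=bob src=198.51.100.7 country=GB result=success",
]

if __name__ == "__main__":
    for alert in detect(learn_baseline(BASELINE), EVENTS):
        print(alert)
```

Run as-is it prints two alerts for alice (a first-ever logon from NL preceded by one failure, then a GB-to-NL hop 0.84 hours apart) and nothing for bob. The baseline window should be long enough to cover genuine travel and remote workers, and the alert is a trigger for checking whether MFA was satisfied on that session rather than a verdict on its own.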

Post-compromise behaviour observed in DragonForce incidents includes network reconnaissance, lateral movement using standard administrative and remote-access tooling, Active Directory targeting to obtain domain-wide privileges, and staging of stolen data for exfiltration before the encryptor is deployed. The staging step is the last reliable opportunity to interrupt the attack before encryption, since exfiltration precedes deployment in the double-extortion model.

Technical Characteristics

DragonForce has deployed multiple encryptor variants, and technical analysis of its ransomware shows both reuse of leaked code from other groups and development specific to this operation:

  • Early DragonForce samples were built with the leaked LockBit 3.0 (LockBit Black) builder, with changes limited largely to the ransom note template and hardcoded infrastructure addresses.
  • Later samples diverged from the LockBit codebase; public analyses have traced a second variant to leaked Conti source. "Custom" here therefore means customised to DragonForce's operation rather than written from scratch, and detections tuned to LockBit Black and Conti behaviour remain relevant.
  • The group operates a Tor-based data leak site where victim data is published following failed negotiations or non-payment.
  • Encrypted files receive a custom extension, and a ransom note is dropped in affected directories. Both artefacts are detectable: a burst of renames to one new extension and a single note file appearing across many directories are the host-level signals to alert on.
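The two encryption artefacts above are what host-level detection keys on, whichever leaked codebase a given DragonForce build descends from. The following is an added example, not code from the original page and not DragonForce tooling: a Python detector run over constructed file-event log lines that raises one alert when many files are renamed to a single non-benign extension inside a short window, and another when a file of the same name is created in many distinct directories. The log line format, the 120-second window, both thresholds, the ".locked" extension and the "HOW_TO_RESTORE.txt" note name are all assumptions chosen for the example and are not DragonForce indicators.

```python
"""Detect the file-system footprint of a running encryptor.

Two signals over file events: (1) a burst of renames to one extension
that is not on an allow-list of legitimately bulk-written extensions;
(2) one file name created in many directories (ransom-note fan-out).
The event format, window, thresholds, extension and note name below are
assumptions constructed for this example, not DragonForce indicators.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import posixpath
import re

# Constructed format: "<ISO-8601 UTC> <RENAME|CREATE> <path>[ -> <new path>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<op>RENAME|CREATE)\s+(?P<src>.+?)(?:\s+->\s+(?P<dst>.+))?$"
)
WINDOW = timedelta(seconds=120)
RENAME_THRESHOLD = 20     # renames to one new extension inside WINDOW
NOTE_DIR_THRESHOLD = 5    # distinct directories receiving the same file name
# Extensions written in bulk by backup/build jobs; tune to the estate.
BENIGN_EXTS = {".tmp", ".bak", ".log", ".part"}


def parse_line(line):
    """Parse one event line; returns (ts, op, src, dst) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["op"], m["src"], m["dst"]


def _split(path):
    """(directory, file name, lower-cased extension); accepts \\ or / paths."""
    d, name = posixpath.split(path.replace("\\", "/"))
    return d, name, posixpath.splitext(name)[1].lower()


def _max_in_window(times):
    """Largest number of timestamps inside any WINDOW-long interval."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > WINDOW:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect(lines):
    """Return alert dicts for extension bursts and note fan-out."""
    renames = defaultdict(list)   # new extension -> [(ts, directory)]
    creates = defaultdict(list)   # file name     -> [(ts, directory)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, op, src, dst = parsed
        if op == "RENAME" and dst:
            d, _, new_ext = _split(dst)
            if new_ext and new_ext != _split(src)[2] and new_ext not in BENIGN_EXTS:
                renames[new_ext].append((ts, d))
        elif op == "CREATE":
            d, name, _ = _split(src)
            creates[name].append((ts, d))

    alerts = []
    for ext, hits in renames.items():
        burst = _max_in_window(t for t, _ in hits)
        if burst >= RENAME_THRESHOLD:
            alerts.append({"type": "extension_burst", "extension": ext,
                           "renames_in_window": burst,
                           "directories": len({d for _, d in hits})})
    for name, hits in creates.items():
        dirs = {d for _, d in hits}
        if len(dirs) >= NOTE_DIR_THRESHOLD and \
                _max_in_window(t for t, _ in hits) >= NOTE_DIR_THRESHOLD:
            alerts.append({"type": "note_fanout", "file": name,
                           "directories": len(dirs)})
    return alerts


def build_sample():
    """Constructed stream: 30 encryptions across 6 shares in ~60 s, plus noise."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    base = datetime(2025, 4, 22, 2, 15, 0)
    dirs = ["C:\\share\\finance", "C:\\share\\hr", "C:\\share\\legal",
            "C:\\share\\ops", "C:\\share\\sales", "C:\\share\\eng"]
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=2 * i)).strftime(fmt)
        d = dirs[i % len(dirs)]
        lines.append(f"{ts} RENAME {d}\\doc{i}.docx -> {d}\\doc{i}.docx.locked")
        if i < len(dirs):                       # one note per share
            lines.append(f"{ts} CREATE {d}\\HOW_TO_RESTORE.txt")
    for i in range(5):                          # benign backup job renaming to .tmp
        ts = (base + timedelta(seconds=3 * i)).strftime(fmt)
        lines.append(f"{ts} RENAME C:\\backup\\db{i}.mdf -> C:\\backup\\db{i}.tmp")
    lines.append("2025-04-22T02:16:10Z CREATE C:\\share\\hr\\notes.txt")  # ordinary save
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample()):
        print(alert)
```

On the constructed sample this yields one extension_burst alert (30 renames to ".locked" across 6 directories) and one note_fanout alert (6 directories), while the .tmp backup renames and the single notes.txt save produce nothing. The thresholds are deliberately low for a demonstration; in production they should be set from a baseline of normal rename and create rates per host, and the alert should drive isolation of the host rather than wait for an analyst.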

As DragonForce continues to develop its capabilities, organisations should expect increasing technical sophistication over time.

Negotiation Patterns & Demand Analysis

Our 14 transcripts provide a developing picture of DragonForce's negotiation approach. As a newer operation, the group's patterns are less fixed than those of more established actors, and there is more variation across negotiations than we see in groups with hundreds of engagements behind them.

Initial demands in our dataset have ranged from $100,000 to several million dollars, generally calibrated to the apparent size of the victim organisation. The group demonstrates awareness of victim financial capacity and adjusts demands accordingly.

Observed characteristics across negotiations:

  • Communication is generally structured and conducted in English through a Tor-based portal
  • The group demonstrates a willingness to negotiate, with reductions documented in our transcripts
  • Timeline pressure is applied through countdown timers and publication threats on their leak site
  • The group has provided proof-of-life samples of stolen data to demonstrate exfiltration capability
  • Response times are less consistent than those of more mature operations, reflecting the group's still-developing operational infrastructure

The shift to a RaaS model in 2024 is expected to introduce more variation in negotiation behaviour as affiliate quality varies.

Target Selection

DragonForce's victim profile to date spans multiple sectors, with a concentration in retail, manufacturing, and public sector targets. The group has claimed victims across multiple continents, so its activity is more dispersed than that of regionally focused operations. Notable claimed victims have included organisations in the UK, Australia, and the United States.

The group has shown willingness to target critical services, including food and grocery retail: the April 2025 attacks on Marks & Spencer and Co-op in the UK were attributed to affiliates using DragonForce's encryptor and infrastructure. This suggests fewer self-imposed restrictions on target selection than some peer groups, and, given the RaaS model, target choice is increasingly the affiliate's rather than the core team's.

View Negotiation Transcripts

14 DragonForce ransomware negotiation transcripts are available in our public archive. As an active and developing group, this dataset will continue to grow.

Quick Reference

Status: ACTIVE
First Observed: Late 2023
Transcripts: 14
Demand Range: $100K – several million
Model: Double Extortion (RaaS from 2024)
Origins: Malaysian hacktivist collective (link unconfirmed)
Entry Vectors: VPN exploits, phishing, credential abuse, IABs
Affiliate Commission: Up to 80%

Key Negotiation Insights

Tone: Structured, developing
Negotiability: Moderate
Response Time: Variable
Timeline Pressure: Moderate (leak site threats)
Maturity: Growing — patterns still evolving

Under Attack by DragonForce?

If DragonForce has targeted your organisation, contact Binary Response immediately. Our team is tracking this group's evolving tactics and can advise on containment, negotiation, and recovery.
