The DragonForce ransomware group has emerged as a significant threat, operating since December 2023 under a sophisticated Ransomware-as-a-Service (RaaS) model. Branding itself as a “cartel,” the group has aggressively expanded its influence, attracting a wide network of affiliates and distinguishing its operations within the cybercrime landscape. This evolving entity has targeted 363 companies since its inception, demonstrating a persistent and growing threat to global organizations.
DragonForce actively recruits and promotes its services on prominent dark web forums, including BreachForums, RAMP, and Exploit. The group differentiates itself by offering tools such as “RansomBay” for customized payload generation and harassment calling services designed to pressure victims into paying. The strategy is to maximize psychological and financial pressure on victims so that a larger share of ransom demands succeed. Reports from S2W analysts indicate a steady increase in attacks, culminating in December 2025 with 35 victims published in a single month, which highlights the group’s scaling ambitions.
Beyond standard attacks, DragonForce has engaged in adversarial actions against rival ransomware groups, launching infrastructure-level attacks, while also seeking alliances to strengthen its ecosystem. This dual approach of conflict and cooperation underscores their ambition to dominate the RaaS market.
The group provides comprehensive support to its affiliates, including data analysis and team coordination tools, presenting a service suite comparable to legitimate software enterprises. This “cartel-like” structure allows for a more organized and efficient cybercriminal operation, making it harder for law enforcement to dismantle.
Technical Analysis of Windows Binaries
Recent technical assessments of DragonForce’s Windows binaries reveal that the core encryption routines and process termination methods are unchanged, but the surrounding structure has been updated significantly. The ransomware continues to use the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate security processes from kernel mode so that encryption can proceed unhindered; because a signed but vulnerable driver must first be written to disk and loaded, the driver load itself remains the earliest reliable detection point for defenders. Beyond that, the changes concentrate on the metadata structure appended to encrypted files.
Specifically, the “Encryption Ratio” field has been widened from one byte to four bytes, bringing the total size of the footer appended to each encrypted file to 537 bytes. The wider field gives the operator more granular control over how much of a file is encrypted.
Additionally, the latest builder version of the ransomware incorporates a beta feature named “encryption_rules.” This functionality permits operators to define a specific encryption mode for each file extension. When no rule matches a file’s extension, the malware falls back to choosing full, partial, or header-only encryption based on the file’s size.
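The following is an added illustration, not code recovered from the DragonForce builder or from the S2W analysis. It models the mode selection described above (per-extension rule first, size-based fallback otherwise) and then works out which byte ranges each mode would touch, which is the question an incident responder asks when deciding whether a partially encrypted file is worth carving. The size thresholds, the meaning of the ratio as a percentage of each stripe, the stripe size and the header length are all assumptions chosen for illustration; the page states only that these modes exist and that the footer is 537 bytes.

```python
# Hypothetical model of DragonForce's encryption_rules feature and its
# size-based fallback. Thresholds, ratio semantics and stripe layout are
# assumptions for illustration; only the mode names and the 537-byte footer
# come from the published analysis.

FOOTER_SIZE = 537  # metadata appended to every encrypted file (from the analysis)

MIB = 1024 * 1024
SMALL_FILE_LIMIT = 1 * MIB    # assumed: files up to this size are fully encrypted
LARGE_FILE_LIMIT = 64 * MIB   # assumed: files above this get header-only encryption


def select_mode(filename, size, rules):
    """Pick 'full', 'partial' or 'header' for a file.

    `rules` maps a lower-case extension (without the dot) to a mode, standing in
    for an operator-supplied encryption_rules table. If no rule matches, fall
    back to the assumed size thresholds above.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in rules:
        return rules[ext]
    if size <= SMALL_FILE_LIMIT:
        return "full"
    if size <= LARGE_FILE_LIMIT:
        return "partial"
    return "header"


def encrypted_ranges(size, mode, ratio_pct=10, stripe=1 * MIB, header_len=64 * 1024):
    """Return the list of (offset, length) ranges the given mode would encrypt.

    For 'partial' the file is split into `stripe`-sized stripes and the first
    `ratio_pct` percent of each stripe is encrypted (an assumed interpretation
    of the "Encryption Ratio" value; the real semantics are not published).
    """
    if size == 0:
        return []
    if mode == "full":
        return [(0, size)]
    if mode == "header":
        return [(0, min(header_len, size))]
    if mode == "partial":
        ranges = []
        for off in range(0, size, stripe):
            n = min(stripe, size - off)
            ranges.append((off, max(1, n * ratio_pct // 100)))
        return ranges
    raise ValueError("unknown mode: %r" % mode)


def encrypted_fraction(size, ranges):
    """Share of the original bytes that were overwritten with ciphertext."""
    if size == 0:
        return 0.0
    return sum(length for _, length in ranges) / size


def on_disk_size(original_size):
    """Expected size of the encrypted file: original bytes plus the footer."""
    return original_size + FOOTER_SIZE


if __name__ == "__main__":
    # Constructed sample inventory: (name, size in bytes).
    rules = {"mdf": "full", "vmdk": "partial"}  # constructed operator rules
    for name, size in [("ledger.mdf", 10 * MIB), ("web01.vmdk", 200 * MIB),
                       ("q3.mp4", 300 * MIB), ("notes.txt", 4096)]:
        mode = select_mode(name, size, rules)
        ranges = encrypted_ranges(size, mode)
        print(name, mode, "%.1f%% of bytes encrypted" % (100 * encrypted_fraction(size, ranges)),
              "on disk:", on_disk_size(size))
```

The practical takeaway the model makes visible: a multi-gigabyte database or virtual disk handled in partial or header mode keeps the large majority of its bytes intact, which is why triage should record the mode in use before anyone decides that affected files are a total loss.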
Upon execution, the DragonForce ransomware decrypts its embedded configuration using the ChaCha8 stream cipher before initiating its encryption routines. The encryption_rules option carried in that configuration gives attackers precise control over how different data types are affected, trading speed against severity of damage to suit the specific victim’s environment. This level of customization indicates a sophisticated and adaptive threat that organizations must prepare to defend against.
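Recovering the configuration from a sample means reproducing that ChaCha8 decryption once the key and nonce have been located in the binary. The block below is an added, self-contained implementation of the original (Bernstein) ChaCha construction with a selectable round count, written for this page and not taken from the malware or from the S2W report. It assumes the sample uses the standard 64-bit counter, 64-bit nonce state layout and a 32-byte key; how DragonForce actually stores or derives its key and nonce is not described on the page, so the key, nonce and configuration bytes in the demo are constructed. Because ChaCha is a stream cipher, the same routine both encrypts and decrypts, which is what lets the example verify itself with a round trip.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    # The ChaCha quarter round, applied in place to four words of the state.
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha_block(key, nonce, counter, rounds=8):
    """One 64-byte keystream block.

    Original ChaCha layout: 4 constant words, 8 key words, a 64-bit block
    counter and a 64-bit nonce. `rounds` is the total number of rounds, so
    ChaCha8 is rounds=8 (four column/diagonal double rounds) and ChaCha20 is
    rounds=20. The IETF variant (32-bit counter, 96-bit nonce) differs only in
    how words 12..15 are filled.
    """
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("expected 32-byte key and 8-byte nonce")
    constants = struct.unpack("<4I", b"expand 32-byte k")
    key_words = struct.unpack("<8I", key)
    counter_words = (counter & MASK32, (counter >> 32) & MASK32)
    nonce_words = struct.unpack("<2I", nonce)
    state = list(constants + key_words + counter_words + nonce_words)
    w = state[:]
    for _ in range(rounds // 2):
        _quarter_round(w, 0, 4, 8, 12)   # column rounds
        _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14)
        _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15)  # diagonal rounds
        _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13)
        _quarter_round(w, 3, 4, 9, 14)
    out = [(w[i] + state[i]) & MASK32 for i in range(16)]
    return struct.pack("<16I", *out)


def chacha_xor(key, nonce, data, counter=0, rounds=8):
    """XOR `data` with the ChaCha keystream; encryption and decryption are identical."""
    out = bytearray(len(data))
    for block_index in range(0, len(data), 64):
        ks = chacha_block(key, nonce, counter + block_index // 64, rounds)
        chunk = data[block_index:block_index + 64]
        for i, b in enumerate(chunk):
            out[block_index + i] = b ^ ks[i]
    return bytes(out)


def decrypt_embedded_config(blob, key, nonce):
    """Decrypt an extracted configuration blob with ChaCha8 (hypothetical API)."""
    return chacha_xor(key, nonce, blob, counter=0, rounds=8)


# Constructed demo inputs: a stand-in config and an arbitrary key/nonce. These
# are NOT values from any DragonForce sample.
DEMO_KEY = bytes(range(32))
DEMO_NONCE = b"\x11\x22\x33\x44\x55\x66\x77\x88"
DEMO_CONFIG = b'{"encryption_rules":{"mdf":"full","vmdk":"partial"},"ratio":10}' * 2


def demo_round_trip():
    """Encrypt the constructed config, decrypt it again, return both blobs."""
    blob = chacha_xor(DEMO_KEY, DEMO_NONCE, DEMO_CONFIG)
    return blob, decrypt_embedded_config(blob, DEMO_KEY, DEMO_NONCE)


if __name__ == "__main__":
    blob, recovered = demo_round_trip()
    print("ciphertext:", blob[:16].hex(), "...")
    print("recovered :", recovered.decode())
```

To validate an implementation like this before trusting it on a real sample, run it with rounds=20 against the published all-zero ChaCha20 keystream block (first bytes 76 b8 e0 ad a0 f1 3d 90); the only difference between ChaCha20 and ChaCha8 is the round count, so a correct 20-round result gives confidence in the 8-round path as well.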
The ongoing evolution of DragonForce’s tools and tactics suggests a continued threat to businesses. As the group refines its operations and expands its affiliate network, cybersecurity professionals will need to remain vigilant in detecting and mitigating their activities. Future observations will likely focus on the further development of their recruitment strategies and the potential impact of their more advanced targeting mechanisms on various industry sectors.

