
DragonForce affiliate panel | Image: SentinelOne
A disturbing evolution in the ransomware ecosystem has been exposed by cybersecurity firm SentinelOne, which has published an in-depth analysis of the DragonForce ransomware gang, the threat actor behind recent coordinated attacks on major UK retailers, including Harrods, Marks & Spencer, and the Co-Op.
DragonForce’s origins trace back to Malaysia in August 2023, where it initially operated as a Pro-Palestine hacktivist group. But as SentinelOne notes: “Over time their goals have shifted and expanded… the modern-day operation is focused on financial gain and extortion.”
The group now operates a multi-extortion model, threatening victims with data leaks via public “RansomBay” leak sites and reputational damage.
DragonForce’s scope spans government, commercial, and politically symbolic targets. Past victims include:
- Honolulu OTS
- Government of Palau
- Coca-Cola Singapore
- Ohio State Lottery
- Yakult Australia
They are also known to heavily target law firms and medical practices, and have recently expanded their campaigns to Israel, India, Saudi Arabia, and, most notably, retailers in the UK.
SentinelOne suggests that some components of the UK attacks may be linked to ‘The Com’ threat actor collective, although it emphasizes that this attribution remains inconclusive.
DragonForce commonly uses a blend of techniques to gain initial access:
- Phishing emails
- Credential stuffing against RDP services
- Exploitation of known vulnerabilities, including:
  - CVE-2021-44228 (Log4Shell)
  - CVE-2023-46805, CVE-2024-21887, CVE-2024-21893 (Ivanti Connect Secure)
  - CVE-2024-21412 (Windows SmartScreen bypass)
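One defender-side check for the RDP credential-stuffing vector listed above, added here as an example and not taken from the article or SentinelOne's report: it runs over constructed Windows Security event lines (the field layout, IP addresses and usernames are all made up) and separates the many-accounts-few-attempts stuffing pattern from single-account brute force, noting whether a successful RDP logon followed from the same source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not from the article). 4625 = failed logon,
# 4624 = successful logon; LogonType 10 is RemoteInteractive, i.e. an RDP session.
SAMPLE_LOGS = """\
2025-05-01T02:14:03Z EventID=4625 LogonType=10 TargetUserName=j.smith IpAddress=203.0.113.5
2025-05-01T02:14:04Z EventID=4625 LogonType=10 TargetUserName=a.jones IpAddress=203.0.113.5
2025-05-01T02:14:05Z EventID=4625 LogonType=10 TargetUserName=m.brown IpAddress=203.0.113.5
2025-05-01T02:14:06Z EventID=4625 LogonType=10 TargetUserName=p.patel IpAddress=203.0.113.5
2025-05-01T02:14:09Z EventID=4624 LogonType=10 TargetUserName=p.patel IpAddress=203.0.113.5
2025-05-01T02:20:00Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.7
2025-05-01T02:20:01Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.7
2025-05-01T02:20:02Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.7
2025-05-01T09:00:00Z EventID=4625 LogonType=2 TargetUserName=j.smith IpAddress=-
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$")

def parse(lines):
    """Yield (timestamp, event_id, logon_type, user, ip) for each well-formed line."""
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, int(m["eid"]), int(m["lt"]), m["user"], m["ip"]

def detect_rdp_credential_stuffing(lines, window=timedelta(minutes=5), min_users=4):
    """Flag source IPs whose RDP failures span >= min_users distinct accounts inside one
    window (many users, few tries each = stuffing; one account hammered with many
    passwords is plain brute force and is deliberately not flagged here)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, eid, lt, user, ip in parse(lines):
        if lt == 10 and eid == 4625:       # RemoteInteractive (RDP) failure
            failures[ip].append((ts, user))
        elif lt == 10 and eid == 4624:     # RDP success from the same source
            successes[ip].append(ts)
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        for start, _ in events:
            users = {u for t, u in events if start <= t <= start + window}
            if len(users) >= min_users:    # stuffing shape reached in this window
                hit = any(start <= t <= start + window for t in successes[ip])
                alerts[ip] = {"users": len(users), "followed_by_success": hit}
                break
    return alerts
```

In a real deployment the same logic would read Event IDs 4624/4625 from the Security log and key on the source IP and LogonType fields; the thresholds here are illustrative.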
Once inside, the attackers use tools such as Cobalt Strike, Mimikatz, SystemBC, and PingCastle to escalate privileges and maintain persistence.
DragonForce’s ransomware began as a LockBit 3.0/Black clone but has evolved. Today, the malware is a bespoke creation based on the Conti v3 codebase, using AES and, increasingly, ChaCha8 for encryption.
Affiliates can customize payloads via a web-based panel, modifying:
- File extensions and names
- Execution delays
- Encryption scope and modes
- Ignored files/VMs
- Campaign behavior
“Currently, DragonForce affiliates can build multiple variants of the DragonForce ransomware, tailored to specific platforms including Windows, Linux, ESXi, and NAS-specific encryptors,” SentinelOne explains.
Perhaps the most alarming development is DragonForce’s transformation into a full-fledged Ransomware-as-a-Service cartel. In 2025, the gang launched RansomBay, a leak site where affiliates can publish stolen data. DragonForce claims to take a 20% share of successful ransomware payouts, allowing the affiliate to keep 80%.
This white-labeling service allows affiliates to launch attacks under unique names, obfuscating DragonForce’s direct involvement. This mirrors similar strategies from RansomHub and Dispossessor, marking DragonForce’s intent to become a leading player in the ransomware underground economy.