DragonForce Ransomware: From Hacktivism to High-Street Extortion

For months, some of the most recognisable retail names in the UK have been hit by what first looked like isolated outages but, in retrospect, was a coordinated wave. Disruptions at Harrods, Marks & Spencer, and Co-op that affected payments, stock inventories, and even payroll processing show that DragonForce is no longer just an outspoken hacktivist gang. It is a ransomware operation intent on making money, and it has learned to do both at the same time.

Identity and Motivation

DragonForce first appeared in August 2023. The group’s history features Malaysian connections and a pro-Palestinian hacktivist stance, but it quickly moved to classic multi-extortion: steal the data, encrypt it, and apply public-relations pressure for leverage. They refer to themselves as a ransomware “cartel”, and the label is significant. Around a core of operators sit an affiliate ecosystem and leak infrastructure, which together provide scale and blur attribution. The result is a flexible, franchise-like model: the core develops the tooling and sets the narrative, and affiliates execute with local knowledge and varying degrees of tradecraft.

The victim list attributed to DragonForce and its orbit shows a preference for high-impact targets across sectors and geographies: Honolulu OTS (Oahu Transit Services), the Government of Palau, Coca-Cola (Singapore), the Ohio State Lottery, and Yakult Australia have all been named in open reporting. Not every claim can be verified, but the pattern is consistent: pick organisations that cannot tolerate downtime and that generate headlines when they fail.

Targeting and Recent Developments

DragonForce’s sector appetite is broad: government, retail, legal, healthcare, tech, and utilities. Recent activity, however, shows a strong lean toward UK retail. Some reporting suggests that affiliates, rather than the core operators, were the hands on keyboard in the British incidents. Open-source analysis notes tactical overlap with Scattered Spider/The Com, but attributions vary and the community is rightly cautious, as it should be in today’s à la carte ransomware economy.

The business model evolved again in early 2025, when the group began offering white-label branding and RansomBay leak portals. In practice, affiliates can re-skin DragonForce payloads and operate under their own brands while revenue flows upstream. For defenders this means many logos moving around the board, and incident responders risk spending more time on the question of “which group” than on containing the blast radius. The brand is the least important part of the tradecraft; the monetisation engine keeps churning underneath.

TTPs: How They Get In and Stay In

Initial access is where the damage starts. DragonForce and its associates rely on phishing and social engineering, but they also keep probing the perimeter: VPN and edge-device vulnerabilities, exposed RDP, credential reuse, and so on. Once inside, they use the same commodity and red-team tooling seen across the ransomware ecosystem: Cobalt Strike, Mimikatz, Advanced IP Scanner, PingCastle, and ordinary remote-monitoring tools that blend into normal administration. None of this is exotic; the risk is how quickly these elements can be chained into an effective intrusion.

Vulnerabilities that recur in historic intrusions:

• CVE-2021-44228 (Log4Shell, Apache Log4j2)

• CVE-2023-46805, CVE-2024-21887, CVE-2024-21893 (Ivanti Connect Secure chains)

• CVE-2024-21412 (Windows SmartScreen bypass)

For persistence and command and control, SystemBC is the most frequently cited tool, providing SOCKS5 proxying and tunnelling through the compromised host and a reliable staging channel. Data exfiltration rarely relies on bespoke malware; it typically goes out over MEGA, WebDAV, or SFTP, commodity services and standard protocols that let the adversary hide in plain sight, the exfiltration equivalent of living off the land (LOTL).

On payloads and encryptors, the earliest DragonForce samples appear to have been built directly from the leaked LockBit 3.0 (LockBit Black) builder, while more recent samples derive from a Conti v3 code base. The crypto stack is generally a hybrid of AES for file contents with RSA protecting the keys; some reporting mentions ChaCha8 variants chosen for speed. Cross-platform builds target Windows, Linux, ESXi, and NAS. Extensive command-line options let operators fine-tune discovery, VM handling, and threading, practical controls that reduce operator error and shorten encryption time.

Timeline at a Glance

  • 2023: Prominent hacktivist framing; shift toward ransomware begins.
  • 2024: Victim set widens across APAC and beyond; both public and private sectors feel the impact.
  • 2025: White-label programme and RansomBay go live; a UK retail wave in April–May; arrests tied to the UK incidents raise the likelihood of affiliate-led operations and cross-group links.

Indicators of Compromise (Selected)

Ransom note SHA-1:

  • 343220b0e37841dc002407860057eb10dbeea94d
  • ae2967d021890a6a2a8c403a569b9e6d56e03abd
  • c98e394a3e33c616d251d426fc986229ede57b0f
  • f710573c1d18355ecdf3131aa69a6dfe8e674758

Payload SHA-1 (sample set):

  • 011894f40bab6963133d46a1976fa587a4b66378
  • 0b22b6e5269ec241b82450a7e65009685a3010fb
  • 196c08fbab4119d75afb209a05999ce269ffe3cf
  • a4bdd6cef0ed43a4d08f373edc8e146bb15ca0f9
  • eada05f4bfd4876c57c24cd4b41f7a40ea97274c

Onion leak/portal:

  • rrrbay3nf4c2wxmh[…]
  • rrrbayguhgtgxr[…]
  • 3pktcrcbmssvrnwe[…] associated with RansomBay and victim portals.

Tip: Treat IoCs as starting points, not oracles. Pivot on file metadata, command-line flags, SystemBC tunnelling, and web-protocol exfil to surface related activity in your own telemetry.

Defence: Where to Begin

Reduce the points of entry. Patch perimeter devices immediately (Ivanti Connect Secure included) and assume that any exposed edge device will be exploited within a day of a vulnerability becoming public, even if it has not happened to you yet. Require MFA on VPN and RDP, remove weak or legacy access protocols, and raise your email security posture with SPF, DKIM, and DMARC. Where you can, detonate risky attachments in a sandbox. Keep phishing awareness current: few technical controls matter if a user simply types a password into a fake page.

Detect and contain as early as possible. Proactively hunt for Cobalt Strike beacons, SystemBC tunnels, suspicious PowerShell and WMI execution, and Mimikatz artefacts. Alert on bulk outbound traffic to MEGA, SFTP, or WebDAV, on enumeration of ESXi hosts and virtual machines, and on atypical file open/write activity at scale, which often precedes ransomware-style encryption. Segment networks as far as you can, enforce least privilege, monitor access to backup control planes, and keep immutable and/or offline backup copies so that a full restore is always possible.
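As an added illustration of the alerting described in this section and of the MEGA/WebDAV/SFTP exfiltration noted in the TTP section (example code written for this page, not Brandefense tooling and not anything recovered from DragonForce), the following Python applies two behavioural rules to constructed log lines: a per-source, per-day byte total toward MEGA, WebDAV, or SFTP, and a per-process write-burst count spread across many directories. The log formats, thresholds, hostnames, and process names are assumptions.

```python
"""Two hunting rules for patterns the text calls out: bulk outbound transfers
to MEGA / WebDAV / SFTP and high-rate file writes by a single process, the
precursor of ransomware-style encryption.  Added illustration, not Brandefense
or DragonForce tooling; log formats, field order, and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

GIB = 1024 ** 3
BULK_BYTES_PER_DAY = 1 * GIB   # assumed: flag a source sending >= 1 GiB/day per channel
WRITE_BURST = 200              # assumed: writes by one process within one minute
BURST_DIRS = 20                # assumed: distinct directories touched in that minute

# Assumed proxy/firewall format: "ts src_ip dst_host dst_port http_method bytes_out"
# ("-" as the method for non-HTTP flows).  Constructed sample, not real telemetry.
PROXY_LOG = """\
2025-04-20T02:01:10 10.0.5.17 g.api.mega.co.nz 443 POST 524288000
2025-04-20T02:03:42 10.0.5.17 g.api.mega.co.nz 443 POST 734003200
2025-04-20T02:05:01 10.0.5.17 g.api.mega.co.nz 443 POST 629145600
2025-04-20T03:10:00 10.0.7.9 dav.example.net 443 PUT 900000000
2025-04-20T03:11:00 10.0.7.9 dav.example.net 443 PUT 300000000
2025-04-20T09:12:03 10.0.8.44 intranet.example.local 443 GET 20480
2025-04-20T11:40:00 10.0.9.2 203.0.113.9 22 - 1258291200
"""

MEGA_SUFFIXES = ("mega.co.nz", "mega.nz")
# PROPFIND/MKCOL/MOVE are WebDAV-only verbs; PUT is a coarse upload indicator
# that only matters here because the rule also requires volume.
WEBDAV_METHODS = {"PUT", "PROPFIND", "MKCOL", "MOVE"}


def classify_channel(dst_host, dst_port, method):
    """Map one flow to an exfil channel named in the text, or None."""
    host = dst_host.lower()
    if host.endswith(MEGA_SUFFIXES):
        return "mega"
    if dst_port == 22:            # SFTP is an SSH subsystem; volume on 22 is the tell
        return "sftp"
    if method in WEBDAV_METHODS:
        return "webdav"
    return None


def find_bulk_exfil(log_text, threshold=BULK_BYTES_PER_DAY):
    """Sum bytes_out per (src, channel, day) and return tuples over threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        ts, src, host, port, method, nbytes = line.split()
        channel = classify_channel(host, int(port), method)
        if channel is None:
            continue
        day = datetime.fromisoformat(ts).date().isoformat()
        totals[(src, channel, day)] += int(nbytes)
    return sorted((src, ch, day, b) for (src, ch, day), b in totals.items()
                  if b >= threshold)


# Assumed endpoint file-event format: "ts host pid process op path".  Constructed:
# one process rewriting 260 files across 26 directories inside a minute, plus
# benign background activity.  Process and path names are invented.
def build_sample_file_events():
    base = datetime(2025, 4, 20, 2, 30, 0)
    events = []
    for i in range(260):
        ts = (base + timedelta(milliseconds=200 * i)).isoformat(timespec="milliseconds")
        events.append(f"{ts} FS01 4120 update.exe write D:\\shares\\dept{i % 26}\\doc{i}.docx")
    events.append("2025-04-20T02:30:05.000 FS01 812 explorer.exe write C:\\Users\\a\\notes.txt")
    events.append("2025-04-20T02:30:09.000 FS01 812 explorer.exe read C:\\Users\\a\\notes.txt")
    return events


def find_write_bursts(events, burst=WRITE_BURST, min_dirs=BURST_DIRS):
    """Per (host, pid, process, minute), count writes and distinct parent
    directories; return tuples that exceed both thresholds."""
    writes = defaultdict(int)
    dirs = defaultdict(set)
    for line in events:
        ts, host, pid, proc, op, path = line.split(maxsplit=5)
        if op != "write":
            continue
        minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        key = (host, pid, proc, minute.isoformat())
        writes[key] += 1
        dirs[key].add(path.rsplit("\\", 1)[0])
    return sorted(key + (n, len(dirs[key])) for key, n in writes.items()
                  if n >= burst and len(dirs[key]) >= min_dirs)


if __name__ == "__main__":
    for alert in find_bulk_exfil(PROXY_LOG):
        print("bulk exfil:", alert)
    for alert in find_write_bursts(build_sample_file_events()):
        print("write burst:", alert)
```

The two rules deliberately combine a protocol or destination match with a volume or rate condition: a single PUT to a WebDAV share or one SSH session is normal, but a gigabyte per day from one host, or hundreds of rewrites across dozens of directories in a minute, is the shape of the activity the text describes. Tune the thresholds against your own baseline before deploying anything like this.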

Rehearse the response. Write a ransomware-in-progress playbook and practise it: isolate affected segments, cut exfiltration channels, and engage external incident response quickly. Validate RTO and RPO every three months, and run tabletop exercises that include executive communications and brand-risk scenarios. Retailers live and die by trust and uptime, so make sure your communications can keep pace with extortion campaigns designed to shock customers, scare suppliers, and, at worst, confuse the press.

Why Retail and Why the UK?

Retail is intrinsically brittle under stress: high transaction volumes, tightly coupled systems, and time-constrained operations mean that even a small fault can propagate into a large problem downstream. Point-of-sale, e-commerce, warehouse management, payroll and the rest are interdependent; knock one out and the pain cascades elsewhere. In the UK in particular, where retail brands are household names and the media cycle is relentless, operational disruption carries an additional multiplier of extortion value. DragonForce and its affiliates understand the arithmetic of attention: pick targets where disruption is visible and therefore monetisable. White-label branding adds a further twist, letting a single operator hit multiple companies under different banners, which muddies both the public story and defenders’ efforts to connect the incidents.

Why Attribution Is Hard

Attribution is always challenging in cybercrime, and the current ecosystem makes it harder still. Add a cartel-style RaaS, frequent updates, affiliates, and rented tooling, and the fingerprint becomes noise. One incident may carry code traceable to Conti v3, the next may deploy LockBit-derived elements, and the next may use only SystemBC. New exploit chains surface almost daily, which does not help either. Defenders should take a wider view than individual signatures and IoCs, and weight workflow, timing, C2 patterns, and the flow of money instead. These behavioural layers are harder to disguise and usually outlast both the brand name and the ransom-note template.

The Bottom Line

Today DragonForce has the appearance of a commercial business while still drawing on a hacktivist playbook for coercion. The cartel-style RaaS, the white-label brands, and the willingness to hit high-street names make it a threat beyond any single malware family or CVE. Expect opportunistic exploitation of edge flaws, continued affiliate experimentation, and reputational blackmail aimed squarely at customer-facing brands. Looking like activists does not make them moral or aligned with any public good. There is no silver bullet, only a few pragmatic habits: harden email, identity, and cloud-edge security; practise detecting and containing quickly; and test restores until it becomes boring. The next extortion campaign will come knocking, and when it does, boredom is exactly what you want.
