May 7, 2025
DragonForce Threat Profile: The Rising Ransomware Gang Targeting UK Retailers
By Alison Frost, Threat Specialist at Adarma
DragonForce Ransomware, the gang recently linked to cyber-attacks against Marks and Spencer, Co-Op, and Harrods, is an emerging Ransomware-as-a-Service (RaaS) operation.
The group rents ransomware tools and infrastructure to a broad affiliate base, thereby lowering the cybercrime barrier to entry and enabling even relatively unskilled threat actors to carry out high-impact ransomware campaigns.
Recent media reporting has caused some confusion about the group’s evolution, with some outlets incorrectly labelling them as former hacktivists. It is important to clarify that we understand DragonForce Ransomware to be entirely separate from the hacktivist group DragonForce Malaysia, who have publicly disavowed any association with the ransomware operation.
Who Are DragonForce Ransomware?
DragonForce Ransomware has rapidly escalated the scale and impact of its operations. The group has adopted a flexible model that allows affiliates to deploy either encryption-only or exfiltration-plus-encryption payloads. The latter supports double extortion attacks, in which the attackers threaten to publish stolen data in order to coerce victims into paying the ransom.
Recent intelligence indicates DragonForce Ransomware has exploited vulnerabilities in the infrastructure of rival ransomware groups, including BlackLock, formerly known as Eldorado, and RansomHub. Whether these incidents represent hostile takeovers or strategic partnerships remains unclear, but the group’s technical aggression highlights its ambition to expand its influence in the RaaS ecosystem. Adarma will keep monitoring and evaluating this pairing to see if the groups unite.
In the attacks on Marks and Spencer and Co-Op, DragonForce Ransomware affiliates reportedly collaborated with Scattered Spider, a decentralised cybercriminal group known for social engineering and working with multiple ransomware collectives. Harrods was also named in a May 2025 claim by DragonForce Ransomware affiliates, although the retailer has not publicly confirmed this attribution at the time of writing.
DragonForce’s Key Tactics, Techniques and Procedures (TTPs)
DragonForce Ransomware employs a combination of well-established and adaptive tactics to gain access, maintain persistence, and execute double extortion ransomware attacks. Their typical TTPs include the following:
Initial access tactics:
- Phishing emails to steal credentials and deploy malware
- Exploitation of known vulnerabilities in internet-facing devices
- Credential stuffing attacks using stolen or leaked passwords
Post-compromise activities:
- Privilege escalation and persistence using tools such as Advanced IP Scanner, Mimikatz, and PingCastle
- Malware propagation using T1105 techniques to replicate across directories
- Disabling security controls, including antivirus software and system logs, to evade detection
- Command and Control communications to exfiltrate system data, coordinate attacks, and track and manage infected victim environments
Ransomware deployment:
- Encryption of data using robust algorithms such as RSA and AES-256 (T1486)
- Data exfiltration to enable double extortion through their data leak site
- Sophisticated data harvesting to prioritise high-value information, including credentials, system configurations, and sensitive corporate data
- Ransom notes typically named README.txt, directing victims to .onion sites for negotiation and payment
How to Mitigate Your Organisation’s Risk
DragonForce Ransomware has executed significant attacks across multiple sectors and regions, including incidents involving Coca-Cola Singapore, Yakult Australia, the Ohio State Lottery, and the Government of Palau.
Given the group’s recent activity in the UK retail sector and its evolving alliances, organisations should remain vigilant and adopt the following mitigations:
- Train IT helpdesk and support staff to recognise social engineering and enforce strict verification protocols for user support requests
- Enforce Multi-Factor Authentication wherever feasible
- Implement a least privilege policy in Active Directory to limit user permissions to essential tasks
- Apply patches promptly for operating systems, firmware, and especially internet-facing services
- Monitor for unauthorised remote access tools and enforce policies to detect or block software such as TeamViewer or AnyDesk
- Deploy Endpoint Detection and Response and network monitoring tools for real-time visibility into suspicious activity
- Maintain and regularly test offline backups of critical systems and data
- Audit for credential stuffing attempts and enforce strict lockout policies for failed login attempts
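The credential stuffing pattern listed above (many distinct usernames failing from one source in a short window) can be picked out of authentication logs with a simple sliding-window rule. The following is an added example, not code from Adarma or from the original post; it assumes a simplified sshd-style log format, and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (simplified sshd format); not from any real incident.
SAMPLE_LOG = """\
2025-05-01T09:00:01 host1 sshd: Failed password for alice from 203.0.113.5 port 5101
2025-05-01T09:00:02 host1 sshd: Failed password for bob from 203.0.113.5 port 5102
2025-05-01T09:00:03 host1 sshd: Failed password for carol from 203.0.113.5 port 5103
2025-05-01T09:00:04 host1 sshd: Failed password for dave from 203.0.113.5 port 5104
2025-05-01T09:00:05 host1 sshd: Accepted password for erin from 203.0.113.5 port 5105
2025-05-01T09:00:06 host1 sshd: Failed password for alice from 198.51.100.7 port 6001
2025-05-01T09:00:40 host1 sshd: Failed password for alice from 198.51.100.7 port 6002
2025-05-01T09:01:10 host1 sshd: Accepted password for alice from 198.51.100.7 port 6003
"""

LINE_RE = re.compile(
    r"^(\S+) \S+ sshd: (Failed|Accepted) password for (\S+) from (\S+) port \d+$"
)

def parse(log_text):
    """Parse log lines into (timestamp, outcome, user, source_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, ip))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=4):
    """Return {source_ip: (distinct_users_failed, success_seen_afterwards)} for
    sources whose failed logins hit at least `min_users` distinct accounts within
    `window`. Many distinct usernames from one source is what separates stuffing
    or spraying from a single user mistyping their own password."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[3]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "Failed"]
        for i, start in enumerate(fails):
            in_window = [e for e in fails[i:] if e[0] - start[0] <= window]
            users = {e[2] for e in in_window}
            if len(users) >= min_users:
                # A success from the same source after the burst is the high-priority case.
                success_after = any(e[1] == "Accepted" and e[0] >= start[0] for e in evs)
                findings[ip] = (len(users), success_after)
                break
    return findings
```

Tune `window` and `min_users` to the normal failure rate of the service being monitored; a repeated failure by one account from one source (the second IP in the sample) is left to the lockout policy rather than flagged here.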