DragonForce Ransomware Gang Expands Operations, Targets 120+ Organizations Worldwide
The DragonForce ransomware gang has compromised over 120 organizations globally in the past year, evolving from a ransomware-as-a-service (RaaS) model into a full-fledged ransomware cartel. According to a report by Bitdefender, the group gains initial access through phishing, credential stuffing, and the exploitation of critical vulnerabilities, including CVE-2024-21412, CVE-2024-21887, and CVE-2024-21893.
Once inside networks, DragonForce employs living-off-the-land (LotL) techniques to maintain persistence and move laterally, evading detection. In one high-profile intrusion last year, the group demanded a $7 million ransom, underscoring its financial motivations.
Beyond its own operations, DragonForce has aggressively expanded its influence by partnering with other RaaS groups and attempting to take over rival operations, including LockBit and RansomHub. The gang has vandalized competitors’ data leak sites and targeted their attack infrastructure in a bid to dominate the ransomware landscape. These tactics signal a shift toward consolidation and heightened competition among cybercriminal syndicates.
Source: https://www.scworld.com/brief/dragonforce-victimization-on-the-rise-report-finds
Drakontas LLC cybersecurity rating report: https://www.rankiteo.com/company/drakontas-llc
"id": "DRA1766628480",
"linkid": "drakontas-llc",
"type": "Ransomware",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'location': 'Worldwide'}],
'attack_vector': ['Phishing',
'Credential Stuffing',
'Exploitation of Vulnerabilities'],
'data_breach': {'data_encryption': 'Yes'},
'description': 'More than 120 organizations across various industries '
'worldwide have been compromised by the DragonForce ransomware '
'gang, which has shifted from a ransomware-as-a-service to a '
'ransomware cartel operation over the past 12 months. '
'DragonForce achieved initial access via phishing, credential '
'stuffing, and exploitation of multiple security flaws, '
'including CVE-2024-21412, CVE-2024-21887, and CVE-2024-21893. '
'The gang used living-off-the-land techniques for persistence '
'and lateral movement. DragonForce has also entered '
'partnerships with other RaaS operations and attempted to take '
'over gangs like LockBit and RansomHub to assert dominance in '
'the ransomware threat landscape.',
'motivation': 'Financial Gain, Dominance in Ransomware Threat Landscape',
'ransomware': {'data_encryption': 'Yes',
'ransom_demanded': '$7 million (in a past intrusion)',
'ransomware_strain': 'DragonForce'},
'recommendations': 'Organizations should bolster their defenses and '
'mitigations against the ransomware operation.',
'references': [{'source': 'GBHackers News'}, {'source': 'Bitdefender Report'}],
'threat_actor': 'DragonForce Ransomware Gang',
'title': 'DragonForce Ransomware Gang Compromises Over 120 Organizations '
'Worldwide',
'type': 'Ransomware',
'vulnerability_exploited': ['CVE-2024-21412',
'CVE-2024-21887',
'CVE-2024-21893']}