Full Report
Sophos has observed DragonForce attacking rival ransomware operators including RansomHub as it seeks to expand its reach in the cybercrime marketplace
Analysis Summary
# Threat Actor: DragonForce
## Attribution & Identity
- **Identification:** Ransomware operator active in the cybercrime marketplace, running its own Ransomware-as-a-Service (RaaS) offering.
- **Aliases and Associations:** Rebranded itself as a 'cartel' in March 2025. Implicated in the infrastructure outage that hit **RansomHub**. **Scattered Spider** reportedly used DragonForce infrastructure in its attacks on UK retailers.
## Activity Summary
- DragonForce is engaged in a "turf war" with rival ransomware operators as it seeks market dominance.
- Linked to the infrastructure outage that took RansomHub offline in late March 2025, possibly the result of a hostile takeover attempt.
- Began actively targeting rivals after its March 2025 rebrand as a 'cartel', with the stated aim of expanding its reach.
- Operates a RaaS model dubbed "RansomBay," launched in early 2025, under which affiliates may deploy the ransomware under their own brand.
## Tactics, Techniques & Procedures
- **Ransomware-as-a-Service (RaaS) Model:** Offers a white-label service (RansomBay) in which affiliates use DragonForce's infrastructure and tooling under a brand name of their own choosing.
- **Affiliate Compensation Structure:** Affiliates hand 20% of each ransom payment to DragonForce and keep the remainder.
- **Infrastructure Support:** DragonForce runs the underlying infrastructure, provides technical support, and hosts the leak sites on behalf of affiliates.
- **Tactical Interference:** Directly attacks or disrupts rival RaaS infrastructure (e.g., the RansomHub outage) rather than competing only for affiliates.
## Targeting
- **Sectors:** Retail. The named victims, Marks and Spencer (M&S) and the Co-operative Group, were hit by affiliates using DragonForce infrastructure.
- **Geography:** Not stated explicitly in the source; both named victims are UK organizations.
- **Victims:** Marks and Spencer (M&S) and the Co-operative Group, attacked by Scattered Spider using DragonForce infrastructure.
## Tools & Infrastructure
- **Malware Families Used:** DragonForce's own ransomware, which RansomBay affiliates may deploy under their own brand. The source names no other tools or loaders.
- **Infrastructure:** Provides and maintains leak-site hosting and technical-support infrastructure for affiliates.
- **C2/URLs:** None given in the source.
## Implications
DragonForce is moving toward a more organized, cartel-like structure within the ransomware ecosystem, pursuing dominance by aggressively sabotaging competitors such as RansomHub while recruiting affiliates through RansomBay. The white-label model lowers the barrier to entry for affiliates, who need only an intrusion capability and a brand name, while DragonForce keeps centralized control over the components that matter most: the ransomware itself, the supporting infrastructure, and the leak sites.
## Mitigations
- Track outages and takeovers affecting rival RaaS platforms (as with RansomHub); a disrupted rival is a signal that its affiliates may be shifting to DragonForce and that victim volume under new brand names may follow.
- Do not rely on ransom-note or leak-site branding for attribution. A RansomBay affiliate operating under its own name is still deploying DragonForce's ransomware and using DragonForce-hosted infrastructure, so detections and response playbooks built for DragonForce should be applied to any such brand.
- Organizations, retailers in particular, should assume that affiliates backed by DragonForce's infrastructure, technical support, and leak-site hosting are capable operators; the M&S and Co-operative Group intrusions attributed to Scattered Spider using DragonForce infrastructure illustrate the risk.