Full Report
The DragonForce Ransomware Cartel has quickly gained notoriety and staked its claim on the threat landscape. Rivals are going dark, and accusations of exit scams and government cooperation are popping up on the forums. What's going on?
Analysis Summary
# Threat Actor: DragonForce Ransomware Cartel (DFRC)
## Attribution & Identity
The threat actor is known as the **DragonForce Ransomware Cartel (DFRC)**, which pivoted to a Ransomware-as-a-Service (RaaS) model and announced in March 2025 that it was operating as a cartel. Attribution is deliberately obscured, and DFRC is cultivating an image of danger and power by trading on the "DragonForce" name.
**Associated Groups/Potential Confusion:**
* **DragonForce Malaysia (DFM):** A hacktivist collective with historical ties to Malaysia. While circumstantial evidence (shared region/name, disruptive actions) suggests a possible link to DFRC, DFM has officially denied any connection, stating their motives are against oppression, whereas DFRC is profit-motivated extortion. DFM focuses on hacktivism, not ransomware.
## Activity Summary
DFRC began listing victims and leaking stolen data on a dedicated leak site in 2024 before transitioning to a RaaS model. In March 2025, they began inviting other groups to join the cartel structure. Recent activities include:
* Compromising a Managed Service Provider (MSP) application in a supply chain attack to target the provider's customers.
* Alleged responsibility for a data theft impacting over 10,000 members of an unnamed Co-op organization.
* Alleged involvement in an attack against Harrods (unconfirmed attribution).
* Cartel members compromised at least 15 industrial targets.
## Tactics, Techniques & Procedures
The distinguishing TTPs appear to align with typical financially motivated ransomware operations, contrasting sharply with the hacktivist TTPs of DFM.
* Ransomware-as-a-Service (RaaS) operations.
* Data extortion facilitated via a dedicated leak site.
* Supply chain compromise (targeting RMM software/MSP applications).
* TTPs observed in DFRC operations but not in DFM's hacktivist activity include privilege escalation, credential access, and data exfiltration. These are standard for a financially motivated extortion model, and their absence from DFM activity weakens the alleged connection between the two.
## Targeting
* Sectors: Industrial targets (at least 15 victims) and Managed Service Providers (MSPs), with the MSPs' downstream customers reached through the compromised MSP application.
* Geography: Unspecified, but there is a potential connection/speculation related to Malaysia based on association with DFM.
* Victims: Unnamed Co-op organization (10,000+ members' data exposed), alleged target Harrods, various unnamed industrial victims.
## Tools & Infrastructure
* Malware families used: DragonForce Ransomware.
* Infrastructure: Dedicated leak site for victim data publication.
## Implications
DFRC presents a growing threat due to its adoption of the cartel/RaaS model, which contributes to the fluidity of the threat landscape by allowing rapid growth and easy rebranding by actors. Their use of supply chain attacks via MSP compromise significantly broadens their potential victim pool. If unchecked, the cartel structure may lead to increased frequency and sophistication of attacks.
## Mitigations
* Implement out-of-band emergency communications protocols so incident coordination does not depend on systems the attacker may control or have encrypted.
* Adhere strictly to standard best practices: regular data backups that are segregated from the production network (offline or otherwise isolated so a domain-wide compromise cannot reach them) and periodically tested for restoration, following CISA guidance.
* Ensure timely patch management across all systems, especially RMM software used by MSPs, since a compromised RMM platform gives the attacker a ready-made channel to every managed customer.
* Track leak-site and forum activity for signs of rebranding or merging (victims reappearing under a new brand, rival sites going quiet, affiliates announcing a move) so that detection content and intelligence keyed to group names does not silently lose coverage.
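The last point is easier to act on with a small amount of tooling. The script below is an added example, not part of the original report or of any vendor's product: it takes a list of leak-site postings (the names of groups and victims here are constructed placeholders, not real listings) and computes two signals analysts use when a cartel or rebrand is suspected: victims that reappear on a second site after first being listed elsewhere, and sites whose posting activity has stopped. Victim names are normalized so that minor formatting differences between sites do not hide a match.

```python
"""Leak-site overlap and go-dark check (added example with constructed data)."""
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample of leak-site postings. Site and victim names are
# invented placeholders for this example, not real groups or victims.
POSTS = [
    {"site": "groupA", "victim": "Acme Industrial Ltd.", "posted": "2025-02-10"},
    {"site": "groupA", "victim": "Northwind Logistics Inc", "posted": "2025-02-25"},
    {"site": "groupB", "victim": "Contoso Co-op", "posted": "2025-03-01"},
    {"site": "dragonforce", "victim": "ACME INDUSTRIAL", "posted": "2025-03-22"},
    {"site": "dragonforce", "victim": "Northwind Logistics", "posted": "2025-03-28"},
    {"site": "dragonforce", "victim": "Fabrikam Manufacturing", "posted": "2025-04-02"},
    {"site": "groupB", "victim": "Tailspin Toys", "posted": "2025-04-05"},
]

# Corporate suffixes that leak sites include inconsistently.
_SUFFIXES = {"ltd", "inc", "llc", "plc", "corp", "gmbh", "limited"}


def normalize(name: str) -> str:
    """Lower-case, strip punctuation and common suffixes, so that
    'Acme Industrial Ltd.' and 'ACME INDUSTRIAL' compare equal."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(t for t in tokens if t not in _SUFFIXES)


def victim_overlap(posts):
    """Return {normalized victim: [(site, first_post_date), ...]} for every
    victim that appears on more than one site, in order of first listing."""
    seen = defaultdict(list)
    for p in sorted(posts, key=lambda p: p["posted"]):
        key = normalize(p["victim"])
        if p["site"] not in [s for s, _ in seen[key]]:
            seen[key].append((p["site"], p["posted"]))
    return {v: sites for v, sites in seen.items() if len(sites) > 1}


def migration_ratio(posts, old_site: str, new_site: str) -> float:
    """Fraction of new_site's victims that were listed on old_site first.
    A high ratio, combined with old_site going quiet, is the pattern behind
    a rebrand or merger hypothesis; a low ratio argues against it."""
    overlap = victim_overlap(posts)
    new_victims = {normalize(p["victim"]) for p in posts if p["site"] == new_site}
    if not new_victims:
        return 0.0
    migrated = 0
    for v in new_victims:
        order = [s for s, _ in overlap.get(v, [])]
        if old_site in order and new_site in order \
                and order.index(old_site) < order.index(new_site):
            migrated += 1
    return migrated / len(new_victims)


def dark_sites(posts, as_of: str, quiet_days: int = 30):
    """Sites whose most recent post is more than quiet_days before as_of
    (ISO date string). Sorted for stable output."""
    last = {}
    for p in posts:
        d = date.fromisoformat(p["posted"])
        last[p["site"]] = max(last.get(p["site"], d), d)
    cutoff = date.fromisoformat(as_of) - timedelta(days=quiet_days)
    return sorted(site for site, d in last.items() if d < cutoff)


if __name__ == "__main__":
    for victim, sites in victim_overlap(POSTS).items():
        print(f"{victim}: {' -> '.join(s for s, _ in sites)}")
    print("groupA -> dragonforce migration:",
          round(migration_ratio(POSTS, "groupA", "dragonforce"), 2))
    print("quiet sites as of 2025-04-10:", dark_sites(POSTS, "2025-04-10"))
```

On the constructed data, two of the three victims listed on the new site were previously posted by groupA, and groupA has been silent for more than 30 days; that combination is what an analyst would flag for follow-up, not proof of a rebrand on its own. Swap in a real scrape of leak-site postings and adjust `_SUFFIXES` and `quiet_days` to local conventions.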