Full Report
DragonForce is a ransomware group that first emerged on December 13, 2023, when a user identified as @dragonforce on BreachForums uploaded stolen data. The group developed and deployed its own ransomware based on the leaked LockBit 3.0 (LockBit Black) and Conti source code. As of January 2026, we confirmed that the LockBit 3.0–based DragonForce builder is no longer available. DragonForce has been expanding its operational scope through attacks on other groups as well as through cooperative relationships, which is assessed as an effort to strengthen its position within the ransomware ecosystem.
Analysis Summary
# Threat Actor: DragonForce
## Attribution & Identity
* **Primary Identification:** DragonForce
* **Aliases/Known Associations:**
    * Associated with the BreachForums user `@dragonforce` (who first announced their activity).
    * The group appears to engage in cooperation with, or attacks on, other ransomware groups, indicating an effort to strengthen its position within the ransomware ecosystem.
## Activity Summary
* **Emergence:** First publicly emerged on December 13, 2023, via a data leak post on BreachForums.
* **Recent Developments (as of January 2026):** The LockBit 3.0–based DragonForce builder was confirmed to be no longer available.
* **Operational Strategy:** Expanding operational scope through attacks on other threat groups and entering cooperative relationships.
## Tactics, Techniques & Procedures
* **Ransomware Development:** Developed and deployed proprietary ransomware derived from the leaked source code of **LockBit 3.0 (LockBit Black)** and **Conti**.
* **Deployment:** Deployed its own ransomware variant.
* **TTPs Mentioned:**
    * Data Exfiltration (implied by uploading stolen data to BreachForums).
    * Locker/Ransomware usage.
* **MITRE ATT&CK IDs:** Not specified in the report.
## Targeting
* **Sectors:** Not specified in the report.
* **Geography:** Not specified in the report.
* **Victims:** No specific organizations are mentioned in the report.
## Tools & Infrastructure
* **Malware Families Used:** Custom ransomware based on LockBit 3.0/Conti (the builder was confirmed unavailable as of Jan 2026).
* **Infrastructure (C2, domains, IPs):** Not specified in the report.
## Implications
* DragonForce demonstrated rapid development capabilities by leveraging and adapting existing advanced ransomware source code (LockBit 3.0/Conti).
* The group is strategically evolving its operational model, attempting to establish itself within the broader ransomware ecosystem through coercion or cooperation rather than only targeting end users.
* The disappearance of the builder suggests a potential disruption or a shift in operational mechanics by January 2026.
## Mitigations
* The report does not detail actor-specific mitigations. Based on what it does describe, defenses should focus on protecting against known ransomware TTPs, particularly those stemming from LockBit/Conti variants.