Full Report
The CCB has published a detailed threat actor profile on DragonForce, a rapidly expanding Ransomware-as-a-Service (RaaS) operator that has compromised over 400 organisations worldwide, including two Belgian entities in the construction and business services sectors. This report provides an in-depth assessment of the group's origin, tactics, targeting patterns, and recommended defences.
Analysis Summary
# Threat Actor: DragonForce
## Attribution & Identity
* **Actor Type:** Ransomware-as-a-Service (RaaS) operator.
* **Origin:** Likely Russian or Commonwealth of Independent States (CIS) based; operational mandates explicitly prohibit targeting CIS/Russian entities.
* **Associations:** Operates as a "cartel" structure; known to have absorbed or displaced rival groups such as **BlackLock** and **RansomHub**.
* **Motivation:** Purely financially motivated; no evidence of nation-state sponsorship or ideological affiliation.
## Activity Summary
DragonForce is a rapidly expanding RaaS group that has compromised over 400 organizations across 30+ countries. The group is currently experiencing an aggressive expansion phase through affiliate recruitment, with attack activity projected to peak in 2026. Recent operations include high-profile compromises of Belgian entities in the construction and business services sectors, leading to significant operational downtime and data exposure.
## Tactics, Techniques & Procedures
* **Extortion Model:** Utilizes a "Double Extortion" strategy—exfiltrating sensitive data before deploying encryption to maximize leverage.
* **RaaS Model:** Operates via a sustained affiliate recruitment program, providing the locker and infrastructure to third-party attackers in exchange for a percentage of the ransom.
* **Affiliate Consolidation:** Actively absorbs infrastructure and personnel from declining or rival ransomware brands.
## Targeting
* **Sectors:** Primarily targets high economic value industries with perceived weaker security postures.
  * Manufacturing
  * Business Services
  * Technology
  * Construction
  * Healthcare
* **Geography:** Global footprint (30+ countries).
  * **Primary Target:** United States.
  * **Identified Victims:** At least two organizations in **Belgium** (Construction and Business Services).
* **Prohibited Targets:** CIS/Russia are excluded from targeting.
## Tools & Infrastructure
* **Malware:** DragonForce Ransomware (proprietary locker).
* **Infrastructure:** Maintains a leak site for public data disclosure to facilitate double extortion.
* **C2/Domains:** Specific indicators of compromise (IOCs) are contained within the full CCB technical report (Link: `https[:]//ccb[.]belgium[.]be/open-media/1275/download?inline`).
## Implications
DragonForce represents a growing strategic threat due to its consolidation of the RaaS ecosystem. By absorbing rival groups like BlackLock, they are centralizing ransomware expertise. Their focus on sectors like healthcare and manufacturing suggests a willingness to target critical infrastructure where downtime has immediate financial or life-safety consequences. The group’s operational tempo is trending upward into 2026.
## Mitigations
* **Data Protection:** Implement robust, offline, and immutable backup solutions to negate encryption leverage.
* **Egress Monitoring:** Monitor for large-scale data exfiltration to identify the "double extortion" phase before encryption occurs.
* **Access Control:** Implement multi-factor authentication (MFA) and the principle of least privilege to hinder affiliate initial access.
* **Sector-Specific Defense:** Organizations in construction, manufacturing, and healthcare should conduct targeted threat hunting for TTPs associated with DragonForce and its absorbed affiliates (BlackLock/RansomHub).
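
One way to implement the egress monitoring mitigation above, as an added example that is not part of the CCB report: it sums hourly bytes sent to external addresses per internal host and flags hours that exceed both an absolute floor and a multiple of that host's usual volume, so a steady off-site backup job does not alert. The flow records, internal address ranges and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Assumed internal ranges; replace with the organisation's own address plan.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (hour, internal source, destination, bytes sent).
FLOWS = [
    (0, "10.0.5.20", "198.51.100.7", 30_000_000),
    (1, "10.0.5.20", "198.51.100.7", 25_000_000),
    (2, "10.0.5.20", "10.0.9.9", 5_000_000_000),     # internal copy, not egress
    (2, "10.0.5.20", "198.51.100.7", 40_000_000),
    (3, "10.0.5.20", "203.0.113.50", 1_200_000_000),
    (3, "10.0.5.20", "203.0.113.50", 1_200_000_000),
    (0, "10.0.5.31", "198.51.100.9", 1_000_000_000),  # steady off-site backup job
    (1, "10.0.5.31", "198.51.100.9", 1_100_000_000),
    (2, "10.0.5.31", "198.51.100.9", 950_000_000),
    (3, "10.0.5.31", "198.51.100.9", 1_050_000_000),
]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def hourly_egress(flows):
    """Sum bytes sent to external destinations per (source host, hour)."""
    totals = defaultdict(int)
    for hour, src, dst, sent in flows:
        if is_external(dst):
            totals[(src, hour)] += sent
    return totals

def flag_exfil(flows, floor=500_000_000, ratio=10):
    """Flag host-hours above an absolute floor AND ratio x the host's median other hour."""
    per_host = defaultdict(dict)
    for (src, hour), sent in hourly_egress(flows).items():
        per_host[src][hour] = sent
    alerts = []
    for src, hours in per_host.items():
        for hour, sent in hours.items():
            others = [v for h, v in hours.items() if h != hour]
            baseline = median(others) if others else 0  # no history: floor alone decides
            if sent >= floor and sent >= ratio * baseline:
                alerts.append((src, hour, sent, baseline))
    return sorted(alerts)

if __name__ == "__main__":
    for src, hour, sent, baseline in flag_exfil(FLOWS):
        print(f"ALERT {src} hour={hour} sent={sent} baseline={baseline}")
```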