Ethical Hacking News
DragonForce, a new ransomware-as-a-service operation, has claimed numerous victims worldwide and gained attention for its affiliates and geographic restrictions. Experts highlight concerns over its strategic approach to expanding operations while also emphasizing the potential risks associated with lowering technical barriers to entry.
DragonForce is a new ransomware-as-a-service (RaaS) operation that has already claimed numerous victims, including prominent retailers. The group began operations in August 2023 but gained significant traction in 2024 after affiliates started advertising its services on dark web forums. DragonForce restricts attacks on certain geographic regions, specifically those within the Commonwealth of Independent States (CIS), which includes Russia and former Soviet republics. The group's strategy aims to attract as many affiliates as possible, increasing potential victims and profits. DragonForce also has a restriction against targeting hospitals housing "critical patients, children, and the elderly". The group's origins are unclear, with speculation that it may not be based in Russia but has used language suggesting otherwise.
In a recent development that highlights the evolving nature of cyber threats, a new ransomware-as-a-service (RaaS) operation known as DragonForce has emerged, leaving cybersecurity experts to sound the alarm over its affiliates and geographic restrictions. As reported by The Register, this latest threat actor has already claimed numerous victims, including prominent retailers such as Marks & Spencer, Co-op, and Harrods, with information stolen from customers also reportedly being held for ransom.
According to sources, DragonForce began operations in August 2023 but didn't gain significant traction until the following year when affiliates started advertising for DragonForce's services on dark web forums. Since then, it has become one of the most prolific ransomware groups of 2024, with its operators claiming over 158 victims as of the latest report.
What sets DragonForce apart from other RaaS operations is its strategic decision to restrict attacks on certain geographic regions, specifically those within the Commonwealth of Independent States (CIS), which includes Russia and former Soviet republics. This move was seen as a deliberate attempt by the operators to avoid potential attention from Russian law enforcement agencies. However, the extent of this restriction remains unclear.
As noted by Tim Mitchell, senior threat researcher at Sophos Counter Threat Unit, "This is about DragonForce trying to attract as many affiliates as it can to its operation... The more people it has deploying ransomware and stealing data, the more potential victims it has paying ransoms, so the higher the profits." This strategy highlights the evolving tactics used by cyber threat actors in recent years.
According to Genevieve Stark, head of cybercrime, hacktivism, and information operations intelligence analysis for the Google Threat Intelligence Group, "The affiliate rules prohibit attacks on organizations in Commonwealth of Independent States nations and former Soviet Union countries; however, this restriction is extremely common and is not necessarily indicative of location." This nuanced view underscores the complexity of attributing the origins of cyber threat actors.
DragonForce also draws a line at using its ransomware to target hospitals housing "critical patients, children, and the elderly." The gang explicitly warns affiliates against such actions on its forums. However, there remains speculation about DragonForce's geographical origins, with some claiming that the group may not be based in Russia but has used language suggesting otherwise.
The nature of DragonForce's operations also raises concerns about the ease with which new actors can join and participate in RaaS operations. This "lowering of the technical bar to entry" could potentially increase the risk posed by these groups, according to Mitchell, who notes that such an operating model might attract unwanted attention from law enforcement.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Ransomware-as-a-Service-Operation-DragonForce-Raises-Concerns-Over-Affiliates-and-Geographic-Restrictions-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/05/15/dragonforce_ransomware_uk_retail_attacks/
Published: Thu May 15 03:16:38 2025 by llama3.2 3B Q4_K_M