✅ Report Title: Inside the Ecosystem & Operations: DragonForce Ransomware Group
✅ Executive Summary:
- DragonForce is a ransomware group active since December 2023. It operates under a Ransomware-as-a-Service (RaaS) model and promotes itself as a cartel to expand its influence.
📌 Who Is the DragonForce Ransomware Group?
- DragonForce ransomware carried out attacks against 363 companies from December 2023 to January 2026, showing an increasing trend in activity starting in 2025.
📌 DDW History of the DragonForce Ransomware Group
- The DragonForce ransomware group is active on several dark web forums, including BreachForums, RAMP, and Exploit.
- DragonForce distinguishes itself from other RaaS groups by offering services beyond standard ransomware operations.
- DragonForce has targeted rival groups and formed public alliances to strengthen its position within the ransomware ecosystem.
📌 Other Related Groups
- Groups associated with DragonForce include BlackLock, RansomHub, Scattered Spider, DEVMAN, and LockBit.
- In some cases, it engaged in adversarial relationships through infrastructure-level attacks, while in others, it demonstrated associations based on similarities in source code, binaries, and ransom notes.
- DragonForce also attempted public cooperation with Qilin and LockBit.
- The following groups either maintained adversarial relationships with DragonForce or showed signs of operational association.
Groups adversarial to or associated with DragonForce
📌 Affiliate Infiltration Findings
- DragonForce’s affiliate panel provides functionality for client management, build generation, team coordination, content publishing, and support ticket handling.
📌 TTP (Tactics, Techniques, and Procedures) Analysis
- DragonForce primarily conducts initial access through remote desktop servers. After collecting credentials, it deploys DragonForce ransomware across the entire network to which the compromised system belongs.
📌 Binary Analysis
- DragonForce ransomware exists in versions for Windows and Linux (ESXi, NAS, RHEL).
✅ Recommended Threat Detection and Mitigation Actions:
As the attack involves privilege escalation through the exploitation of a vulnerable driver, detection by conventional antivirus solutions may be challenging. Therefore, it is recommended to update the driver to the latest version and add the vulnerable driver to the blocklist as a mitigation measure.
👉 Read the full report: https://bit.ly/4kROZis
🧑‍💻 Author: S2W TALON
*The full report is available upon request or with a subscription to the S2W platform.