Credential Theft
- Mimikatz
DragonForce is a ransomware family and ransomware-as-a-service operation active since late 2023.
Profile source: Mallory opens in a new tabDragonForce
DragonForce is a ransomware family and ransomware-as-a-service operation active since late 2023. It is associated with a broader criminal ecosystem that recruits affiliates and has publicly presented itself as a cartel-style operation. DragonForce code has been reported as derived from leaked LockBit 3.0 and Conti ransomware source code, and variants exist for Windows and Linux, including Linux builds targeting VMware ESXi environments.
DragonForce is used to encrypt victim systems and support extortion operations, often alongside data theft. Reported intrusions linked to DragonForce include enterprise compromises in which operators conducted credential access, reconnaissance, lateral movement, and persistence before ransomware deployment. Observed tradecraft around DragonForce incidents includes use of PsExec, Impacket tooling, Mimikatz, remote desktop access, and remote management software. In some campaigns, operators maintained persistence with custom malware after encryption or used advanced evasion methods such as DLL sideloading and bring-your-own-vulnerable-driver techniques to disable security tooling.
The malware supports capabilities consistent with modern enterprise ransomware, including file encryption across local and network-accessible resources, process termination to unlock files, and in Linux ESXi-focused variants, actions to impact virtualized environments. Public reporting also describes DragonForce operators or affiliates using the malware after initial access obtained through exposed remote services, exploitation of edge infrastructure, or access provided by intermediaries such as initial access brokers. Delivery has also been linked in some cases to social-engineering-driven intrusions conducted by Scattered Spider, which authorities and researchers have associated with DragonForce deployment in attacks against retail and ESXi environments.
DragonForce has been observed across multiple sectors and geographies, including high-profile attacks against retail and services organizations. Its operational model, cross-platform support, and association with affiliate-driven intrusion activity place it among the more capable contemporary ransomware threats.
Ransomware.live
Ransomware.live
3a514e164db30acdb3063eb79a23aa4ff0410358a0d9dbd0dff3113d9c744ca799be93aa4c34b39fedcd37663c34511f2dd7cd2bf15eec7d62689435fca9c49c3c311cabe7de6a8c104f8f10541d392d12e22f588f6128cf1a042d1122556cd2e4a4fc96188310b7b07e7c0525b5c0aa15634dc79981e7fba25fb8530cedb9818bcd83352bbd52ca7bda998a52dd0e5c6c755a742f2b2e5c1820f57d0338365f1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D2045.135.232.195Ransomware.live
Reported operators
Criminal complaints against alleged Scattered Spider members and public reports reveal collaboration of the subclusters with ALPHV/Blackcat and Dragonforce.
Devman is a ransomware operator, believed to be located in Russia, who uses modified DragonForce code built on top of the leaked Conti source code.
The DragonForce Ransomware Group, first detected in December 2023, developed its own ransomware based on LockBit 3.0 (Black) and Conti Ransomware code.
Since at least April 2025, the group has partnered with the DragonForce RaaS program, operated by the group we track as Slippery Scorpius, to extort victims. In one case, we observed attackers exfiltrating over 100 GB of data during a two-day period, with encryption via DragonForce ransomware deployment.
When DragonForce emerged in August 2023, it offered a traditional RaaS scheme. On March 19, 2025, the group announced a rebrand as a ‘cartel’ to expand its reach, hoping to emulate the success of LockBit and other mature ransomware-as-a-service (RaaS) groups.
DragonForce posted 101 victims in Q1 2026 (an increase of 29% compared to Q4 2025), with a steep climb from 10 victims in January to 35 in February and 56 in March.
“DragonForce ransomware was first identified in August 2023… DragonForce has two ransomware variants - one based on LockBit Ransomware and another based on the Conti Ransomware variant.”
“DragonForce ransomware was first identified in August 2023… DragonForce has two ransomware variants - one based on LockBit Ransomware and another based on the Conti Ransomware variant.”
The final phase involves deploying ransomware. Recently we have seen the group prefer the DragonForce variant, particularly targeting virtualised environments.
Exploited software
MITRE ATT&CK
Reporting
In one incident, the operator progressed from initial access to ransomware deployment in under an hour. DragonForce was used in the most advanced case.
Across the first half of 2026, the Huntress Tactical Response unit worked a string of intrusions that all rhymed: an edge Citrix NetScaler gateway, sudden anomalous access to the environment, a tidy privilege-escalation, a fake "Citrix" administrator account, off-the-shelf remote-access software, and when the operator got what they wanted—Dragonforce ransomware.
...in its most advanced form, ends in DragonForce ransomware... In the most progressed case, the operator used PsExec, Impacket-based tooling and Mimikatz for lateral movement and credential access before deploying a DragonForce ransomware binary...
Criminal complaints against alleged Scattered Spider members and public reports reveal collaboration of the subclusters with ALPHV/Blackcat and Dragonforce.
En juillet 2025, le FBI et la CISA avaient publié des recommandations sur les techniques de Scattered Spider, incluant l’usage du ransomware DragonForce pour chiffrer des serveurs VMware ESXi.
Также известно, что в некоторых атаках группировка использовала Android-эмулятор Genymobile, а против британских ретейлеров применяла шифровальщик DragonForce.
According to prosecutors, they commonly use the Genymobile Android emulator during their MFA attacks and have also deployed DragonForce encryptor in ransomware attacks against UK retail companies.
...оператор вымогательской малвари, основанной на исходном коде вредоноса DragonForce (который, в свою очередь, базируется на слитых в сеть исходниках Conti).
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.