
Hackers affiliated with DragonForce assert involvement in the data breach at Belk department stores.

The U.K. and U.S. have seen a series of cyberattacks, and the North Carolina-based retailer is the latest to fall victim.

DragonForce, a ransomware-as-a-service (RaaS) operation, has gained notoriety for high-profile attacks on retail firms since its emergence in late 2023. The group's affiliate structure is not as widely documented as those of some of its competitors, but there are clear links to other cybercriminal groups.

**Primary Affiliates and Collaborations**

One of DragonForce's most notable known affiliates is Scattered Spider, a cybercrime group known for social engineering and initial access brokerage. There is strong evidence that these two groups have collaborated, particularly in attacks against UK retailers. Tactics used in these breaches, such as posing as internal IT support, are directly attributed to Scattered Spider, suggesting their members may be acting as DragonForce affiliates.

Before their current activity, the DragonForce operators are known to have used several RaaS strains, including RansomHub and Qilin. However, their relationship with RansomHub soured, leading to public accusations of sabotage and a collapse of any previous cooperative relationship. This suggests DragonForce does not maintain stable, friendly affiliations with rival RaaS groups but rather engages in turf wars for market dominance.

**Affiliate Recruitment and Turf Wars**

DragonForce has aggressively recruited affiliates, mirroring strategies seen in the LockBit–BlackCat rivalry and RansomHub’s recruitment drives after the LockBit takedown. Their dominance tactics include both recruitment and sabotage, particularly against rival groups like RansomHub and (allegedly) BlackLock, whose data leak site was defaced by DragonForce, leading to the emergence of a rebranded operation (GLOBAL GROUP).

**DragonForce’s Ransomware-as-a-Service (RaaS) Model**

Like other RaaS groups, DragonForce operates a criminal franchise model where affiliates (often initial access brokers or penetration specialists) gain access to victim networks and deploy DragonForce-branded ransomware. In return, affiliates receive a cut of the ransom payments. DragonForce maintains a dark web blog where it names and shames victims—particularly those who refuse to pay ransoms—to pressure companies into compliance. This tactic, known as double extortion, involves both encrypting data and threatening to leak stolen information if payment is not made.

DragonForce adheres to a policy of avoiding attacks on critical infrastructure and organizations in former Soviet states, which may be an effort to avoid drawing excessive law enforcement attention from Russian-speaking authorities.

**Attack Methods and Tools**

DragonForce affiliates, such as Scattered Spider, often use social engineering to gain initial network access. Once inside a network, attackers deploy ransomware payloads, exfiltrate data, and use double extortion tactics to maximize pressure on victims. While less is known about DragonForce’s specific negotiation tactics, RaaS operators typically provide affiliates with automated negotiation tools.

**Key Takeaways**

- DragonForce's most notable known affiliate is Scattered Spider, with evidence of shared tactics and victims in retail sector attacks.
- The group's RaaS model relies on affiliates to breach networks, deploy ransomware, and negotiate ransoms, with DragonForce providing the malware and infrastructure while taking a cut of the profits.
- DragonForce actively competes with other RaaS groups, engaging in recruitment drives and sabotage to dominate the ransomware ecosystem, rather than forming stable alliances.
- The group avoids certain high-risk targets to minimize geopolitical and law enforcement risks.
- Arctic Wolf researchers also provided screenshots from the leak site.
- DragonForce rebranded itself as a cartel earlier this year, allowing other operators to use its hacking infrastructure and launch attacks under their own names or under the DragonForce name.
- Each victim listed on the DragonForce leak site could have been posted by a different affiliate, making it hard to immediately draw links between individual victims.
- Recently, DragonForce claimed responsibility for an attack on North Carolina-based department store chain Belk, with approximately 156 gigabytes of data reported to have been stolen. A spokesperson for Belk did not immediately respond to a request for comment. The Belk data was accessed in early May.

  1. The cybersecurity community closely monitors the activities of DragonForce, a ransomware-as-a-service (RaaS) operation, due to their high-profile attacks on retail firms since 2023, with one of their significant affiliates being Scattered Spider, known for social engineering and initial access brokerage.
  2. General news outlets and crime-and-justice sectors report on the turf wars between DragonForce and other RaaS groups, as DragonForce recruits affiliates aggressively, emulating strategies similar to those of LockBit and BlackCat, and engages in sabotage against rivals like RansomHub and (allegedly) BlackLock.
  3. In the data-and-cloud-computing industry, cybersecurity experts stress the need for robust security measures against ransomware attacks, as groups like DragonForce continue to evolve, developing sophisticated techniques such as double extortion, threatening to leak stolen information in addition to encrypting data, to maximize pressure on victims.
