Among the recent news about British retailers being hit by cyber-attacks, you might have seen the name DragonForce and its potential links to the cybercrime group believed to be responsible for at least one of the attacks, Scattered Spider.

Retailers and other companies that supply goods and services to the retail sector are rightly concerned about the recent spate of attacks, with supermarket supplier Peter Green Chilled being the latest firm to report that it’s been the victim of a cyber-attack. Many are wondering how to strengthen their cyber security and protect their customers’ data.

Timeline of DragonForce: From hacktivist to financially motivated criminal cartel

DragonForce Malaysia emerged as a prominent pro-Palestinian hacktivist group in 2021 when it  focused on politically motivated cyber operations, targeting government agencies and organisations across the Middle East and Asia. It gained more notoriety this year when it announced in an underground forum post, in March 2025, that it was re-branding as a ‘cartel’.

By mid-2023, the group moved over to ransomware activities and expanded its objectives to include financial extortion. DragonForce achieved its ransomware activities in part by leveraging leaked source codes from other notorious ransomware groups such as LockBit 3.0 and Conti. By June 2024 DragonForce had launched a full affiliate programme, allowing other cybercriminals to use its ransomware platform under a white-label model.

In ransomware attacks, adversaries typically steal data and threaten to sell it or leak it on the dark web unless the victim pays a ransom by a deadline. If the deadline isn’t met, the cybercriminal might increase the fee. And it might also encrypt the company’s data to prevent them accessing it. In some cases, the criminals might start sending data to the business’s customers to prompt those customers to pressure the business to pay the ransom.  When the victim organisation is a household name, there’s a greater chance that the media will tell the story, giving the criminals some notoriety as well.

DragonForce’s evolution from a hacktivist group to a ransomware group highlights its adaptability and growing influence in the threat landscape. The group’s ambition was to become a ransomware cartel. This model allows various threat actors to initiate unique campaigns while leveraging DragonForce’s code and servers to boost their recent activity using media exposure.

In pursuit of the dragon

The cyber security community is closely monitoring both groups’ activities. Quorum Cyber’s Threat Intelligence team has revealed its findings on Scattered Spider, which is also known as Octo Tempest, UNC3944, and 0ktapu, and has also produced a detailed report about the DragonForce ransomware group.

To date, we know that DragonForce has targeted a wide variety of sectors, including manufacturing, real estate, transportation, healthcare, and commerce and retail. So, it’s a good assumption that all sectors could be targets today and in the future.

From our analysis, we believe that DragonForce is switching tactics slightly. Rather than encrypt data before stealing it, the group is speeding things up by missing the encryption part and just stealing the data. This saves them time and reduces their chances of being caught in the act. And we think, as with many ransomware groups, that their ransom fee is proportionate to the estimated value of the compromised organisation. In short, the more valuable the victim, the larger the ransom.

Learn more about DragonForce

To find out much more about the DragonForce ransomware group and its Ransomware-as-a- Service (RaaS) model, download our free DragonForce Ransomware Report. To discuss how to strengthen your business’s cyber security and boost its cyber resilience, please contact us today.