{
	"id": "16c5c4a3-3a21-4d68-8ea2-5b727cb2117e",
	"created_at": "2026-04-06T00:10:14.90386Z",
	"updated_at": "2026-04-10T13:12:13.113351Z",
	"deleted_at": null,
	"sha1_hash": "4148dba1c80b0739118dbe67527d611c00dee97b",
	"title": "The Godfather of Ransomware? Inside DragonForce’s Cartel Ambitions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4300766,
	"plain_text": "The Godfather of Ransomware? Inside DragonForce’s Cartel Ambitions\r\nBy Mark Tsipershtein and Evgeny Ananin\r\nPublished: 2026-02-03 · Archived: 2026-04-05 16:27:26 UTC\r\nFebruary 03, 2026 8 Minute Read\r\nhttps://www.levelblue.com/blogs/spiderlabs-blog/the-godfather-of-ransomware-inside-dragonforces-cartel-ambitions\r\nPage 1 of 19\n\nThe Cybereason, A LevelBlue Company, Threat Intelligence Team conducted an analysis of DragonForce, a ransomware group that emerged in late 2023 as a significant cyber threat actor.\r\nDragonForce employs advanced methodologies, using a dual-extortion strategy in which they not only encrypt critical business data but also exfiltrate sensitive information, threatening to release it on dark web leak sites unless the ransom is paid.\r\nDragonForce has targeted a variety of sectors, with a notable focus on manufacturing and construction, and has impacted several high-profile organizations. The group has shown adaptability by continuously refining its tools and tactics, moving from dedicated victim sites to a centralized domain for hosting leaked data. This rapid evolution keeps them a persistent and growing threat to businesses worldwide.\r\nFigure 1. DragonForce’s data leak site (DLS).\r\nKey Points\r\nAdvanced Ransomware Features and Multi-Platform Support: DragonForce provides a highly flexible ransomware-as-a-service (RaaS) platform that supports various encryption modes, including full, header, and partial encryption, across multiple platforms, including Windows, Linux, ESXi, and NAS systems. Its key features include customizable encryption modes for individual files and delayed-start options for launching attacks. 
Additionally, the service supports multithreading to improve performance, detailed logging to track the encryption process, and a dry-run option to test the attack without performing actual encryption.\r\nNew Strategic Direction for DragonForce Ransomware Cartel: DragonForce has announced a shift in its operational model, now allowing affiliates to create their own brands under the DragonForce ransomware cartel umbrella. This new direction enables affiliates to run their own \"projects,\" offering more autonomy, while still benefiting from the cartel's infrastructure and experience. The cartel is currently in a global update mode, signaling changes to its operational strategies and potentially an expanded network of affiliates. This move reflects the cartel's evolving approach to scaling its ransomware operations.\r\nTop Targeted Sectors and Countries by DragonForce: DragonForce has primarily targeted the manufacturing, business services, technology, and construction sectors. The group’s attacks have been most prevalent in the US, UK, Germany, Australia, and Italy. 
These industries and countries represent the highest concentration of DragonForce's ransomware activities.\r\nDragonForce Ransomware-as-a-Service\r\nDragonForce Ransomware-as-a-Service (RaaS) Program Overview\r\nThe DragonForce RaaS program provides a comprehensive suite of services and tools for cybercriminal affiliates, enabling them to conduct ransomware attacks across a variety of platforms, including Windows, Linux, ESXi, BSD, and NAS systems.\r\nThe program promises complete automation of all processes, including file encryption, server management, and attack execution.\r\nIt is designed to be highly flexible, supporting full, header, and partial encryption modes, customizable encryption options for individual files, delayed starts, and both local and network modes.\r\nFigure 2. DragonForce’s list of key features posted on a dark web forum.\r\nKey features of the program include:\r\nUnlimited number of brands within one team, allowing affiliates to operate independently.\r\nPETABYTES of storage, with a dedicated infrastructure for monitoring servers 24/7.\r\nFree partner services, which include professional file analysis, decryption of complex hashes, and dedicated storage space for affiliates’ files.\r\nMultithreading capabilities to improve performance and detailed logging for tracking encryption progress.\r\nThe option to perform ransomware dry runs without actual encryption, helping affiliates test attacks before deployment.\r\nThe service also supports cross-platform encryption for a wide range of operating systems, ensuring that DragonForce can scale its attacks to diverse environments.\r\nFigure 3. 
A post detailing how DragonForce works on Windows, ESXi, Linux, BSD, and NAS.\r\nFigure 4. DragonForce’s ESXi encrypter command-line options.\r\nCommand-Line Arguments:\r\n-paths: Enforces search mode in the file system.\r\n-vmsvc: Forces search in the ESXi detection mode using vim-cmd.\r\n-n: Do not perform encryption/decryption (only file detection).\r\n-h H -m M -s S: Wait H hours, M minutes, and S seconds before starting.\r\n-e M X Y: Encryption mode with parameters M, X, and Y.\r\n-p PATH: Redefines the file system paths for detection.\r\n-l LOGFILE: Redefines the log file location.\r\n-j X: Redefines the number of threads to use.\r\n-q: Disables output to STDOUT.\r\n-v: Enables detailed logging.\r\n-wvi ID: Redefines the list of ignored VMs by ID.\r\n-wv NAME: Redefines the list of ignored VMs by name.\r\nFigure 5. DragonForce’s ESXi encrypter configuration options.\r\nConfiguration File Options:\r\ndry_run: Mode without actual encryption/decryption (for testing purposes).\r\nencryption.extension: Defines the file extension for encrypted files.\r\nencryption.rename: Renames encrypted files.\r\nencryption.mode: Specifies the encryption mode (options: striped, percent, header, normal).\r\nencryption.p1, encryption.p2: Parameters for encryption mode.\r\nwork_mode: Specifies the working mode (options: vmsvc, paths).\r\npaths: Paths for encrypting files.\r\nnote_file: Name of the file that stores the ransom note.\r\nlog.file: Path to the log file.\r\nlog.encrypted: Enables encryption logging.\r\ndelay: Delay before starting the encryption process (in seconds).\r\nwhitelist.paths: Directories to be excluded from encryption.\r\nwhitelist.extensions: File extensions to be excluded from 
encryption.\r\nwhitelist.filenames: Specific file names to be excluded from encryption.\r\nwhitelist.vm_ids: Virtual machine IDs to be excluded from encryption.\r\nwhitelist.vm_names: Virtual machine names to be excluded from encryption.\r\nFigure 6. Ransomware client builder.\r\nFigure 7. Configuration interface.\r\nFigure 8. DragonForce announced support for Oracle ASM and project RansomBay.\r\nFigure 9. DragonForce’s RansomBay project.\r\nDragonForce has recently created an automated registration service for those interested in joining its ransomware operations. This change allows new affiliates to register directly without prior approval or extensive vetting, unlike previous practices that required a significant monetary deposit and detailed background checks.\r\nFigure 11. DragonForce’s automated registration system.\r\nFigure 12. An advertisement of DragonForce’s new automated registration system.\r\nDragonForce also announced that its upcoming “product”, DragonForce - Atom, will be released soon. Unfortunately, the group has not published the details yet on the new product.\r\nFigure 13. DragonForce’s announcement of its new DragonForce – Atom product.\r\nProfessionalization of Ransomware Operations Through Data Audits\r\nRather than advertising malware or access, DragonForce created the “Company Data Audit” service to support ransomware affiliates during extortion campaigns. 
The service is positioned as complementary to decryption and negotiation support, with the stated goal of strengthening leverage over victims by analyzing stolen data and clearly articulating business, legal, and reputational risks.\r\nThe audit includes a detailed risk report, prepared communication materials, such as call scripts and executive-level letters, and strategic guidance designed to influence negotiations. An example provided references a mining company breach in which stolen satellite imagery allegedly exposed sensitive mineral deposit locations, illustrating the group’s emphasis on extracting strategic and non-obvious value from exfiltrated data. The service is offered under a commission-based model, with higher percentages charged for post-incident or “historical” cases.\r\nOverall, the content highlights the continued professionalization of ransomware operations and the expansion of their supporting ecosystems. It reflects a shift toward intelligence-driven extortion, where threat actors invest in data analysis, tailored messaging, and negotiation strategy to maximize ransom outcomes, mirroring legitimate consulting and risk assessment practices.\r\nFigure 14. 
DragonForce promotes a value-added service offered by threat actors associated with the DragonForce ransomware ecosystem.\r\nDragonForce Vs RansomHub\r\nAfter announcing its transition into a ransomware cartel, DragonForce aggressively moved against rival groups, launching harassment campaigns and defacing the leak site of competitor BlackLock within 24 hours.\r\nThe group then turned its attention to RansomHub, whose infrastructure went offline on April 1, 2025. DragonForce claimed RansomHub had joined the cartel and even created a dedicated portal for former RansomHub affiliates migrating and adopting the DragonForce branding. RansomHub pushed back publicly, with spokesperson Koley accusing DragonForce of sabotage, internal betrayal, and even cooperating with law enforcement.\r\nFigure 15. DragonForce claimed RansomHub had joined the cartel and even created a dedicated portal for its affiliates.\r\nFigure 16. RansomHub publicly denied that it joined DragonForce.\r\nAs part of the escalating conflict between DragonForce and RansomHub, a RansomHub spokesperson publicly accused DragonForce of having contacts within the Russian FSB intelligence service, implying that DragonForce leveraged these connections to undermine or sabotage rival ransomware groups.\r\nDragonForce also targeted the BlackLock ransomware group by defacing its leak site:\r\nFigure 17. 
DragonForce defaced the BlackLock ransomware group’s DLS.\r\nFormation of a Cybercrime Cartel\r\nCybereason’s threat intelligence team has information that a representative of the DragonForce ransomware group issued an open call for cooperation among major ransomware operations, explicitly naming LockBit and Qilin. There is also evidence that Nova RaaS group representatives participated in this initiative.\r\nThe DragonForce representative’s message proposed establishing communication channels between groups, standardizing competitive conditions, and eliminating public conflicts. The author advocated for mutually agreed-upon rules, including equal terms for affiliates, no undercutting of deposit or profit-share percentages, and maintaining a professional level of conduct. The stated objective is to stabilize the ransomware “market,” increase collective profits, and present a unified front.\r\nShortly after issuing its public call for cooperation, DragonForce released an official statement announcing the formation of a “coalition” between Qilin, LockBit, and DragonForce.\r\nFigure 18. A post announcing the formation of a coalition between Qilin, LockBit, and DragonForce.\r\nDragonForce Or DragonForce?\r\nClaims alleging a relationship between DragonForce Malaysia and the DragonForce ransomware group remain unsubstantiated. On October 28, 2025, DragonForce Malaysia publicly denied any affiliation or involvement with the DragonForce ransomware operation, stating that such allegations are based on indirect and weak evidence and that ransomware activity is inconsistent with its mission and objectives.\r\nFigure 19. DragonForce Malaysia rejected accusations linking the group to ransomware activities attributed to the DragonForce ransomware/APT cluster.\r\nFigure 20. 
In the early stages of its operations, the DragonForce ransomware group had a profile on BreachForums.\r\nFigure 21. One of the early posts of the user “dragonfoce” on BreachForums.\r\nIn a leaked database from BreachForums, it was discovered that a user associated with the DragonForce username had registered using the email address bjorkaact@.\r\nFigure 22. BreachForums leaked data showing the DragonForce username and its associated email address.\r\nProfiles associated with DragonForce have been identified across different versions of BreachForums, each with a different registration date. A user profile from BreachForums version 2 shows a registration in 2023, while a separate leak from BreachForums version 1 reveals a DragonForce profile with a registration date in 2022.\r\nBjorka is a well‑known cyber threat actor alias associated with a string of high‑profile data breaches and leaks that first appeared on underground forums like RaidForums and later BreachForums.\r\nAlias Bjorka has been tied to Babuk2 or “Babuk‑Bjorka,” which emerged in early 2025, while mostly recycling data already leaked by other groups such as RansomHub and FunkSec.\r\nIn a January 2026 database leak from a newer version of BreachForums, a user associated with the DragonForce nickname had registered using the email address Albikatoras555[@]protonmail[.]com.\r\nFigure 23. BreachForums 2026 database entry for “dragonforce”.\r\nAdditionally, OSINT indicates the DragonForce ransomware Onion blog has been associated with a clear-net IP address that appears in FOFA search results as being hosted within infrastructure geolocated to the Russian Federation.\r\nFigure 24. 
DragonForce’s Onion blog FOFA search results.\r\nThe IP association was first identified by @RakeshKrish12 and independently confirmed by the Cybereason Threat Intelligence Team.\r\nCurrently, the DragonForce group has fixed the IP leak, so the Onion website cannot be easily located on the public Internet.\r\nFigure 25. Let’s Encrypt SSL certificate.\r\nAmong the other IPs seen hosting the DragonForce infrastructure, we have observed the following IP addresses to be in use:\r\n193[.]233.175.213\r\n95[.]164.53.64\r\n91[.]108.244.85\r\n46[.]29.238.160\r\n46[.]29.238.123\r\n87[.]121.47.15\r\nTechnical Analysis\r\nIn this section, we performed an analysis of the ransomware executable file and observed similarities in technique with other ransomware groups.\r\nThe file hash is as follows:\r\nc5554ab2ea04e9d938a47b09ea34ebedb46c223a500aa70f08f4b2dc6864bd90\r\nFigure 26. “Detect it Easy” analysis information.\r\nThe mutex hsfjuukjzloqu28oajh727190 is a hardcoded identifier first documented in a ransomware sample derived from the leaked Conti source code, where it was used to ensure only one instance of the malware runs at a time on a victim’s machine. This mutex appears in ransomware families known to reuse Conti components, including DragonForce variants.\r\nFigure 27. DragonForce mutex.\r\nThe DragonForce ransomware group is known to scan SMB ports within IP ranges during its operations. This scan is part of the group's network reconnaissance activities, used to identify vulnerable systems and potential targets for ransomware deployment.\r\nFigure 28. DragonForce scans local machines for reconnaissance.\r\nFigure 29. 
Shadow copy delete via WMIC.\r\nThe group utilizes the wmic.exe command with the shadowcopy function, specifically using the command wmic.exe shadowcopy where \"ID='{id}'\" delete. This command deletes volume shadow copies, a technique commonly used by ransomware to erase backup copies of files.\r\nFigure 30. Encrypted files.\r\nFigure 31. DragonForce’s ransom note.\r\nThe Cybereason platform successfully detected the malicious payload associated with the DragonForce ransomware, identifying and blocking its attempt to delete shadow copies via the wmic.exe command. Additionally, the product detected and prevented the ransomware from encrypting files, ensuring that critical data remained intact and secure.\r\nFigure 32. Detection and prevention.\r\nCybereason’s analysis shows that DragonForce is a highly adaptive, rapidly evolving ransomware operation that combines sophisticated RaaS features, dual-extortion tactics, and cross-platform capabilities (Windows, Linux, ESXi). With its automated persistence mechanisms, flexible propagation methods, and extensive support for affiliates, DragonForce can scale its attacks efficiently and bypass basic defenses. 
Its swift publication of victim data, powerful encryption, EDR evasion techniques, and lateral movement capabilities make it a persistent and significant threat to organizations, with the potential to disrupt a wide range of industries globally.\r\nRecommendations:\r\nFollow and hunt “DragonForce” Locker affiliate activity to identify pre-ransomware behaviors.\r\nPromote cybersecurity best practices such as multifactor authentication (MFA) and patch management.\r\nRegularly back up files and create a backup process and policy: restoring your files from a backup is the fastest way to regain access to your data.\r\nKeep systems fully patched: make sure your systems are patched to mitigate vulnerabilities.\r\nIf nefarious activity is detected, immediately involve Incident Response services to execute a thorough investigation and containment process to fully eliminate the threat actor from the infected network.\r\nFor Cybereason customers on the Cybereason Defense Platform: DragonForce ransomware is detected with the default configuration of the Defense Platform. To ensure detection and effective prevention of DragonForce-related activity, these security features must be enabled:\r\nEnable Anti-Malware and set the Anti-Malware Signatures mode to Prevent, Quarantine, or Disinfect.\r\nEnable Anti-Ransomware (PRP), set Anti-Ransomware to Quarantine mode and enable shadow copy protection.\r\nEnable Application Control.\r\nEnable Variant Payload Prevention with prevent mode on Cybereason Behavioral execution prevention.\r\nIOCs\r\nMITRE ATT\u0026CK Mapping\r\nSource: https://www.levelblue.com/blogs/spiderlabs-blog/the-godfather-of-ransomware-inside-dragonforces-cartel-ambitions",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.levelblue.com/blogs/spiderlabs-blog/the-godfather-of-ransomware-inside-dragonforces-cartel-ambitions"
	],
	"report_names": [
		"the-godfather-of-ransomware-inside-dragonforces-cartel-ambitions"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "13623ffb-4701-4f3d-bf32-8826346433ac",
			"created_at": "2024-12-21T02:00:02.850766Z",
			"updated_at": "2026-04-10T02:00:03.784245Z",
			"deleted_at": null,
			"main_name": "FunkSec",
			"aliases": [],
			"source_name": "MISPGALAXY:FunkSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434214,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4148dba1c80b0739118dbe67527d611c00dee97b.pdf",
		"text": "https://archive.orkl.eu/4148dba1c80b0739118dbe67527d611c00dee97b.txt",
		"img": "https://archive.orkl.eu/4148dba1c80b0739118dbe67527d611c00dee97b.jpg"
	}
}