Senior Threat Researcher Aidan Sinnott joins Senior PR Manager Susie Evershed to unpack the business model behind the ransomware group DragonForce. Their white-label ransomware-as-a-service model is not only enabling more cybercriminals to launch attacks but also reshaping the underground economy. Just days after Sophos published a blog on DragonForce's operations, their ransomware was allegedly used in a high-profile attack on UK retailer Marks & Spencer.
Video Summary: DragonForce Targets Rivals - Behind the Scenes of the Ransomware Turf War
00:04 Introduction
Welcome to our Cyber Shorts series with Sophos, a LinkedIn Live series designed to bring you insights into trending cybersecurity topics.
If you watched our first episode, you'll know that Sophos recently acquired Secureworks, including the Counter Threat Unit, which delivers threat intelligence on the global threat landscape.
Today we're sharing some of those insights and explaining how organizations can use them to better understand and defend against cyber threats.
00:31 Meet the speakers
I'm Susie Evershed, and I'm joined by Aidan Sinnott, Senior Threat Researcher.
Thanks for joining us today.
Around a month ago we published a blog based on your observations about the ransomware group DragonForce and the business model they’re operating.
00:44 DragonForce’s white-label ransomware model
Your research showed that DragonForce is effectively white-labeling its ransomware, allowing other cybercriminal groups to use its infrastructure and tools.
Just a few days after that blog was published, the ransomware was allegedly used in an attack on British retailer Marks & Spencer, which caused major disruption.
But there’s a lot more happening behind the scenes in the ransomware ecosystem.
01:09 Background on DragonForce
DragonForce has been active since around 2023, originally operating as a traditional Ransomware-as-a-Service (RaaS) group.
However, earlier this year they introduced a white-label ransomware model, allowing affiliates to create their own ransomware brands while using DragonForce’s infrastructure.
Instead of operating under the DragonForce name, affiliates can launch their own ransomware operations with their own branding and leak sites.
01:58 Activity targeting rival ransomware groups
DragonForce promoted this model on the underground forum RAMP, and at the same time we observed activity targeting rival ransomware groups.
Two groups in particular — BlackLock and Mamona — had their leak sites defaced with DragonForce branding and links to the DragonForce leak site.
Shortly afterward, a post appeared on the RansomHub leak site, which appeared to promote DragonForce and welcome affiliates to what they called the “DragonForce cartel.”
03:00 Conflict with RansomHub
This situation didn’t go down well with RansomHub, which had become one of the most prolific ransomware groups following the disruption of LockBit and BlackCat.
Posts appeared from RansomHub operators pushing back against DragonForce, accusing them of attacking other groups.
Around the same time, the RansomHub leak site went offline, creating even more uncertainty in the ransomware ecosystem.
04:06 DragonForce’s competition for dominance
We believe DragonForce may be attempting to establish itself as a dominant ransomware brand.
Since launching its white-label model, the group has made several aggressive moves to promote itself and challenge competitors.
Public messages from RansomHub operators on underground forums show clear tension between the two groups.
05:02 A constantly shifting ransomware ecosystem
The ransomware ecosystem is extremely fluid.
Affiliates often move between groups, and ransomware gangs frequently rebrand, disappear, or relaunch with new infrastructure.
The RansomHub leak site has been offline since April, and it’s unclear whether the group will reappear under a new name or structure.
06:16 Are the retail attacks confirmed?
At the moment, DragonForce has not officially listed any of the recent retail attacks on its leak site.
During the attacks their infrastructure was actually offline for roughly two weeks.
Now that their systems are back online, there is still no confirmed victim listing, which suggests negotiations may still be ongoing.
07:22 Why threat intelligence matters
Understanding the threat landscape is critical for defending organizations.
While DragonForce is currently grabbing headlines, there are hundreds of other ransomware groups using similar tactics.
Our job is to understand these groups — their tactics, techniques, and procedures (TTPs) — so we can inform customers and help them protect their environments.
This research also feeds directly into the development of our security technologies and detection capabilities.
08:38 Cybersecurity advice for organizations
Organizations should focus on strong cybersecurity fundamentals.
Key recommendations include:
- Identifying and patching vulnerable services
- Implementing phishing-resistant multi-factor authentication
- Monitoring networks and endpoints for suspicious activity
- Maintaining segmented backups to enable recovery
- Developing and regularly testing an incident response plan
The goal is to prepare for the worst while hoping for the best.
09:46 Closing
Thank you so much, Aidan, for sharing those insights.
And thank you to everyone who joined us today.
Stay tuned for future Cyber Shorts episodes, and for more insights make sure you’re reading our blog and following our social channels.