Video Summary: Who Are DragonForce and How the Ransomware Affiliate Ecosystem Is Changing
00:03 Introduction
Welcome to our Cyber Shorts series with Sophos, a LinkedIn Live series designed to bring you insights into trending cybersecurity topics.
Following Sophos’ acquisition of Secureworks, including the Counter Threat Unit, this episode shares threat intelligence insights to help organizations better defend against cyber threats.
00:19 Meet the speaker
I’m Susie Evershed, joined by Rafe Pilling, Director of Threat Intelligence.
Today’s discussion focuses on DragonForce, the ransomware group that has recently made headlines following claims of attacks against high-profile British retailers.
00:57 What is DragonForce
DragonForce first emerged around August 2023 as a traditional ransomware-as-a-service group.
Initially, it relied on leaked ransomware lockers and began gaining traction in early 2024, building its presence on underground forums and increasing victim postings on its leak site.
01:30 DragonForce’s cartel model
In March 2025, DragonForce shifted its approach and launched what it describes as a cartel model.
This model allows affiliates to create and promote their own brands while still using DragonForce’s infrastructure, tools, and services.
01:43 What ransomware-as-a-service means
Ransomware-as-a-service is a cybercriminal business model in which operators provide the tools and infrastructure needed for ransomware attacks.
Affiliates then carry out the intrusions, steal data, and work with the service provider to extort victims and publish stolen information.
02:39 How DragonForce differs from older ransomware brands
Older ransomware groups such as LockBit placed heavy value on their own brand and reputation.
DragonForce has inverted that model by letting affiliates operate under their own branding while still relying on DragonForce’s backend services and technical capabilities.
03:37 What affiliates get from DragonForce
Affiliates can access a full management system that includes leak sites, encryption tools for multiple operating systems, secure storage, dark web infrastructure, negotiation tools, and other ransomware services.
This lowers the barrier for affiliates who want the capabilities of a mature ransomware operation without having to build their own infrastructure.
04:38 The role of Scattered Spider
Recent reporting on UK retail attacks has linked DragonForce to the broader Scattered Spider ecosystem.
However, the discussion notes that Scattered Spider is often used as a catch-all label for loosely connected cybercriminal actors rather than a single tightly defined group.
05:38 Why attribution is complicated
DragonForce is a self-identified ransomware brand, while Scattered Spider is a name assigned by cybersecurity researchers to a broader cluster of activity.
In many cases, what people call a Scattered Spider attack may actually reflect shared tactics, social engineering methods, or connections within a wider cybercriminal community rather than direct involvement from one original group.
06:46 Hallmarks of these attacks
These intrusions are often associated with social engineering against help desk and IT staff.
Attackers may call employees, impersonate trusted individuals, and persuade them to reset passwords, bypass multi-factor authentication, or otherwise grant access.
07:19 Advice for detecting this activity
Organizations should focus less on the specific group name and more on detecting the behaviors involved.
That includes preparing staff to recognize social engineering, establishing reporting paths for suspicious activity, and ensuring employees feel empowered to follow process and refuse unsafe requests.
07:56 Protecting help desk and customer-facing staff
Help desk and customer service teams should be trained and supported so they do not feel pressured to bypass security controls, even when a caller claims authority or urgency.
Clear procedures and confidence to say no are essential defenses against this type of attack.
08:35 Monitoring for suspicious access
Organizations should monitor for signs of unauthorized access, including logins from unusual locations, non-standard VPN use, impossible travel alerts, and suspicious use of privileged accounts.
These indicators can help identify attackers who have gained access through social engineering rather than malware.
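As an added illustration (not code from the video or from Sophos/Secureworks), the following script applies three of the indicators named above to constructed authentication records: first-seen country per user, impossible travel between consecutive logins, and a privileged account authenticating from outside an assumed corporate VPN address range. User names, coordinates, the VPN prefix and the speed threshold are all assumptions for the example.

```python
"""Flag logins matching the indicators discussed above. All records,
locations and thresholds below are constructed for this example."""
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample logins: (user, UTC timestamp, country, lat, lon, source_ip)
LOGINS = [
    ("jsmith", "2025-05-01T08:00:00", "GB", 51.5, -0.12, "10.8.0.14"),
    ("jsmith", "2025-05-01T08:40:00", "US", 40.7, -74.0, "203.0.113.9"),
    ("admin-ops", "2025-05-01T09:05:00", "GB", 51.5, -0.12, "198.51.100.7"),
    ("agarcia", "2025-05-01T09:10:00", "GB", 51.5, -0.12, "10.8.0.22"),
]
PRIVILEGED = {"admin-ops"}                 # assumed privileged accounts
CORPORATE_VPN_PREFIX = "10.8."            # assumed corporate VPN address pool
KNOWN_COUNTRIES = {"jsmith": {"GB"}, "agarcia": {"GB"}, "admin-ops": {"GB"}}
MAX_SPEED_KMH = 900.0                     # faster than this is treated as impossible

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect(logins):
    """Return (user, reason) alerts, processing logins in timestamp order."""
    alerts, last_seen = [], {}
    for user, ts, country, lat, lon, ip in sorted(logins, key=lambda r: r[1]):
        when = datetime.fromisoformat(ts)
        # Unusual location: country not previously associated with the user
        if country not in KNOWN_COUNTRIES.get(user, set()):
            alerts.append((user, f"login from unusual country {country}"))
        # Non-standard VPN use by a privileged account
        if user in PRIVILEGED and not ip.startswith(CORPORATE_VPN_PREFIX):
            alerts.append((user, f"privileged account outside corporate VPN from {ip}"))
        # Impossible travel: distance/time between consecutive logins too high
        if user in last_seen:
            p_when, p_lat, p_lon = last_seen[user]
            hours = (when - p_when).total_seconds() / 3600
            km = haversine_km(p_lat, p_lon, lat, lon)
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                alerts.append((user, f"impossible travel: {km:.0f} km in {hours:.1f} h"))
        last_seen[user] = (when, lat, lon)
    return alerts

if __name__ == "__main__":
    for user, reason in detect(LOGINS):
        print(f"ALERT {user}: {reason}")
```

In a real deployment the known-country and VPN baselines would come from historical authentication logs rather than hard-coded values.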
09:29 Use of legitimate tools after access
Once inside, these groups often rely on legitimate remote management tools and administrative utilities rather than obviously malicious malware.
That makes strong visibility, anomaly detection, and auditing especially important.
10:01 How organizations can protect themselves
Defense is absolutely possible with strong cyber hygiene.
Key protections include patching perimeter systems, enforcing phishing-resistant multi-factor authentication, improving user awareness training, and making sure staff who interact with external callers understand these attack methods.
11:02 Technical controls that strengthen defense
Broad deployment of EDR, NDR, and XDR solutions, combined with authentication and access log collection, can put organizations in a much stronger position to detect account takeovers and unauthorized access before incidents escalate.
11:21 Closing
Thank you for joining this Cyber Shorts episode.
Stay tuned for future episodes, and for more insights be sure to read our blog, follow our social channels, and subscribe to our newsletter.