Ransomware Spotlight: DragonForce

What organizations need to know about DragonForce
(Water Tambanakua)

DragonForce (tracked by Trend Micro as Water Tambanakua) has shown consistent activity and a clear drive to expand its influence among affiliates. Its tactics also point toward an aggressive and highly opportunistic approach. One example of this is its use of multivariant payloads, in which it reuses leaked builders from LockBit and Conti codebases. By not relying on a single family, the group can switch their payload quickly, making it difficult for defenses to predict and defend.

In addition to its flexible codebase, DragonForce employs a more advanced evasion technique, specifically bring your own vulnerable driver (BYOVD). This technique allows DragonForce to disable endpoint security defenses by exploiting legitimate but vulnerable drivers—a relatively uncommon tactic among ransomware operators.

Overall, these tactics show an agile and ambitious ransomware group. By providing tools for affiliates and encouraging more autonomous operations, the group could be at the root of more attacks in the future. Being aware of DragonForce’s trajectory would be helpful to defending against attacks that may indirectly surface from this group’s ecosystem.

Here is an outline of what organizations should know about the group:

• The group claimed responsibility for several attacks in the UK, including those against well-known retailers in June 2025, signifying the group’s goal of targeting high-profile entities.
• Aside from targeting retailers, it has also been known to target supply-chain/service providers, often using ransomware and data-exfiltration tactics to disrupt operations and leak sensitive information.
• Since its emergence it has rapidly evolved through the years. It began with Lockbit3.0 builders in 2023, then released its own ransomware and leak site in 2024, before rebranding into a ransomware “cartel,” in 2025.
• The group offers affiliates up to 80% of ransom proceeds, in addition to tools for attack management, automation, and customized ransomware campaigns.
• In August 2025, they launched a “data analysis service,” for creating tailored extortion materials — offered to affiliates targeting organizations with an annual revenue of no less than US$15 million.
• The group allows their affiliates to build multiple variants of their ransomware, tailored for platforms including Windows, Linux, EXSi, and NAS.
• Aside from the uncertainty of its connection to a hacktivist group, DragonForce has been linked to Scattered Spider, The Com, BlackLock (Mamona), and RansomHub.
• Organizations should anticipate more diverse and aggressive campaigns linked to this group, including those that don’t carry the DragonForce brand but instead those of their affiliates.

DragonForce timeline

In August 2023, at the start of its ransomware operations, DragonForce targeted companies in critical sectors using a variant of a leaked LockBit 3.0 builder. By June 26, 2024, the group launched an affiliate program that offered 80% of the ransom to affiliates, along with tools for attack management and automation. These tools allowed affiliates to create customized ransomware samples, including disabling security features, setting encryption parameters, and personalizing ransom notes. A month later, in July 2024, DragonForce released their own variant of ransomware, which was reportedly based on Conti V3. The use of leaked LockBit and Conti builders could hint that affiliates have ties to Lockbit and Conti ecosystems.

Figure 1. A sample of activity in 2024, where DragonForce published an audio recording of a victim.

Figure 2. Encrypted files are renamed to random characters + ".dragonforce_encrypted"

DragonForce allows affiliates to build multiple variants of their ransomware, with Windows, Linux, EXSi, and NAS-specific encryptors. In November 2024, we discovered a Linux variant of the ransomware, with findings detailed in the technical section of this report.

Shift to a cartel

On March 19, 2025, they announced their shift to becoming the DragonForce Ransomware cartel. As a cartel, affiliates were encouraged to branch out from the DragonForce brand to build their own, while still using the group’s tools and resources. This change marks a notable shift that was quickly followed by further developments in the months ahead.

Figure 3. Post on DragonForce’s blog advertising their shift into a ransomware cartel.

Links to other ransomware groups

Around the time it shifted into a cartel, DragonForce was also linked to activity involving other RaaS groups. It was tied to attacks from BlackLock, and consequently, Mamona. It also appeared to be in conflict with RansomHub, which had gone offline during this same period.

The nature of these collaborations and takeovers remains uncertain, with security experts speculating that they could stem from hostile rivalry or a simple consolidation of resources.

Whatever the case may be, DragonForce-linked attacks began to grow in prominence in the following months. The group was linked to the UK retail attack back in April, alongside Scattered Spider (Octo Tempest) and loose threat actor collective the “Com.” Reports suggest that Scattered Spider served as the Initial Access Broker while DragonForce handled deployment and extortion.

In June 2025, we identified a new DevMan ransomware variant that seems to further highlight the link between DragonForce and Mamona (BlackLock).

New services

On August 23, 2025, DragonForce introduced a “data analysis service” designed to assist affiliates, and pressure victims of ransomware/data leak attacks into paying. The "service" functions as a risk audit of both the targeted organization and the stolen data, generating materials such as extortion call scripts, drafts of letters to management, and pseudo legal analysis and advice reports. Fees for this service range from 0% to 23% of ransom payments and is specifically marketed to affiliates who target organizations with an annual revenue of at least US$15 million.

Infection chain and techniques

The following section details the initial infection chain observed from DragonForce activity as illustrated in Figure 4.

Figure 4. DragonForce observed infection chain

Technical Details

The ransomware accepts the following arguments:

It encrypts fixed, removable, and network drives.

This ransomware adds the following processes:

• exe shadowcopy delete
• exe /set {default} bootstatuspolicy ignoreallfailures
• exe delete systemstatebackup -keepVersions:3
• exe delete systemstatebackup
• exe /set {default} recoveryenabled No
• exe delete shadows /all /quiet
• exe delete catalog-quiet
• exe {Drive}:\Contact Us.txt

It appends the following extension to the file name of the encrypted files:

• {original filename}.{original extension}.locked

It contains a list of strings where it chooses files to avoid. For the variant analyzed, it avoids the encrypting files with the following strings in their file path:

It contains a list of extensions where it chooses files to avoid. For the variant analyzed, it avoids encrypting the following files with the following extensions:

The Linux variant meanwhile accepts the following arguments:

The Linux variant adds the following processes:

• Enumerates VM using the command vim-cmd vmsvc/getallvms
• Turns off all VM’s using the command vim-cmd vmsvc/power.off

The extracted configuration outlines how DragonForce performs its encryption process. Here we specify the logging details, encryption keys, file renaming rules, and operational parameters, such as delay, threading, and extension naming. The configuration is tailored for VMware ESXi environments (notably /vmfs/volumes) while retaining extensive whitelists of system directories, file extensions, and filenames to avoid encrypting critical components required for the host bootability.

Config:

• Log file: encryption.log
• Log params: out=1 trc=0 stat=1 file=1 enc=0
• Keys: 2DB77648B9962A2B FB1B666974A88AA5
• Dry-run: 0
• Encryption params: 16 52428800 0
• Rename: 1 Extension: .dragonforce_encrypted
• Delay: 20 Threads: 4 Detached: 0

Paths:

• /vmfs/volumes

Whitelist paths:

• BOOTBANK1
• BOOTBANK2
• .sdd.sf
• log
• devices

Whitelist extensions:

Whitelisted filenames:

Top affected countries, industries, and business sizes

The US was the most affected by DragonForce, far outstripping other countries in victim count. The UK followed, aligning with the group’s more recent spate of high-profile attacks. Other affected countries include Germany, Australia, and Italy.

Figure 7. The distribution of countries (top 5) targeted by DragonForce

Sources: DragonForce leak site data and Trend open-source intelligence (OSINT) research (Dec. 2023- Aug. 2025)

DragonForce has mostly targeted companies in the manufacturing, construction, IT, and professional services, but overall, it casts a wide net. This demonstrates the group’s more opportunistic behavior, rather than a sector-specific targeting. Their broad approach is typical of RaaS operations with strong affiliate programs. As most of their victims are tied to infrastructure and digital services, it indicates a strategy for maximizing disruption.

Figure 8. A breakdown of the top 10 industries targeted by DragonForce ransomware attacks

Sources: DragonForce leak site data and OSINT research (Dec. 2023- Aug. 2025)

Across all publicly revealed victims, North America remains the primary target, followed by Europe. This trend aligns with DragonForce’s focus on lucrative markets.

Figure 9. The distribution by region of the DragonForce ransomware’s victim organizations, excluding victims with unknown locations.

Sources: DragonForce leak site data and Trend open-source intelligence (OSINT) research (Dec. 2023- Aug. 2025)

While the majority of the DragonForce’s victim organizations were small businesses, the group has not shied away from larger targets.

Figure 10. The distribution by organization size of DragonForce’s victim organizations

Sources: DragonForce’s leak site and Trend Micro’s OSINT research (Dec. 2023- Aug. 2025)

Recommendations

DragonForce stands out for its aggressive affiliate program and ties with other ransomware operations, both defunct and active. Its trajectory suggests that it will continue to be a presence behind future attacks, showing how ransomware groups find ways to evolve and persist through new forms and services. Organizations should monitor its tactics and review standard measures to prevent attacks or minimize their impact.

The following are some best practices can help protect against ransomware attacks:

Audit and
inventory

• Take an inventory of assets and data
• Identify authorized and unauthorized devices and software
• Make an audit of event and incident logs

Configure and
monitor

• Manage hardware and software configurations
• Grant admin privileges and access only when necessary to an employee’s role
• Monitor network ports, protocols, and services 
• Activate security configurations on network infrastructure devices such as firewalls and routers
• Establish a software allow list that only executes legitimate applications

Patch and
update

• Conduct regular vulnerability assessments
• Perform patching or virtual patching for operating systems and applications 
• Update software and applications to their latest versions 

Protect and
recover

• Implement data protection, backup, and recovery measures 
• Enable multifactor authentication (MFA) 

Secure and
defend

• Employ sandbox analysis to block malicious emails 
• Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network 
• Detect early signs of an attack such as the presence of suspicious tools in the system 
• Use advanced detection technologies such as those powered by AI and machine learning

Train and
test

• Regularly train and assess employees on security skills 
• Conduct red-team exercises and penetration tests

Indicators of Compromise (IOCs)

The IOCs for this article can be found here. Actual indicators might vary per attack.