Here's what we know about the DragonForce ransomware that hit Marks & Spencer
- Reference: 1747290732
- News link: https://www.theregister.co.uk/2025/05/15/dragonforce_ransomware_uk_retail_attacks/
The gang started operations in August 2023 but its ransomware didn't gain much traction until the following year, when DragonForce operators began advertising for affiliates on dark web forums. The gang has since claimed many victims and drawn the attention of the FBI, which [1]found it was one of 2024’s most prolific ransomware sources.
As of this month, DragonForce has listed 158 victims, and in March the crew [2]rebranded itself as a "cartel" that enables affiliates to create their own brands.
The resulting service allows other crooks to use DragonForce’s infrastructure and tools to deploy any ransomware – not just the gang’s own evil code.
"This is about DragonForce trying to attract as many affiliates as it can to its operation," Tim Mitchell, senior threat researcher at Sophos Counter Threat Unit, told The Register. "The more people it has deploying ransomware and stealing data, the more potential victims it has paying ransoms, so the higher the profits."
Infosec researchers believe DragonForce ransomware was used in the late-April attacks that claimed victims including retailers [6]Marks & Spencer, [7]Co-op, and Harrods.
Russian? Or not Russian?
DragonForce's rebrand announcement included a warning not to attack targets in the Commonwealth of Independent States, a ten-nation bloc centered on Russia and former Soviet republics. Researchers, however, can’t find evidence that the ransomware operators reside in Russia.
"The affiliate rules prohibit attacks on organizations in Commonwealth of Independent States nations and former Soviet Union countries; however, this restriction is extremely common and is not necessarily indicative of location," Genevieve Stark, head of cybercrime, hacktivism, and information operations intelligence analysis for the Google Threat Intelligence Group, told The Register.
Leave them kids alone
DragonForce draws the line at using its wares to attack hospitals that house "critical patients, children, and the elderly."
A statement on its forums, depicted below, warns that DragonForce will “punish” anyone who uses its wares on such targets.
[8] Image: DragonForce statement on inappropriate use of malware (Source: Sophos Counter Threat Unit)
"That being said, the Russian-speaking actor DragonForce has advertised RaaS [ransomware-as-a-service] on the underground forum Ramp," she added. Ramp, aka the Russian Anonymous Market Place, is a polyglot underground forum thought to be run in Russia.
An alleged member of a rival ransomware crew, RansomHub, accused DragonForce of collaborating with Russia's FSB intelligence service, according to threat intelligence vendor Cyble's research team. That allegation intensified speculation about DragonForce’s home.
"It is not possible to determine definitively whether or not DragonForce is Russia-based," Sophos's Mitchell said, noting that the Ramp forum contains multilingual content and isn't limited to native Russian speakers.
"It is possible, therefore, that the operators of DragonForce are not based in Russia but have used the line about not targeting organizations in former Soviet states to suggest they are," he added.
"Most ransomware groups explicitly demand that affiliates do not victimize organizations in Russia or Commonwealth of Independent States countries as doing so might well invite unwanted attention from Russian law enforcement,” he added. “In fact, some ransomware variants run checks on the OS or keyboard language to ensure it is not Russian before proceeding with encryption routines."
Wherever DragonForce lives, Mitchell thinks it "doesn't really pose any more of a threat than other ransomware operations" – although he also notes that the extensive support it offers to affiliates could “lower the technical bar to entry even further.”
On the flip side: "Such an operating model might also put a target on its back," he noted. "If it comes to dominate the ransomware-as-a-service landscape, it might attract unwanted attention from law enforcement in the way that [14]LockBit did before it." ®
[1] https://www.theregister.com/2025/04/24/ransomware_scum_and_other_crims/
[2] https://www.secureworks.com/blog/ransomware-groups-evolve-affiliate-models
[6] https://www.theregister.com/2025/05/13/ms_confirms_customer_data_stolen/
[7] https://www.theregister.com/2025/05/02/ncsc_steps_in_as_harrods/
[8] https://regmedia.co.uk/2025/05/14/supplied_dragonforce_statement.jpg
[14] https://www.theregister.com/2024/07/31/five_months_after_lockbit/
Re: And that's why you should NEVER pay a ransom...
Not to mention you would literally be paying criminals that you know have done crime, and it's very likely they're operating in a heavily sanctioned country; it's not a risk-free choice, legally.
Re: And that's why you should NEVER pay a ransom...
The best way to ensure that ransoms are not paid would be to make them illegal. It wouldn't be immediate complete prevention but would be more effective after the first prosecution of a board that did.
Couple that with offering big rewards for information leading to the identification and capture of those responsible. There are probably a few who, in return for immunity and cash, might contrive to inveigle or otherwise exfiltrate their associates to somewhere where there's extradition.
"off limits"
I'm sorry, you're already the bottom of the barrel. Pretending you have standards is not going to raise your status.
Re: "off limits"
Not so much as having standards, more the worry that Russian Law Enforcement is more focused on the word Enforcement than the word Law when it comes to dealing with threats to Russian interests. Why put a bounty on your head by attacking Russian targets when there are so many easy targets in the west?
Re: "off limits"
Exactly, the slightest poke at the Russian bear may result in you accidentally falling out of a window.
"...some ransomware variants run checks on the OS or keyboard language to ensure it is not Russian before proceeding with encryption routines."
I wonder if it looks at the language actually selected at the time, or merely enabled in the keyboard locale switcher (or whatever Windows uses these days). Having Russian as the "main" language, while actually using your own, might be a low-cost way of making yourself less likely to be targeted.
And that's why you should NEVER pay a ransom...
They already have your data... who's to say they'll actually delete it or give you the key to decrypt it after payment is made?