
DragonForce Ransomware Siege on UK Retail in 2025: Malware Analysis

In spring 2025, the UK retail sector faced a major cyberattack by the DragonForce ransomware group, targeting icons like Marks & Spencer (M&S), Co-op, and Harrods. Originating as a Malaysian hacktivist group in August 2023, DragonForce evolved into a sophisticated Ransomware-as-a-Service (RaaS) "cartel" by March 2025. This analysis explores its origins, infection methods, impact stats, technical prowess, and strategic effects, offering mitigation insights as of June 29, 2025.

CYBERSECURITY | DEVELOPMENT AND ECONOMIC THREATS | CYBER ACTIVISTS

Phillemon Neluvhalani

6/30/2025 · 5 min read

DragonForce Ransomware, Malware Analysis, UK Retail Stores Hacked by DragonForce Hacker Group

Its Origins and Evolution...

From Hacktivism to Financial Extortion

DragonForce first surfaced in August 2023 as a pro-Palestinian hacktivist group, allegedly based in Malaysia, targeting entities aligned with geopolitical causes it opposed. Early attacks, such as those on the Ohio Lottery (stealing over 600GB of data) and Coca-Cola Singapore, showcased its initial ideological bent. However, by late 2023, the group pivoted toward profit-driven ransomware operations, leveraging leaked LockBit 3.0 and Conti v3 code to build its malware. This shift was cemented in June 2024 with the launch of a full affiliate program, transforming DragonForce into a RaaS platform. By March 2025, it rebranded as a "cartel," offering white-label branding and a 20% operator cut (affiliates keep 80%), attracting affiliates amid the collapse of rivals like RansomHub.

The group’s evolution coincided with a turbulent ransomware landscape. The dismantling of LockBit and ALPHV in 2024 created a vacuum, which DragonForce exploited by absorbing affiliates from defunct groups like RansomHub and BlackLock. Its claim to avoid targeting Commonwealth of Independent States (CIS) nations, including Russia, raises questions about its base—some speculate a Russian link due to forum activity, though evidence remains inconclusive. This strategic ambiguity, combined with its aggressive marketing on dark web forums like RAMP, has fueled its rapid rise.

The UK Retail Campaign

The siege began in late April 2025, with M&S hit first on April 22, followed by Co-op and Harrods within two weeks. DragonForce affiliates, potentially linked to the Scattered Spider group, leveraged social engineering and supply chain weaknesses to infiltrate these retailers. The attacks disrupted online sales, payment systems, and inventory management, exposing the sector’s reliance on digital infrastructure. The group’s double-extortion tactics (data theft followed by encryption) amplified the pressure, with threats to leak customer data on its "RansomBay" leak site.

How DragonForce Works: Infection Chain and Mechanisms

DragonForce operates as a multi-platform RaaS threat, targeting Windows, Linux, ESXi, and NAS systems. Its infection chain and technical operations reflect a blend of inherited code and innovative adaptations.

1. Initial Infection Vectors

  • Phishing and Social Engineering: Affiliates use tailored phishing emails, often impersonating IT support, to deliver malicious attachments or links. Scattered Spider’s tactics, including vishing and MFA bypass, were likely employed to gain initial access.

  • Supply Chain Exploitation: The May 2025 attack on an MSP via SimpleHelp RMM vulnerabilities (CVE-2024-57727, CVE-2024-57728, CVE-2024-57726) allowed DragonForce to target multiple endpoints, including retail customers.

  • Exploited Vulnerabilities: The group leverages known flaws, such as Log4Shell (CVE-2021-44228), to penetrate unpatched systems, a tactic noted in its broader campaign.

2. Delivery and Execution

  • Initial Payload: A customizable binary, built from LockBit and Conti code, is delivered via phishing or RMM tools. Affiliates can adjust filenames, extensions, and execution delays.

  • Second-Stage Deployment: The payload is launched through, or injected into, processes such as powershell.exe, using Living Off the Land (LOTL) techniques (e.g., WMI, PowerShell) to blend in with administrative activity. On ESXi hosts the Linux build uses vim-cmd "vmsvc" commands to enumerate and power off virtual machines so their disk files can be encrypted.

  • Encryption: Variants use AES-256 or ChaCha8 for bulk file encryption, with RSA protecting the symmetric keys, and append a unique extension to encrypted files. Shadow copies are deleted beforehand with vssadmin or wmic so that local recovery is not possible.

3. Command-and-Control (C2) and Data Exfiltration

  • C2 Communication: Affiliates manage campaigns via a DragonForce panel, using encrypted HTTP POST requests or cloud services like MEGA. WebDAV and SFTP transfers exfiltrate data.

  • Data Theft: Tools like Mimikatz, Advanced IP Scanner, and PingCastle harvest credentials and map networks. Exfiltrated data—up to 6TB in a February 2025 Middle Eastern case—is compressed and uploaded.

  • Leak Site Pressure: The "RansomBay" site hosts stolen data, with recordings of victim calls adding psychological leverage.

4. Persistence and Evasion

  • LOTL and Remote Access Tools: Legitimate remote-access software (e.g., TeamViewer) and commercial post-exploitation frameworks such as Cobalt Strike maintain access, while registry modifications (e.g., Run keys) provide subtle persistence.

  • Anti-Forensic Measures: File deletion (e.g., "del," "rm") and security tool disablement (e.g., antivirus tampering) obscure tracks.

  • White-Label Flexibility: Affiliates can rebrand payloads, complicating attribution and detection.
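The execution and persistence behaviours listed in sections 2 and 4 (shadow-copy deletion, boot-recovery tampering, hidden encoded PowerShell, Run-key persistence, Defender tampering, and shells spawned from phishing attachments) all show up in process-creation telemetry before any file is encrypted. The script below is an added example written for this article, not DragonForce tooling or any vendor's detection content: it scores constructed Sysmon Event ID 1 / Security 4688 style events per host and escalates any host that shows pre-encryption activity regardless of its score. Host names, sample command lines, rule weights and the threshold are all assumptions chosen for the demonstration.

```python
"""Score Windows process-creation events for the pre-encryption, LOTL and
persistence commands described above (added example; constructed data)."""
import re
from collections import defaultdict

# Regex rules applied to the command line: (name, weight, pattern).
COMMAND_RULES = [
    ("shadow_copy_deletion", 10, re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*\.delete\(\))", re.I)),
    ("recovery_disabled", 8, re.compile(
        r"bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("encoded_hidden_powershell", 5, re.compile(
        r"powershell(\.exe)?(?=.*\s-(?:w|windowstyle)\s+hidden)"
        r"(?=.*\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,})", re.I)),
    ("run_key_persistence", 4, re.compile(
        r"reg(\.exe)?\s+add\s+\"?HK(LM|CU)\\.*\\CurrentVersion\\Run", re.I)),
    ("defender_tamper", 6, re.compile(
        r"(Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true"
        r"|sc(\.exe)?\s+(stop|config)\s+WinDefend)", re.I)),
]
# Structural rule: a shell spawned directly by an Office application (phishing attachment).
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WEIGHTS = {name: w for name, w, _ in COMMAND_RULES}
WEIGHTS["office_spawned_shell"] = 3
# Either of these means encryption is imminent: escalate regardless of score.
PRE_ENCRYPTION = {"shadow_copy_deletion", "recovery_disabled"}

# Constructed sample events (host, parent image, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("srv-fin01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin.exe delete shadows /all /quiet"),
    ("srv-fin01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
     "wmic shadowcopy delete"),
    ("srv-fin01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\bcdedit.exe",
     "bcdedit /set {default} recoveryenabled No"),
    ("ws-hr22", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     r"C:\Windows\System32\cmd.exe", r'cmd.exe /c start "" "C:\Users\hr\AppData\Local\Temp\invoice.pdf.exe"'),
    ("ws-hr22", r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ("ws-hr22", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\svc.exe"),
    ("ws-it05", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
    ("ws-it05", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe Get-ChildItem C:\\logs"),
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(parent_image, image, command_line):
    """Return the rule names a single process-creation event triggers."""
    hits = [name for name, _, rx in COMMAND_RULES if rx.search(command_line)]
    if _basename(parent_image) in OFFICE_APPS and _basename(image) in SHELLS:
        hits.append("office_spawned_shell")
    return hits


def triage(events, suspicious_threshold=5):
    """Aggregate per host. Each rule counts once per host, so a loop of vssadmin
    calls does not inflate the score. Returns {host: (verdict, sorted rule names)}."""
    per_host = defaultdict(set)
    for host, parent, image, cmdline in events:
        per_host[host].update(classify(parent, image, cmdline))
    verdicts = {}
    for host, rules in per_host.items():
        score = sum(WEIGHTS[r] for r in rules)
        if rules & PRE_ENCRYPTION:
            verdict = "critical"          # isolate now; encryption typically follows within minutes
        elif score >= suspicious_threshold:
            verdict = "suspicious"
        else:
            verdict = "clean"
        verdicts[host] = (verdict, sorted(rules))
    return verdicts


if __name__ == "__main__":
    for host, (verdict, rules) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host:10} {verdict:10} {', '.join(rules) or '-'}")
```

The separation between a weighted score and the unconditional "critical" set is the design point: encoded PowerShell or a Run key on its own is worth an analyst's look, but shadow-copy deletion is a response trigger, not a data point to be averaged away.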

Its Statistical Impact and Trends...

Infection Statistics

  • Victim Count: DragonForce claimed 158 victims by May 2025, with 40+ in Q1 2025 alone, per Check Point data. UK retail attacks added three high-profile cases.

  • Financial Impact: M&S losses are estimated at £3.8 million daily, with total retail losses potentially exceeding £60 million. Co-op’s breach affected 20 million members’ data.

  • Sector Targeting: Retail accounted for 11% of data leak site victims in 2025, up from 8.5% in 2024, reflecting DragonForce’s focus.

Trends in 2025

  • RaaS Fragmentation: The 126% year-over-year increase in ransomware victims (2,289 in Q1 2025) highlights a competitive landscape, with DragonForce absorbing affiliates post-RansomHub’s April 2025 collapse.

  • Extortion Without Encryption: In Co-op’s case, early containment reportedly left the attackers with stolen data but no deployed encryptor, a data-theft-only extortion pattern also seen with groups like Hunters International.

  • Supply Chain Attacks: The MSP breach via SimpleHelp marks a new escalation, exploiting trusted RMM tools.

  • Retail Vulnerability: A 22% year-over-year increase in consumer goods sector attacks underscores retail’s digital dependency.

Operational Disruption

  • M&S: Online ordering suspended for roughly six weeks (paused April 25, resumed June 10, 2025), empty shelves, and a £500 million market value drop.

  • Co-op: 200 of 2,300 stores faced contactless payment issues; data breach impacted member trust.

  • Harrods: Swift containment limited disruption, but internet access restrictions highlighted proactive response.

Let's Go Further In Depth...

Technical Sophistication

DragonForce’s malware inherits robustness from LockBit and Conti, enhanced by customizations like ChaCha8 encryption and ESXi targeting. Its white-label model allows affiliates to tailor payloads, and Bring Your Own Vulnerable Driver (BYOVD) techniques are used to disable security software from kernel mode. The use of AI-assisted malware development, as noted in 2025 trends, may lower technical barriers, while LOTL tactics blend malicious and legitimate activity, evading traditional signatures.

Its Role in the Ransomware Ecosystem

As a cartel, DragonForce redefines RaaS by offering infrastructure (leak sites, negotiation tools) and flexibility (80/20 affiliate splits). Its takeover of RansomHub’s tools and defacement of BlackLock’s site signal a power grab, positioning it as a successor to LockBit. The UK retail siege, possibly aided by Scattered Spider, showcases a hybrid model blending ideological roots with financial motives, targeting high-visibility brands for media leverage.

Comparison to Other Malware

Unlike Cl0p’s vulnerability exploitation focus, DragonForce emphasizes affiliate recruitment and supply chain attacks. Its 20% cut is lower than LockBit’s 30%, attracting affiliates, while its global reach (e.g., Palau, Singapore) outpaces regional players like BianLian. The MSP vector sets it apart from traditional entry methods.

Attribution and Motives

Linked to Malaysia’s DragonForce hacktivists, its CIS exclusion suggests a possible Russian influence, though evidence is speculative. Financial gain drives the 2025 campaign, with data leaks and ransom demands (e.g., Co-op’s extortion attempt) aiming to maximize profit. Ideological traces remain, but the retail focus prioritizes economic disruption.

Its Evasion and Anti-Analysis Techniques...

  • Obfuscation: Customizable payloads and encrypted C2 traffic hinder analysis.

  • LOTL: Use of native tools like PowerShell and TeamViewer avoids detection.

  • Anti-Forensic: File deletion and security disablement erase evidence.

  • Supply Chain Exploitation: MSP breaches amplify reach, bypassing perimeter defenses.

Mitigation Strategies

Technical Defenses

  • Patch Management: Address SimpleHelp CVEs and Log4Shell promptly.

  • Endpoint Detection: Deploy EDR with behavioral analysis for LOTL activity.

  • Network Monitoring: Track abnormal WebDAV/SFTP traffic and C2 domains.

  • Access Controls: Enforce MFA and restrict RMM tool permissions.
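The "Network Monitoring" item above, together with the exfiltration mechanisms described earlier (WebDAV and SFTP transfers, uploads to MEGA), can be turned into a concrete first-pass check over an outbound-flow export from a proxy or firewall. The script below is an added example for this article, not a product feature or the group's own tooling: it flags WebDAV methods to external hosts, uploads to MEGA domains, and bulk transfers per source/destination/port pair. The CSV layout (timestamp, source IP, destination host, port, HTTP method or protocol, bytes out), the internal address ranges and DNS suffix, the 250 MiB threshold and the sample flows are all assumptions constructed for the demonstration.

```python
"""Flag WebDAV, file-sharing-service and bulk outbound transfers in an export of
outbound flows (added example; constructed data)."""
import csv
import io
import ipaddress
from collections import defaultdict

WEBDAV_METHODS = {"PUT", "PROPFIND", "MKCOL", "MOVE", "COPY", "LOCK"}
FILE_SHARE_SUFFIXES = ("mega.nz", "mega.co.nz", "mega.io")   # MEGA, named in the text
BULK_BYTES = 250 * 1024 * 1024        # assumption: 250 MiB per src/dst/port pair in the export
INTERNAL_DNS_SUFFIX = ".corp.local"   # assumption: hostnames under this suffix are internal
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export: timestamp,src_ip,dst_host,dst_port,method_or_proto,bytes_out
SAMPLE_LOG = """\
2025-04-23T02:14:07Z,10.20.5.41,api.mega.co.nz,443,POST,187000000
2025-04-23T02:19:30Z,10.20.5.41,api.mega.co.nz,443,POST,203000000
2025-04-23T02:25:11Z,10.20.5.41,203.0.113.17,443,PUT,95000000
2025-04-23T02:26:02Z,10.20.5.41,203.0.113.17,443,PROPFIND,1200
2025-04-23T03:02:44Z,10.20.7.9,198.51.100.8,22,SSH,650000000
2025-04-23T03:10:00Z,10.20.9.3,updates.example.com,443,GET,45000
2025-04-23T03:11:00Z,10.20.9.3,10.20.1.5,22,SSH,900000000
"""


def is_external(dst):
    """IP literals are external unless inside the internal ranges; hostnames are
    external unless they carry the internal DNS suffix."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return not dst.lower().endswith(INTERNAL_DNS_SUFFIX)
    return not any(addr in net for net in INTERNAL_NETS)


def is_file_share(host):
    """Exact or subdomain match against the file-sharing suffixes (avoids 'notmega.nz')."""
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in FILE_SHARE_SUFFIXES)


def parse(text):
    flows = []
    for ts, src, dst, port, method, nbytes in csv.reader(io.StringIO(text.strip())):
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port),
                      "method": method.upper(), "bytes": int(nbytes)})
    return flows


def analyze(text):
    """Return {src_ip: sorted list of (rule, destination)} for sources that trip a rule."""
    alerts = defaultdict(set)
    volume = defaultdict(int)
    for f in parse(text):
        if not is_external(f["dst"]):
            continue  # internal transfers (backups, file servers) are out of scope here
        volume[(f["src"], f["dst"], f["port"])] += f["bytes"]
        if f["method"] in WEBDAV_METHODS:
            alerts[f["src"]].add(("webdav_to_external", f["dst"]))
        if is_file_share(f["dst"]):
            alerts[f["src"]].add(("file_sharing_service", f["dst"]))
    for (src, dst, port), total in volume.items():
        if total >= BULK_BYTES:
            rule = "bulk_sftp_upload" if port == 22 else "bulk_upload"
            alerts[src].add((rule, dst))
    return {src: sorted(rules) for src, rules in alerts.items()}


if __name__ == "__main__":
    for src, hits in sorted(analyze(SAMPLE_LOG).items()):
        for rule, dst in hits:
            print(f"{src:12} {rule:22} -> {dst}")
```

Two caveats for production use: the volume rule needs a real time window (the export here is treated as one window), and the internal ranges must be maintained deliberately, since the documentation ranges used in the sample would be classified as private by Python's `is_private` and silently dropped if that shortcut were used instead of an explicit list.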

User Education

  • Phishing Training: Educate staff on vishing and phishing red flags.

  • Credential Hygiene: Promote unique, complex passwords.

Proactive Measures

  • Threat Intelligence: Monitor RansomBay and affiliate forums for IoCs.

  • Incident Drills: Conduct tabletop exercises for ransomware response.

Incident Response

  • Isolation: Disconnect affected systems and reset credentials.

  • Data Recovery: Use offline backups to restore operations.

  • Forensics: Analyze logs for Mimikatz or Cobalt Strike traces.

The DragonForce ransomware siege on UK retail in 2025 marks a pivotal moment in the evolution of cybercrime, blending hacktivist origins with a profit-driven RaaS cartel model. With significant financial losses (£60 million+), operational chaos, and retail’s share of data leak site victims rising to 11%, its impact is profound. The group’s use of supply chain vulnerabilities, double extortion, and affiliate flexibility challenges traditional defenses, while its ambiguous origins fuel speculation. As of June 29, 2025, organizations must adopt proactive, layered security measures to counter this threat. Stay Vigilant!