How to tame your DragonForce

Even if you’ve been hiding under a stone for the past few weeks, you’ll still be aware of the ongoing DragonForce ransomware and extortion campaign against (so far) UK retailers.
In recent days, DragonForce told the BBC “We have put the UK retail sector on a blacklist, we’re going to keep hacking them” …
Let’s look at what we know so far – who these attackers are, what actions they’ve taken, and how they’ve executed their attacks. Plus, we’ll cover how ZORB can help you tame the dragon.
Who are DragonForce?
DragonForce first emerged as a ransomware operator in late 2023. They are reported to originate in Malaysia. Their ransomware has been created from leaked source code of prior ransomware, including LockBit 3.0 and Conti.
In March 2025, DragonForce changed its business model towards becoming a “ransomware cartel”, allowing affiliates to distribute the DragonForce encryptor under their own affiliate branding and malware strain. Whilst their current active targets appear to be the UK retail industry, many industries have fallen victim to their attacks – including Aerospace and Defence, Automotive, Banking Finance and Insurance, Energy and Utilities, Pharma, Government, and so on. Not just in the UK, but globally.
The group is purely financially motivated. A DragonForce representative recently told the press they are “here for business and money.” DragonForce advertises stolen data on its leak site. If the ransom is not met, the data is published. One article I researched stated that DragonForce leaked over 6 TB of data from a Middle Eastern victim when the ransom demand wasn’t met back in February 2025.
What has DragonForce done (so far) and how have impacted businesses responded?
Marks & Spencer was the first to be linked to a DragonForce attack by security researchers, after the DragonForce ransomware encryptor was found on M&S’s network. Also linked to this attack are known DragonForce affiliates Scattered Spider, who have a reputation for strong social engineering tactics. The attack has hit M&S hard, disrupting online orders and contactless payments and impacting the Click & Collect service. M&S warehouse operations were stopped and staff were told to stay home while containment efforts were underway. The attack has disrupted M&S’s food supply chain, with empty shelves in many stores.
Co-op reported a breach shortly after. Co-op has now confirmed that significant amounts of customer data were stolen. Whilst Co-op has yet to publicly confirm this was a ransomware attack, experts have noted similar patterns in the attack. To Co-op’s advantage, they were able to swiftly contain the attack in the early stages. They isolated key systems and restricted VPN access to prevent the malware from successfully deploying, even though data has been confirmed stolen.
Harrods publicly revealed an attempted intrusion attack a few days later. The similarity in attack methods, and timing, strongly suggests a common attacker, although as I write, this has not been officially linked to DragonForce. The attack has had less impact upon Harrods, as their IT security team managed to restrict Internet access on the day of the breach attempt. Fortunately, this meant their online and physical stores remained operational.
Anatomy of the attack
Although Scattered Spider’s phishing techniques and DragonForce’s encryptor were both strong and sophisticated, the actual attack process involves nothing we haven’t seen before.
Using a variety of different sources, I’ve pulled together some of the Tactics, Techniques, and Procedures (TTPs) that we know are being used by DragonForce affiliates.
1) Gaining Entry
Social Engineering & Phishing – phishing emails and phone-based social engineering attacks with attackers masquerading as IT helpdesks to obtain credentials.
Valid Accounts – the group uses credentials obtained above to access legitimate user and system accounts.
Credentials – once on a device, they use tools like Mimikatz to steal login secrets from the Windows LSASS process.
2) Malware Drop
User Execution of Malware – users are being engineered to drop malware via hidden macros in PDFs. Once a presence on a device has been established, heavier artillery is pulled from the Internet such as Cobalt Strike and the encryptor itself.
PowerShell Scripts – Windows PowerShell is used to execute payloads and to schedule and automate malicious scripts at startup.
3) Maintaining a Persistent Presence
Disabling Security Tools – anti-rootkit drivers are being used to kill device anti-virus/EDR, and Windows Registry Run keys are created or modified to ensure the malware, or a backdoor, starts on device boot.
4) Discovery
Active Directory – the group relies heavily on AD enumeration to understand the business domain structure to pinpoint high-value targets.
Port scanning – the group also uses network scanner tools to enumerate open ports and shared folders.
Manual Discovery – it has even been reported that affiliates will spend several days manually searching file shares for customer data, financial records, and databases.
5) Lateral Movement
Protocols – RDP is used for movement across networks, with SMB used to traverse to remote machines to drop and execute binaries.
6) Data Exfiltration
Tools – once established, DragonForce attackers install agents to communicate with their command-and-control (C2) servers. It has been reported that they often use Cobalt Strike Beacon, a sophisticated post-exploitation agent that allows them to maintain real-time control within the network.
How can ZORB help you tame the DragonForce?
ZORB specialises in preventing data exfiltration. The DragonForce group is known to use C2 channels and file transfer tools to exfiltrate data to cloud services. It has been documented that the group also uses command-line tools like rclone and wget to transfer data to servers.
As the DragonForce attack shows, today ransomware is more likely to steal data, as opposed to simply encrypting data locally on a machine. Whilst C2s and FTP are important elements in the attack, they have a weakness – communication can be detected and stopped.
ZORB operates by whitelisting trusted applications. Only trusted applications are allowed to transmit data out of a device. Furthermore, outbound data destinations should correlate with the originating application.
Many of the tools mentioned above for enumeration, persistence, lateral movement, and data exfiltration are executable (“.exe”) files. In many cases the ransomware encryptor itself is a .exe, as are Mimikatz, FTP and similar tools, RDP tools, and C2 agents. This has an important implication for an attack like DragonForce: unless these tools are whitelisted as trusted applications at an individual user, departmental, or team level, ZORB will prevent them from transmitting data outside of the device itself, even if an attacker manages to install them.
ZORB’s whitelisting works on a “deny-all and permit-any known trusted data” basis. This is difficult to achieve with traditional outbound protection devices, such as rule-based EDR or firewalls: achieving “deny-all and permit-any known trusted data” with those would require thousands upon thousands of rules for trusted endpoints. Conversely, “permit-any and deny-all malicious exfiltration” requires knowledge of all existing malicious endpoints.
Some users may require FTP or RDP, in which case ZORB will query the traffic destination to confirm the legitimacy of the data transfer. For example, if a user is trusted to FTP to certain known servers or services, ZORB will still prevent the transfer of data to any unknown or untrusted cloud service.
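To make the “deny-all, permit known trusted” model concrete, here is a small added illustration in Python. It is not ZORB’s code and says nothing about how the product is implemented; the trusted-application entries, user names, hostnames and connection events are all constructed for the example. A trusted application is a (process, permitted destinations, permitted users) entry, so a tool that is not listed is denied outright, and a listed tool is still denied when it reaches for a destination it is not known to use. A “permit-any, deny-known-bad” check is included alongside it to show the contrast drawn above.

```python
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class OutboundEvent:
    """One outbound connection attempt observed on an endpoint (constructed)."""
    user: str
    process: str       # image name, e.g. "rclone.exe"
    destination: str   # hostname the process is connecting to
    port: int


@dataclass(frozen=True)
class TrustedApp:
    """An allow-list entry: who may run this process, and where it may send data."""
    process: str
    destinations: tuple[str, ...] = ("*",)   # glob patterns; "*" means any destination
    users: tuple[str, ...] = ("*",)          # glob patterns; "*" means any user


class OutboundPolicy:
    """Deny-all by default; permit only traffic that matches a trusted entry."""

    def __init__(self, trusted: list[TrustedApp]) -> None:
        self.trusted = trusted

    def decide(self, ev: OutboundEvent) -> tuple[str, str]:
        """Return ("allow" | "deny", reason). The reason keeps the most specific
        failure seen so an analyst can tell *why* a transfer was blocked."""
        reason = f"{ev.process} is not a trusted application"
        for app in self.trusted:
            if ev.process.lower() != app.process.lower():
                continue
            if not any(fnmatch(ev.user, u) for u in app.users):
                reason = f"{ev.process} is not trusted for user {ev.user}"
                continue
            if not any(fnmatch(ev.destination, d) for d in app.destinations):
                reason = (f"{ev.process} is trusted, but {ev.destination} "
                          "is not a known destination for it")
                continue
            return ("allow", "trusted application and known destination")
        return ("deny", reason)


# Constructed policy: a mail client limited to its mail servers, a browser that may
# talk anywhere, and an FTP client that only one user may point at one partner host.
POLICY = OutboundPolicy([
    TrustedApp("outlook.exe", destinations=("*.mail.example",)),
    TrustedApp("chrome.exe"),
    TrustedApp("ftp.exe", destinations=("sftp.partner.example",), users=("alice",)),
])

# Constructed connection attempts; rclone.exe stands in for an exfiltration tool.
EVENTS = [
    OutboundEvent("alice", "ftp.exe", "sftp.partner.example", 22),
    OutboundEvent("alice", "ftp.exe", "files.unknown-cloud.example", 21),
    OutboundEvent("bob", "ftp.exe", "sftp.partner.example", 22),
    OutboundEvent("bob", "rclone.exe", "storage.cloud.example", 443),
    OutboundEvent("bob", "chrome.exe", "www.example", 443),
    OutboundEvent("alice", "outlook.exe", "smtp.mail.example", 587),
]

# For contrast: a "permit-any, deny-known-bad" list. It only catches destinations
# someone has already written down, so a new exfiltration endpoint sails through.
KNOWN_BAD_DESTINATIONS = {"dropsite.bad.example"}   # constructed placeholder


def denylist_decide(ev: OutboundEvent) -> str:
    return "deny" if ev.destination in KNOWN_BAD_DESTINATIONS else "allow"


def evaluate(policy: OutboundPolicy, events: list[OutboundEvent]) -> list[tuple]:
    """Run both models over the events and return one row per event."""
    return [(ev.user, ev.process, ev.destination, policy.decide(ev)[0], denylist_decide(ev))
            for ev in events]


if __name__ == "__main__":
    for user, proc, dest, allowlist, denylist in evaluate(POLICY, EVENTS):
        print(f"{user:6} {proc:12} {dest:28} allow-list={allowlist:5} deny-list={denylist}")
```

Running it shows the asymmetry the text describes: the allow-list blocks rclone.exe without anyone having to know its destination, and blocks alice’s trusted FTP client the moment it points at an unlisted host, while the deny-list passes both because neither destination was previously recorded as bad.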
The impact upon M&S and Co-op can be simplified as two-fold – a) data was stolen, impacting customer confidence and b) systems were disabled to contain the attack, impacting productivity.
ZORB software prevents data theft without the need for human intervention. Once installed and applications whitelisted, our software runs on autopilot to proactively prevent exfiltration attempts, ensuring business continuity during an attack in the knowledge that key systems do not need to be shut down to prevent the risk of data theft.
Finally, EDR and SIEM can be configured to monitor for the documented attack behaviour of the groups – such as the sudden creation of multiple schtasks.exe jobs, or processes launching wmic.exe or browser executables. EDR and SIEM are being bypassed by DragonForce. ZORB acts as a belt and braces response to back up other protection tools, should these fail.
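As an added example (not code from this article or from ZORB), the following Python pass runs the two EDR/SIEM checks named above over a handful of constructed process-creation records: a burst of schtasks.exe /create invocations on one host within a short window, and wmic.exe or a browser being spawned by a parent that would not normally do so (a document reader or script host). The record layout is a simplified stand-in for Sysmon event ID 1 or Windows 4688 events, and the threshold, window and parent list are assumptions to tune against your own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed process-creation records (simplified Sysmon EID 1 / Windows 4688 shape).
# Not real telemetry: hosts, times and command lines were made up for this example.
EVENTS = [
    {"ts": "2025-05-01T09:00:01", "host": "WS-17", "parent": "explorer.exe", "image": "outlook.exe",  "cmd": "outlook.exe"},
    {"ts": "2025-05-01T09:00:05", "host": "WS-17", "parent": "acrord32.exe", "image": "wmic.exe",     "cmd": "wmic os get caption"},
    {"ts": "2025-05-01T09:00:10", "host": "WS-17", "parent": "cmd.exe",      "image": "schtasks.exe", "cmd": "schtasks.exe /create /tn Task1 /tr C:\\Temp\\run.bat /sc onstart"},
    {"ts": "2025-05-01T09:00:25", "host": "WS-17", "parent": "cmd.exe",      "image": "schtasks.exe", "cmd": "schtasks.exe /create /tn Task2 /tr C:\\Temp\\run.bat /sc onlogon"},
    {"ts": "2025-05-01T09:00:40", "host": "WS-17", "parent": "cmd.exe",      "image": "schtasks.exe", "cmd": "schtasks.exe /query /tn Task1"},
    {"ts": "2025-05-01T09:00:55", "host": "WS-17", "parent": "cmd.exe",      "image": "schtasks.exe", "cmd": "schtasks.exe /create /tn Task3 /tr C:\\Temp\\run.bat /sc hourly"},
    {"ts": "2025-05-01T09:01:10", "host": "WS-17", "parent": "cmd.exe",      "image": "schtasks.exe", "cmd": "schtasks.exe /create /tn Task4 /tr C:\\Temp\\run.bat /sc daily"},
    {"ts": "2025-05-01T09:02:00", "host": "WS-22", "parent": "explorer.exe", "image": "chrome.exe",   "cmd": "chrome.exe"},
    {"ts": "2025-05-01T09:30:00", "host": "WS-22", "parent": "svchost.exe",  "image": "schtasks.exe", "cmd": "schtasks.exe /create /tn Backup /tr C:\\Tools\\backup.exe /sc daily"},
    {"ts": "2025-05-01T09:31:00", "host": "WS-22", "parent": "winword.exe",  "image": "msedge.exe",   "cmd": "msedge.exe https://www.example/"},
]

# Tunable assumptions for this example, not figures taken from the article.
SCHTASKS_THRESHOLD = 3
SCHTASKS_WINDOW = timedelta(minutes=2)
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe",
                   "wscript.exe", "cscript.exe", "mshta.exe"}
WATCHED_CHILDREN = {"wmic.exe", "chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def detect_schtasks_burst(events, threshold=SCHTASKS_THRESHOLD, window=SCHTASKS_WINDOW):
    """Alert once per host when `threshold` schtasks /create calls land inside `window`.
    A sliding deque per host keeps only the creation timestamps still inside the window."""
    alerts = []
    recent = defaultdict(deque)
    alerted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["image"].lower() != "schtasks.exe" or "/create" not in ev["cmd"].lower():
            continue   # queries, deletions and other images are not job creations
        now = datetime.fromisoformat(ev["ts"])
        window_times = recent[ev["host"]]
        window_times.append(now)
        while now - window_times[0] > window:
            window_times.popleft()
        if len(window_times) >= threshold and ev["host"] not in alerted:
            alerted.add(ev["host"])   # one alert per host, not one per extra job
            alerts.append({"rule": "schtasks-burst", "host": ev["host"],
                           "count": len(window_times),
                           "first": window_times[0].isoformat(), "last": now.isoformat()})
    return alerts


def detect_unusual_parent(events):
    """Flag wmic.exe or a browser spawned by a document reader or script host."""
    return [{"rule": "unusual-parent", "host": ev["host"], "parent": ev["parent"],
             "image": ev["image"], "ts": ev["ts"]}
            for ev in events
            if ev["parent"].lower() in UNUSUAL_PARENTS
            and ev["image"].lower() in WATCHED_CHILDREN]


def run_all(events):
    return detect_schtasks_burst(events) + detect_unusual_parent(events)


if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

On the constructed data this raises three alerts: one burst on WS-17 (three creations inside a minute, with the later fourth job not generating a duplicate), and two unusual-parent hits (a PDF reader spawning wmic.exe, and Word spawning Edge). The single scheduled backup on WS-22 stays below the threshold, which is the sort of baseline behaviour the threshold and window exist to accommodate.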
Conclusion
I mentioned above that, whilst the attacks are sophisticated, the techniques are not particularly novel. Existing tools, used alongside the NCSC’s recommended actions below, should help towards mitigating techniques 1 to 5:
- Enforce Multi-Factor Authentication (MFA): Ensure comprehensive deployment of 2-step verification across all accounts.
- Monitor for Suspicious Activity: Use tools like Microsoft Entra ID Protection to detect risky sign-ins or compromised credentials, especially those flagged under Microsoft Entra Threat Intelligence.
- Protect Privileged Accounts: Pay close attention to Domain Admin, Enterprise Admin, and Cloud Admin accounts, and regularly verify the legitimacy of access.
- Secure Helpdesk Processes: Review how helpdesks verify user identities before resetting passwords – especially for privileged users.
- Track Unusual Logins: Make sure your security operations can detect logins from unexpected sources, such as VPNs using residential IP ranges, through source enrichment and threat intelligence.
- Act on Threat Intelligence: Be ready to rapidly apply threat intelligence on attacker TTPs and respond accordingly.
However, the only way to tame the Dragon is to prevent data from being exfiltrated in the first place.
For more information about preventing data theft, contact me at mark@zorbsecurity.com.