DragonForce campaign expands across multiple victims
Campaign
Summary
Hide ▲
Show ▼
DragonForce and Scattered Spider are driving a multistage ransomware campaign that pairs social engineering with follow-on encryption to hit high-value targets worldwide. The operation matters because it combines initial access tradecraft with a ransomware handoff, making intrusions harder to stop before deployment. In 2025, DragonForce also shifted into a ransomware cartel model that broadens affiliate participation and operational scale.
Related Happenings
Medusa ransomware post-compromise deployment
Malware Activity
First: 07.04.2026 09:35
Last: 07.04.2026 09:35
Sources 1
About this happening:
**Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
Medusa ransomware post-compromise deployment
Malware ActivityAbout this happening: **Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor Meta
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor MetaAbout this happening: TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
Beast ransomware group’s RaaS model and shared TTPs exposed through an open server
Threat Actor Meta
First: 20.03.2026 18:31
Last: 20.03.2026 18:31
Sources 1
About this happening:
An exposed **Beast ransomware group** server now shows its **RaaS operating model** and reusable toolset, complicating attribution across ransomware crews. The recovered materials...
Beast ransomware group’s RaaS model and shared TTPs exposed through an open server
Threat Actor MetaAbout this happening: An exposed **Beast ransomware group** server now shows its **RaaS operating model** and reusable toolset, complicating attribution across ransomware crews. The recovered materials...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor Meta
First: 19.03.2026 18:00
Last: 19.03.2026 18:00
Sources 1
About this happening:
**hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor MetaAbout this happening: **hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates
Target Trend
First: 17.03.2026 23:41
Last: 17.03.2026 23:41
Sources 1
About this happening:
**Ransomware operators** are increasingly leaning on **built-in Windows tooling** while **ransom payment rates** continue to decline across **2025**, weakening extortion returns f...
2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates
Target TrendAbout this happening: **Ransomware operators** are increasingly leaning on **built-in Windows tooling** while **ransom payment rates** continue to decline across **2025**, weakening extortion returns f...
Timeline
-
03.12.2025 17:05 3 articles · 5mo ago
DragonForce expands cartel-style ransomware operations
Campaign Scope UpdateDragonForce expanded its ransomware operation in 2025 by presenting itself as a "ransomware cartel," offering affiliates 80% of profits, customizable encryptors and infrastructure, and pairing with Scattered Spider for high-value intrusions such as Marks & Spencer. The operation draws on earlier LockBit 3.0 builder code and modified Conti v3 source code, abuses vulnerable drivers such as truesight.sys and rentdrv2.sys to disable security tools and protected processes, and deploys DragonForce ransomware across Windows, Linux and ESXi environments after exfiltration to MEGA or Amazon S3.
Show sources
- Deep dive into DragonForce ransomware and its Scattered Spider connection — www.bleepingcomputer.com — 03.12.2025 17:05
- Deep dive into DragonForce ransomware and its Scattered Spider connection — www.bleepingcomputer.com — 03.12.2025 17:05
- A Cybercrime Merger Like No Other — Scattered Spider, LAPSUS$, and ShinyHunters Join Forces — thehackernews.com — 04.11.2025 19:25