EXECUTIVE SUMMARY:
DragonForce began as an encryptor derived from the leaked Conti source and has since rebranded as a ransomware-as-a-service (RaaS) operation that styles itself a cartel, recruiting affiliates with flexible profit-sharing and customizable encryptors. The group relies on Bring Your Own Vulnerable Driver (BYOVD) evasion: a legitimately signed but exploitable kernel driver is loaded and then abused from kernel context to blind endpoint protection and terminate security processes before encryption starts. Its partnership with Scattered Spider, an initial access broker skilled in phishing, MFA bypass, and SIM swapping, has broadened its victim base across retail, telecommunications, and insurance. The campaign reflects the industrialization of cybercrime: specialized groups operate in structured partnerships that mirror corporate ecosystems, and ransomware collectives are moving beyond the classic RaaS model toward cartel-like organizations that combine social engineering, shared tooling, and joint monetization within a growing underground alliance.
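The BYOVD pattern described above (a driver loaded from an odd location, not signed by Microsoft or on a vulnerable-driver list, followed seconds later by endpoint-protection processes dying) is what a detection engineer would hunt for in driver-load telemetry. The following is an added example written for this page, not tooling from the report or from DragonForce: it triages Sysmon Event ID 6 (DriverLoad) and Event ID 5 (ProcessTerminate) records exported as JSON lines. The events, the placeholder hash in `KNOWN_ABUSED_SHA256`, the scoring weights and the threshold are all constructed assumptions; in production the blocklist would be populated from Microsoft's vulnerable driver blocklist or the loldrivers.io feed.

```python
import json
from datetime import datetime, timedelta

# Directories from which properly installed drivers normally load.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

# Constructed placeholder hash, NOT a real indicator. In production, populate this
# from Microsoft's vulnerable driver blocklist or the loldrivers.io feed.
KNOWN_ABUSED_SHA256 = {"11" * 32: "constructed placeholder for a known-abused driver"}

# Endpoint-protection processes an EDR-killer driver is typically pointed at.
SECURITY_PROCESSES = {"msmpeng.exe", "sensecncproxy.exe", "csfalconservice.exe"}

KILL_WINDOW = timedelta(seconds=120)  # kills this soon after a driver load are correlated
REPORT_THRESHOLD = 3                   # assumed cut-off for reporting a driver load


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def parse_hashes(field):
    """Turn Sysmon's 'SHA256=...,MD5=...' field into {algorithm: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def score_driver_load(evt, later_events):
    """Score one DriverLoad (Sysmon EID 6) event. Returns (score, reasons)."""
    score, reasons = 0, []
    path = evt["ImageLoaded"].lower()
    if parse_hashes(evt.get("Hashes", "")).get("SHA256") in KNOWN_ABUSED_SHA256:
        score += 3
        reasons.append("SHA256 is on the known-abused driver list")
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        score += 2
        reasons.append("loaded from outside the Windows driver directories")
    if evt.get("SignatureStatus", "").lower() != "valid":
        score += 2
        reasons.append("signature not valid (revoked, expired or absent)")
    elif not evt.get("Signature", "").lower().startswith("microsoft"):
        score += 1
        reasons.append("third-party signed driver")
    # The BYOVD tell: security processes dying shortly after the driver loads.
    loaded_at = parse_time(evt["UtcTime"])
    killed = sorted({
        _basename(e["Image"]) for e in later_events
        if e.get("EventID") == 5
        and loaded_at <= parse_time(e["UtcTime"]) <= loaded_at + KILL_WINDOW
        and _basename(e["Image"]) in SECURITY_PROCESSES
    })
    if killed:
        score += 2
        reasons.append("security processes terminated after load: " + ", ".join(killed))
    return score, reasons


def triage(jsonl):
    """Parse a JSON-lines Sysmon export; return suspicious driver loads, highest score first."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    events.sort(key=lambda e: parse_time(e["UtcTime"]))
    findings = []
    for i, evt in enumerate(events):
        if evt.get("EventID") != 6:
            continue
        score, reasons = score_driver_load(evt, events[i + 1:])
        if score >= REPORT_THRESHOLD:
            findings.append({"driver": evt["ImageLoaded"], "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample telemetry (not real events): a benign Microsoft driver, then a
# blocklisted driver dropped in a user-writable path, followed by Defender being killed.
_SAMPLE = [
    {"EventID": 6, "UtcTime": "2025-01-01 10:00:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys",
     "Hashes": "SHA256=" + "22" * 32, "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2025-01-01 10:05:00.000",
     "ImageLoaded": "C:\\Users\\Public\\Music\\drv.sys",
     "Hashes": "SHA256=" + "11" * 32, "Signature": "Example Vendor Ltd", "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2025-01-01 10:05:02.000",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2025-01-01 10:05:03.000", "Image": "C:\\Windows\\System32\\notepad.exe"},
]
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in _SAMPLE)

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"score={f['score']} {f['driver']}")
        for r in f["reasons"]:
            print("  -", r)
```

The hash match alone is the weakest signal to depend on, since attackers rotate to drivers that are not yet listed; the load path, signer and the follow-on termination of security processes are what keep the rule useful when the blocklist lags. On the sample data only `drv.sys` crosses the threshold; `ntfs.sys` scores zero.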
Technically, the DragonForce encryptor descends from the legacy Conti and LockBit Green builders, recompiled with MinGW so it can be built and deployed more widely. The codebase retains Conti routines such as InitializeApiModule and DisableHooks, which resolve the Windows APIs the payload needs and strip user-mode API hooks placed by security products before encryption begins. The embedded configuration is protected with ChaCha20 and lets affiliates tune many operational parameters, including which file types to encrypt, which processes to exclude, and which system behaviors to modify; this modular design lets operators adapt a payload to a specific campaign or victim. Within the partnership, Scattered Spider handles initial access, using phishing, vishing, and credential theft to get into target environments and legitimate remote administration tools such as AnyDesk, ScreenConnect, or TeamViewer for persistence. After moving laterally and exfiltrating sensitive data to cloud storage services, the actors deploy the DragonForce encryptor to complete the extortion cycle.
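An analyst triaging a sample like this writes a configuration extractor: recover the ChaCha20-protected settings, then read off what the affiliate chose to encrypt, skip and kill. The block below is an added example for this page, not code from the report or from the malware. Only the fact that the config is ChaCha20-encrypted and affiliate-customizable comes from the text; the blob layout (12-byte nonce followed by ChaCha20-encrypted JSON), the field names (`extensions`, `skip_dirs`, `skip_processes`, `behaviors`), the key and the nonce are all assumptions made up for the demonstration. ChaCha20 is implemented inline (RFC 8439 layout) so the block runs without third-party packages.

```python
import json
import os
import struct

MASK = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK
    s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK
    s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 layout: 32-byte key, 32-bit counter, 12-byte nonce)."""
    assert len(key) == 32 and len(nonce) == 12
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    work = state[:]
    for _ in range(10):  # 20 rounds = 10 x (column round + diagonal round)
        _quarter_round(work, 0, 4, 8, 12)
        _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14)
        _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15)
        _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13)
        _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w + s) & MASK for w, s in zip(work, state)])


def chacha20_xor(key, nonce, data, counter=0):
    """ChaCha20 is a stream cipher: the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = _chacha20_block(key, counter + off // 64, nonce)
        out += bytes(x ^ k for x, k in zip(data[off:off + 64], ks))
    return bytes(out)


# Hypothetical embedded-config layout (an assumption for this example, not DragonForce's real one):
#   blob := nonce(12) || ChaCha20(key, nonce, JSON settings)
def pack_config(key, nonce, cfg):
    return nonce + chacha20_xor(key, nonce, json.dumps(cfg).encode())


def extract_config(key, blob):
    nonce, body = blob[:12], blob[12:]
    return json.loads(chacha20_xor(key, nonce, body))


def should_encrypt(path, cfg):
    """Apply the affiliate-set file-type list and directory exclusions to one path."""
    p = path.lower()
    if any(p.startswith(d.lower()) for d in cfg["skip_dirs"]):
        return False
    ext = os.path.splitext(p.replace("\\", "/"))[1]
    return ext in {e.lower() for e in cfg["extensions"]}


def should_terminate(process, cfg):
    """Excluded processes are left running so the host stays usable enough to read the note."""
    return process.lower() not in {x.lower() for x in cfg["skip_processes"]}


# Constructed sample: key, nonce and settings are made up for the demonstration.
SAMPLE_KEY = bytes(range(32))
SAMPLE_NONCE = b"\x00\x00\x00\x00" + b"example!"
SAMPLE_CONFIG = {
    "extensions": [".docx", ".xlsx", ".sql", ".vmdk"],
    "skip_dirs": ["C:\\Windows\\", "C:\\Program Files\\"],
    "skip_processes": ["explorer.exe", "lsass.exe", "csrss.exe"],
    "behaviors": {"delete_shadow_copies": True, "encrypt_network_shares": True},
}
SAMPLE_BLOB = pack_config(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_CONFIG)

if __name__ == "__main__":
    cfg = extract_config(SAMPLE_KEY, SAMPLE_BLOB)
    print(json.dumps(cfg, indent=2))
    for path in ("C:\\Finance\\q3.xlsx", "C:\\Windows\\System32\\x.sql", "C:\\Finance\\notes.txt"):
        print(path, "->", "encrypt" if should_encrypt(path, cfg) else "skip")
```

In a real extractor the key and nonce are recovered from the binary (a constant, or derived at runtime) rather than known up front, and a maintained library such as the `ChaCha20` algorithm in the `cryptography` package would replace the inline cipher; the inline version is here so the keystream construction is visible. The value of the decrypted settings is operational: the extension list and directory exclusions tell responders what the affiliate intended to hit, and the process exclusion list shows what the payload deliberately leaves running.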
The DragonForce and Scattered Spider partnership marks a notable step in the evolution of organized cybercrime. By pairing mature ransomware engineering with effective social engineering and intrusion tradecraft, the alliance shows how threat actors combine technical and human-driven tactics to maximize reach. DragonForce’s reliance on repurposed Conti components, BYOVD attacks, and a modular architecture underscores how recycled but enhanced malware frameworks persist in the cybercriminal ecosystem, and its extensive victim base across critical sectors indicates both operational maturity and scalable attack capability. The emergence of ransomware cartels with affiliate structures and shared infrastructure signals a broader transformation of cybercrime into an enterprise-like ecosystem. Defending against such threats requires strong identity protection (given Scattered Spider’s vishing, MFA-bypass and SIM-swapping tradecraft, that means phishing-resistant MFA and hardened help-desk identity verification), zero-trust principles, and proactive threat intelligence. The DragonForce campaign ultimately illustrates how collaboration among specialized threat groups continues to drive innovation, efficiency, and impact in the ransomware landscape.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1136.001 | Create Account | Local Account |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | — |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Credential Access | T1003.001 | OS Credential Dumping | LSASS Memory |
| Discovery | T1046 | Network Service Discovery | — |
| Lateral Movement | T1021.002 | Remote Services | SMB/Windows Admin Shares |
| Lateral Movement | T1021 | Remote Services | — |
| Collection | T1005 | Data from Local System | — |
| Exfiltration | T1567.002 | Exfiltration Over Web Service | Exfiltration to Cloud Storage |
| Impact | T1486 | Data Encrypted for Impact | — |
REFERENCES:
The following reports contain further technical details: