Paubox blog

Researchers examine DragonForce ransomware and ties to Scattered Spider

Written by Farah Amod | December 20, 2025

Analysts have mapped DragonForce’s progression from a 2023 ransomware operation into a collaborative criminal network with strong links to Scattered Spider.

What happened

Researchers cited by Bleeping Computer found that the most recent DragonForce variant uses vulnerable drivers such as truesight.sys and rentdrv2.sys to disable security tools and shut down protected processes. The update also corrects weaknesses previously attributed to Akira ransomware and aligns with changes described in technical writeups that DragonForce itself referenced on its leak site. Activity in 2025 shows an increase in published victims, including a joint intrusion with Scattered Spider against retailer Marks and Spencer.

Going deeper

DragonForce operates as a ransomware-as-a-service program that originally relied on repurposed LockBit 3.0 builders before shifting to modified Conti v3 code. The group reactivated in 2025 and began marketing its operation as a cartel, offering a share of extortion proceeds to affiliates. This incentive model has attracted less experienced actors who rely on prebuilt infrastructure rather than developing their own encryption tools. Analysts have noted that DragonForce’s model focuses on scale, distribution, and operational reach more than code innovation. The group now provides affiliates with adjustable encryptors, hosting services, and support materials that reduce entry barriers for new participants.

What was said

Security researchers who examined the malware described a clear separation between DragonForce’s core developers and its affiliates. They reported that the cartel promotes faster onboarding, flexible deployment options, and a familiar command structure that appeals to initial access brokers. Industry analysis also noted that Scattered Spider’s involvement explains the precision seen in several recent intrusions. Investigators have reported repeated use of remote monitoring tools, credential harvesting techniques, and cloud inventory features such as AWS Systems Manager to support reconnaissance and lateral movement. These observations have been reflected in recent threat reports from incident response firms.

The big picture

Recent reporting from the American Hospital Association shows how far ransomware has drifted from traditional cybercrime. The group said that attacks on hospitals are no longer just about money but “represent a threat to life that endangers public health.” Their assessment is blunt: “The defenses and strategies to protect against these threats, and the enforcement actions taken to punish the attackers, need to change too.” According to the AHA, truly disrupting groups like DragonForce and Scattered Spider will require a broader federal response, noting that “leveraging the entire law enforcement, intelligence and military capabilities of the U.S. government is necessary to achieve swift and certain consequences.” They warned that this may be “the only way to effectively deter and disrupt these foreign adversaries that threaten our hospitals and communities.”

FAQs

Why is the DragonForce and Scattered Spider link significant?

Scattered Spider specialises in credential theft and initial access methods, which gives DragonForce a steady pipeline of compromised accounts and validated entry points.

How does Scattered Spider typically gain access?

The group often uses targeted social engineering, MFA manipulation, SIM swapping, and impersonation of support teams to obtain or reset credentials.

What makes DragonForce’s structure attractive to affiliates?

Affiliates receive a large share of extortion proceeds, rely on tools that require minimal configuration, and gain access to infrastructure that supports rapid deployment.

Which tools are commonly observed in these intrusions?

Investigators have reported use of remote monitoring software such as ScreenConnect, TeamViewer, and AnyDesk, along with tunneling utilities and data collection tools.
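As an added example, not from the original post or from the researchers it cites, the following Python triage pass runs over constructed Sysmon-style events and flags the two behaviours the post describes: loads of the abused drivers named under "What happened" and launches of the remote monitoring tools listed in this FAQ from outside installer-managed directories. The event field names follow Sysmon's, but the hosts, paths and the allow-listed directories are assumptions made for the example.

```python
import json
from typing import Iterable

# Driver file names the report says the variant loads to disable security tools
# (matched case-insensitively on the basename of the loaded image).
ABUSED_DRIVERS = {"truesight.sys", "rentdrv2.sys"}

# Remote monitoring tools the FAQ lists; an approved deployment is assumed to run
# from an installer-managed directory (assumption made for this example).
RMM_TOOLS = ("screenconnect", "teamviewer", "anydesk")
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon-style events (ID 6 = driver loaded, ID 1 = process create);
# the field names follow Sysmon's but the hosts and paths are made up.
SAMPLE_LOG = r"""
{"EventID": 6, "Computer": "ws01", "ImageLoaded": "C:\\Windows\\Temp\\truesight.sys"}
{"EventID": 1, "Computer": "ws01", "Image": "C:\\Users\\Public\\AnyDesk.exe"}
{"EventID": 1, "Computer": "ws02", "Image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"}
{"EventID": 6, "Computer": "ws02", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys"}
"""


def parse_jsonl(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_events(events: Iterable[dict]) -> list[dict]:
    """Return one finding per event that matches either behaviour."""
    findings = []
    for ev in events:
        host = ev.get("Computer")
        if ev.get("EventID") == 6:
            driver = _basename(ev.get("ImageLoaded", ""))
            if driver in ABUSED_DRIVERS:
                findings.append({"host": host, "rule": "abused-driver-load", "detail": driver})
        elif ev.get("EventID") == 1:
            image = ev.get("Image", "")
            stem = _basename(image).removesuffix(".exe")
            if any(t in stem for t in RMM_TOOLS) and not image.lower().startswith(EXPECTED_DIRS):
                findings.append({"host": host, "rule": "rmm-from-unexpected-path", "detail": image})
    return findings


if __name__ == "__main__":
    for finding in triage_events(parse_jsonl(SAMPLE_LOG)):
        print(finding)
```

The legitimately installed TeamViewer on ws02 and the ordinary ntfs.sys load are left alone; only the temp-directory driver load and the AnyDesk launch from a user-writable path on ws01 are reported.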