Deep dive into DragonForce ransomware and its Scattered Spider connection

Recorded: Dec. 3, 2025, 4:02 p.m.

Original

News

Featured
Latest

North Korea lures engineers to rent identities in fake IT worker scheme

Fake Calendly invites spoof top brands to hijack ad manager accounts

University of Pennsylvania confirms new data breach after Oracle hack

Google fixes two Android zero days exploited in attacks, 107 flaws

Deep dive into DragonForce ransomware and its Scattered Spider connection

Aisuru botnet behind new record-breaking 29.7 Tbps DDoS attack

University of Phoenix discloses data breach after Oracle hack

Score 65% off a Microsoft Surface with impressive performance

Tutorials

Latest
Popular

How to access the Dark Web using the Tor Browser

How to enable Kernel-mode Hardware-enforced Stack Protection in Windows 11

How to use the Windows Registry Editor

How to backup and restore the Windows Registry

How to start Windows in Safe Mode

How to remove a Trojan, Virus, Worm, or other Malware

How to show hidden files in Windows 7

How to see hidden files in Windows

Webinars
Downloads

Latest
Most Downloaded

Qualys BrowserCheck

STOPDecrypter

AuroraDecrypter

FilesLockerDecrypter

AdwCleaner

ComboFix

RKill

Junkware Removal Tool

Deals

Sponsored by Acronis

December 3, 2025
10:05 AM
0

Security researchers have conducted an in-depth analysis of DragonForce ransomware that initially emerged in 2023 and has since evolved into what it calls a "ransomware cartel."
The most recent variant exploits susceptible drivers such as truesight.sys and rentdrv2.sys to deactivate security programs, shut down protected processes and fix encryption vulnerabilities that were earlier linked to Akira ransomware.
The updated encryption scheme addresses vulnerabilities that were openly documented in a Habr publication referenced on DragonForce's leak website.
DragonForce has intensified its operations against organizations worldwide, publishing details of more compromised entities than in the previous year.
The group's most prominent breach, involving retail company Marks & Spencer, was carried out in partnership with the cybercriminal collective Scattered Spider hacking group.
The emergence of DragonForce
DragonForce operates as a ransomware-as-a-service (RaaS) operation. The group reignited ransomware activities, and has been actively recruiting nefarious collaborators through underground cybercrime platforms.
At the start, the gang used the compromised LockBit 3.0 builder to create its encryption tools and later transitioned to a modified version of Conti v3 source code.

Transforming from ransomware group to “cartel”
Returning in 2025, DragonForce rebranded itself as a “ransomware cartel,” marking a sudden shift in operational strategy.
By offering affiliates 80% of profits, customizable encryptors and infrastructure, DragonForce lowers the barrier to entry for new and inexperienced cybercriminals.
The move encourages more affiliates to join the cartel and broaden its presence.

All-in-one integrated backup and cybersecurity platform for MSPs
Acronis Cyber Protect Cloud integrates data protection, cybersecurity, and endpoint management.
Easily scale cyber protection services from a single platform – while efficiently running your MSP business.
Free 30-day Trial

DragonForce and its Scattered Spider connection
DragonForce's partnership with Scattered Spider, a financially motivated threat actor known for sophisticated social engineering and initial access operations, has proven effective in enabling ransomware deployments across high-value targets.
Scattered Spider typically begins its intrusion by conducting reconnaissance on an organization’s staff to identify potential targets and develop convincing personas and pretexts.
The group collects details such as names, job titles, and other publicly available information using social media platforms and open-source intelligence tools. They then use advanced social engineering tactics to obtain or reset credentials and circumvent multifactor authentication through deceptive tactics such as MFA fatigue or SIM swapping.
Once access is gained, Scattered Spider signs in as the compromised user and registers its own device to maintain entry.
Following the initial breach, Scattered Spider establishes persistence by deploying remote monitoring and management (RMM) tools or tunneling services.
For example, these tools can include ScreenConnect, AnyDesk, TeamViewer and Splashtop. Once inside the network, Scattered Spider conducts thorough reconnaissance, targeting assets in SharePoint, credential repositories, backup servers and VPN configuration documentation.
In recent activity, Scattered Spider has leveraged AWS Systems Manager Inventory to identify additional systems for lateral movement. They utilize extract, transform and load (ETL) tools to compile gathered data into a central database, which is then exfiltrated to attacker-controlled MEGA or Amazon S3 storage services.
The operation concludes with the deployment of DragonForce ransomware, encrypting data across Windows, Linux and ESXi environments.
Better together ransomware
DragonForce represents a new, more organized and persistent threat, built on established ransomware frameworks but incrementally improved and distributed at scale.
Unlike groups that heavily customize their code, DragonForce focuses on cartel-style recruitment, affiliate operational flexibility and broad partnerships, making it a formidable and highly adaptable actor.
Coupled with Scattered Spider, cybercrime groups under cooperative models, rather than purely competitive ones, marks a shift that complicates defensive efforts for organizations worldwide.
Key takeaways
The DragonForce and Scattered Spider duo is a wakeup-call for "cartelization" cybercrime, where highly specialized threat actors combine their skills, in this case, Scattered Spider's elite social engineering and initial access skills and DragonForce's robust ransomware-as-a-service model, to execute devastating, high-profile attacks.
Their strategic alliance significantly elevates the threat landscape by creating a more efficient and adaptive criminal operation focused on breaching defenses by exploiting human error before leveraging sophisticated malware.
Looking ahead, IT security professionals must consider that defense requires addressing ransomware collaborative models head on.
Implement and strictly enforce phishing-resistant multifactor authentication (MFA) methods to neutralize Scattered Spider's primary initial access vectors, and focus on robust endpoint detection and response (EDR) solutions that alert the deployment of remote monitoring tools and the use of vulnerable drivers, which are the technical tell-tales of a handoff from an initial access broker to a ransomware affiliate.
Security teams need to anticipate that attacks are no longer single-entity threats, but coordinated, multistage intrusions using the best tools and techniques from an ecosystem of specialized cyber adversaries.
About TRU
The Acronis Threat Research Unit (TRU) is a team of cybersecurity experts specializing in threat intelligence, AI and risk management. The TRU team researches emerging threats, provides security insights and supports IT teams with guidelines, incident response and educational workshops.
See the latest TRU research
Sponsored and written by Acronis.

Acronis
Cybersecurity
DragonForce
Ransomware
Scattered Spider

Comments have been disabled for this article.

Popular Stories

ChatGPT is down worldwide, conversations disappeared for users

Glassworm malware returns in third wave of malicious VS Code packages

Google deletes X post after getting caught using a ‘stolen’ AI recipe infographic

Sponsor Posts

AI is a data-breach time bomb: Read the new report

Hackers love the holidays! Share FREE Security Awareness Training to keep family & friends cyber-safe!

Empowering IT teams with intelligence driven cyber threat research.

Main Sections

News
Webinars
VPN Buyer Guides
SysAdmin Software Guides
Downloads
Virus Removal Guides
Tutorials
Startup Database
Uninstall Database
Glossary

Community

Forums
Forum Rules
Chat

Useful Resources

Welcome Guide
Sitemap

Company

About BleepingComputer
Contact Us
Send us a Tip!
Advertising
Write for BleepingComputer
Social & Feeds
Changelog

Username

Password

Remember Me

Not a member yet? Register Now

Reporter

Help us understand the problem. What is going on with this comment?

Spam

Abusive or Harmful

Inappropriate content

Strong language

Other

Read our posting guidelinese to learn what content is prohibited.

Submitting...
SUBMIT

DragonForce ransomware, operating as a sophisticated “ransomware cartel,” has dramatically escalated its operations in 2025, significantly expanding its reach and impact through a strategic alliance with the cybercriminal collective, Scattered Spider. This report details the evolving tactics of DragonForce, highlighting its shift from a traditional ransomware group to a more organized, cartel-like structure, and the crucial role Scattered Spider plays in its success. The group’s methodology centers on delivering a robust Ransomware-as-a-Service (RaaS) model, lowering the barriers to entry for affiliates and expanding its operational capacity.

The operation began with DragonForce leveraging compromised LockBit 3.0 builder tools, later transitioning to a modified version of Conti v3 source code, establishing a foundation for its ransomware deployment. This shift toward a cartel model involved 80% profit sharing for affiliates, coupled with customizable encryptors and infrastructure, creating a highly adaptable operational model. Key to DragonForce’s ongoing success is its partnership with Scattered Spider, a threat actor renowned for its sophisticated social engineering and initial access operations.

Scattered Spider’s initial intrusion strategy relies heavily on reconnaissance, meticulously gathering data on potential targets through social media channels and open-source intelligence. This reconnaissance phase identifies employees, job titles, and other readily available information, enabling the group to construct highly persuasive and tailored social engineering campaigns. These campaigns focus on obtaining or resetting credentials—a critical step that often bypasses multi-factor authentication (MFA) due to the tactics of "MFA fatigue" or SIM swapping. Once inside, the compromised user logs in as the identified individual, registering their device to maintain persistent access.

Following initial access, Scattered Spider establishes persistence by deploying remote monitoring and management (RMM) tools—such as ScreenConnect, AnyDesk, TeamViewer, and Splashtop—allowing for continued control of the compromised system. This deployment is followed by intensive reconnaissance, targeting key assets within the network, including SharePoint environments, credential repositories, backup servers, and VPN configuration documentation. Recent activity demonstrates the group’s utilization of AWS Systems Manager Inventory to identify additional systems for lateral movement.

Critical to the operation is the group’s use of extract, transform, and load (ETL) tools to compile gathered data into a centralized database, facilitating efficient exfiltration. This data is then transmitted to attacker-controlled MEGA or Amazon S3 storage services, demonstrating a commitment to robust and secure data persistence. Ultimately, DragonForce ransomware is deployed across Windows, Linux, and ESXi environments, executing across a diverse range of systems.

The alliance between DragonForce and Scattered Spider represents a significant shift in the threat landscape, marked by a move toward collaborative cybercrime models. Security professionals must recognize this trend and proactively address the challenges it presents. This includes implementing and strictly enforcing phishing-resistant MFA methods to neutralize Scattered Spider’s primary initial access vectors. Furthermore, focusing on robust endpoint detection and response (EDR) solutions that can alert to the deployment of remote monitoring tools and the use of vulnerable drivers—technical tell-tale signs of a transition from an initial access broker to a ransomware affiliate—is vital. Organizations need to anticipate that attacks are becoming increasingly coordinated and complex, utilizing the best tools and techniques from an ecosystem of specialized cyber adversaries.

The ACORN Threat Research Unit (TRU) continuously monitors and researches emerging threats to provide security insights and guide IT teams. The TRU research team focuses on threat intelligence, AI and risk management. Their recent investigation strongly recommends a proactive defense strategy, prioritizing MFA, EDR, and vigilant monitoring of network activity to mitigate the evolving threat landscape posed by DragonForce and its strategic alliance with Scattered Spider.