LmCast :: Stay tuned in

Deep dive into DragonForce ransomware and its Scattered Spider connection

Recorded: Dec. 3, 2025, 4:02 p.m.

Sponsored by Acronis

December 3, 2025
10:05 AM

Security researchers have conducted an in-depth analysis of DragonForce ransomware, which first emerged in 2023 and has since evolved into what it calls a "ransomware cartel."
The most recent variant abuses vulnerable signed drivers such as truesight.sys and rentdrv2.sys (a bring-your-own-vulnerable-driver, or BYOVD, technique) to disable security software and terminate protected processes, and it also fixes encryption weaknesses that were earlier linked to Akira ransomware.
The updated encryption scheme addresses vulnerabilities that were openly documented in a Habr publication referenced on DragonForce's leak website.
DragonForce has intensified its operations against organizations worldwide, publishing details of more compromised entities than in the previous year.
The group's most prominent breach, of retailer Marks & Spencer, was carried out in partnership with the Scattered Spider hacking group.
The emergence of DragonForce
DragonForce operates as a ransomware-as-a-service (RaaS) operation and has been actively recruiting affiliates through underground cybercrime forums.
At the start, the gang used the leaked LockBit 3.0 builder to create its encryptors and later transitioned to a modified version of the Conti v3 source code.

Transforming from ransomware group to “cartel”
In 2025, DragonForce rebranded itself as a "ransomware cartel," marking a shift in operational strategy.
By offering affiliates 80% of profits, customizable encryptors and infrastructure, DragonForce lowers the barrier to entry for new and inexperienced cybercriminals.
The move encourages more affiliates to join the cartel and broaden its presence.


DragonForce and its Scattered Spider connection
DragonForce's partnership with Scattered Spider, a financially motivated threat actor known for sophisticated social engineering and initial access operations, has proven effective in enabling ransomware deployments across high-value targets.
Scattered Spider typically begins its intrusion by conducting reconnaissance on an organization’s staff to identify potential targets and develop convincing personas and pretexts.
The group collects details such as names, job titles and other publicly available information from social media platforms and open-source intelligence tools, then uses social engineering to obtain or reset credentials and to circumvent multifactor authentication through techniques such as MFA fatigue (push bombing) or SIM swapping.
Once access is gained, Scattered Spider signs in as the compromised user and registers its own device to maintain entry.
Following the initial breach, Scattered Spider establishes persistence by deploying remote monitoring and management (RMM) tools or tunneling services.
These tools have included ScreenConnect, AnyDesk, TeamViewer and Splashtop. Once inside the network, Scattered Spider conducts thorough reconnaissance, targeting assets such as SharePoint sites, credential repositories, backup servers and VPN configuration documentation.
In recent activity, Scattered Spider has leveraged AWS Systems Manager Inventory to identify additional systems for lateral movement. They utilize extract, transform and load (ETL) tools to compile gathered data into a central database, which is then exfiltrated to attacker-controlled MEGA or Amazon S3 storage services.
The operation concludes with the deployment of DragonForce ransomware, encrypting data across Windows, Linux and ESXi environments.
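The intrusion chain above (unapproved RMM tool, inventory enumeration in AWS, then a vulnerable driver loaded just before encryption) is what a hunt query should be looking for as a sequence, not as isolated alerts. The following is an added example, not Acronis TRU code: it classifies normalized Sysmon and CloudTrail events into those stages and raises a separate "handoff" finding when an unapproved RMM tool ran on a host and one of the abused drivers loaded there within a window. The event shape, the RMM binary names, the approved-RMM set, the 72-hour window and the sample events are all assumptions for illustration; only the driver file names, the RMM products and the use of Systems Manager Inventory come from the article. Match drivers on hash or signer in production, since file names are trivially renamed.

```python
"""Hunt for the Scattered Spider -> DragonForce handoff pattern in normalized events.

Added example (not Acronis TRU code). Event shape, binary names, the approved-RMM
set and the correlation window are assumptions for illustration; the driver file
names and RMM products are the ones the article names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Drivers the article reports DragonForce abusing to kill security tooling.
# Caveat: match on hash or signer in production; attackers rename files freely.
ABUSED_DRIVERS = {"truesight.sys", "rentdrv2.sys"}

# RMM binaries (names are assumptions; verify against your software inventory).
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "srserver.exe": "Splashtop",
}
APPROVED_RMM = {"ScreenConnect"}  # assumption: the only sanctioned tool here

# AWS SSM Inventory read APIs that reveal the fleet to an intruder.
SSM_INVENTORY_CALLS = {"GetInventory", "ListInventoryEntries", "GetInventorySchema"}

# Assumed dwell window between access-broker persistence and ransomware staging.
HANDOFF_WINDOW = timedelta(hours=72)


def basename(path):
    """File name from a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Map one event to a kill-chain stage, or None if it is not of interest."""
    if event["source"] == "sysmon" and event["event_id"] == 1:      # ProcessCreate
        tool = RMM_BINARIES.get(basename(event["image"]))
        if tool and tool not in APPROVED_RMM:
            return "rmm_execution", tool
    elif event["source"] == "sysmon" and event["event_id"] == 6:    # DriverLoad
        driver = basename(event["image_loaded"])
        if driver in ABUSED_DRIVERS:
            return "vulnerable_driver_load", driver
    elif (event["source"] == "cloudtrail"
          and event["event_source"] == "ssm.amazonaws.com"
          and event["event_name"] in SSM_INVENTORY_CALLS):
        return "ssm_inventory_enum", event["event_name"]
    return None


def hunt(events):
    """Classify events and add a 'handoff' finding when an unapproved RMM tool
    ran on a subject and an abused driver loaded there within HANDOFF_WINDOW."""
    findings = []
    rmm_seen = defaultdict(list)  # subject -> [(timestamp, tool)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if hit is None:
            continue
        stage, detail = hit
        findings.append({"stage": stage, "subject": ev["subject"],
                         "detail": detail, "ts": ev["ts"]})
        if stage == "rmm_execution":
            rmm_seen[ev["subject"]].append((ev["ts"], detail))
        elif stage == "vulnerable_driver_load":
            for seen_ts, tool in rmm_seen[ev["subject"]]:
                if ev["ts"] - seen_ts <= HANDOFF_WINDOW:
                    findings.append({"stage": "handoff", "subject": ev["subject"],
                                     "detail": f"{tool} -> {detail}", "ts": ev["ts"]})
                    break
    return findings


# Constructed sample telemetry (not real logs).
T0 = datetime(2025, 11, 20, 9, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "subject": "WS-0142", "source": "sysmon", "event_id": 1,
     "image": r"C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe"},
    {"ts": T0 + timedelta(hours=1), "subject": "WS-0300", "source": "sysmon", "event_id": 1,
     "image": r"C:\Users\asmith\Downloads\AnyDesk.exe"},
    {"ts": T0 + timedelta(hours=5), "subject": "arn:aws:iam::111122223333:user/jdoe",
     "source": "cloudtrail", "event_source": "ssm.amazonaws.com",
     "event_name": "ListInventoryEntries"},
    {"ts": T0 + timedelta(hours=30), "subject": "WS-0142", "source": "sysmon", "event_id": 6,
     "image_loaded": r"C:\Windows\Temp\truesight.sys"},
    # Approved RMM tool: no finding.
    {"ts": T0 + timedelta(hours=31), "subject": "WS-0200", "source": "sysmon", "event_id": 1,
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    # Driver load long after the RMM install: flagged on its own, but outside the window.
    {"ts": T0 + timedelta(days=10), "subject": "WS-0300", "source": "sysmon", "event_id": 6,
     "image_loaded": r"C:\Windows\System32\drivers\rentdrv2.sys"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['ts']:%Y-%m-%d %H:%M}  {f['stage']:<23} {f['subject']}  {f['detail']}")
```

Run as-is to see the per-stage findings for the constructed events; only WS-0142 produces a handoff finding, because WS-0300's driver load falls outside the window and WS-0200's ScreenConnect is on the approved list. The SSM finding is keyed by IAM principal rather than hostname, so tying it to an endpoint requires joining on the user, which the example leaves to the analyst.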
Better together ransomware
DragonForce represents a new, more organized and persistent threat, built on established ransomware frameworks but incrementally improved and distributed at scale.
Unlike groups that heavily customize their code, DragonForce focuses on cartel-style recruitment, affiliate operational flexibility and broad partnerships, making it a formidable and highly adaptable actor.
Its pairing with Scattered Spider shows cybercrime groups operating under cooperative rather than purely competitive models, a shift that complicates defensive efforts for organizations worldwide.
Key takeaways
The DragonForce and Scattered Spider duo is a wake-up call about the "cartelization" of cybercrime, in which highly specialized threat actors combine their skills, in this case Scattered Spider's social engineering and initial access capabilities and DragonForce's robust ransomware-as-a-service model, to execute devastating, high-profile attacks.
Their alliance elevates the threat landscape by creating a more efficient and adaptive criminal operation that breaches defenses by exploiting human error before deploying the malware.
Looking ahead, IT security professionals must accept that defense requires addressing these collaborative ransomware models head on.
Implement and strictly enforce phishing-resistant multifactor authentication (MFA), such as FIDO2 security keys or passkeys, to neutralize Scattered Spider's primary initial access vectors; MFA fatigue and SIM swapping both fail against an authenticator bound to the legitimate origin and device. Because the group also obtains or resets credentials through social engineering and then registers its own device, as described above, harden identity verification for password and MFA resets and alert on new device registrations for privileged or recently reset accounts. On the endpoint side, deploy endpoint detection and response (EDR) that alerts on the installation of remote monitoring and management tools and on the loading of vulnerable drivers, which are the technical tell-tales of a handoff from an initial access broker to a ransomware affiliate.
Security teams need to anticipate that attacks are no longer single-entity threats, but coordinated, multistage intrusions using the best tools and techniques from an ecosystem of specialized cyber adversaries.
About TRU
The Acronis Threat Research Unit (TRU) is a team of cybersecurity experts specializing in threat intelligence, AI and risk management. The TRU team researches emerging threats, provides security insights and supports IT teams with guidelines, incident response and educational workshops.
See the latest TRU research
Sponsored and written by Acronis.

Tags: Acronis, Cybersecurity, DragonForce, Ransomware, Scattered Spider


Summarized

DragonForce ransomware, operating as a "ransomware cartel," has emerged as a significant threat in 2025, amplified by its partnership with the cybercriminal group Scattered Spider. This analysis details the evolution of DragonForce, its operational structure, and how its activity is intertwined with that of Scattered Spider.

Initially, DragonForce was built upon a LockBit 3.0 builder and later modified Conti v3 code, transitioning into a ransomware-as-a-service (RaaS) model. A key shift occurred with the rebranding as a “cartel,” lowering the entry barrier for affiliates by offering 80% of profits, customized encryptors, and infrastructure. This strategy fostered a broader, more adaptable network of malicious actors.

The core of DragonForce's effectiveness lies in its collaboration with Scattered Spider, which specializes in gathering reconnaissance on target organizations. The group exploits publicly available information, social media profiles and job titles to construct convincing personas and pretexts for social engineering, which it uses to obtain or reset credentials and to bypass multi-factor authentication (MFA) through tactics like MFA fatigue or SIM swapping, exploiting human vulnerabilities alongside technical weaknesses.

Following successful initial access, Scattered Spider establishes persistence by deploying remote monitoring and management (RMM) tools such as ScreenConnect, AnyDesk, TeamViewer, and Splashtop, effectively acting as a conduit for DragonForce’s deployment. Their methodology involves a comprehensive reconnaissance phase, focusing on assets including SharePoint, credential repositories, backup servers, and VPN configuration documentation.

In recent activity, Scattered Spider has also used AWS Systems Manager Inventory to identify additional systems for lateral movement. The collected data is compiled with extract, transform and load (ETL) tools into a central database, which is then exfiltrated to attacker-controlled MEGA or Amazon S3 storage.

The execution phase involves deploying DragonForce ransomware across Windows, Linux, and ESXi environments. The cartel’s strategic advantage emerges from this combined operational model.

The rise of DragonForce underscores a new paradigm in cybercrime: cartelized cybercrime. This model, exemplified by the pairing of DragonForce and Scattered Spider, represents a significant escalation in threat complexity. It blends specialized technical expertise—DragonForce’s RaaS infrastructure—with the social engineering prowess of Scattered Spider, creating a highly efficient and adaptive criminal operation. The reliance on established ransomware frameworks and incremental improvements, coupled with the cartel’s operational flexibility, makes DragonForce a formidable adversary.

Key Takeaways and Recommendations:

* **Address Cartelized Models:** Organizations must recognize and prepare for attacks orchestrated by collaborative groups like DragonForce and Scattered Spider.
* **Robust MFA Implementation:** Strict enforcement and implementation of phishing-resistant MFA methods are paramount for neutralizing Scattered Spider's initial access vectors, which heavily rely on social engineering.
* **Endpoint Detection and Response (EDR):** IT security teams must prioritize the deployment of EDR solutions capable of detecting and alerting on the use of vulnerable drivers, which often signal a handover of control from an initial access broker like Scattered Spider to a ransomware affiliate.
* **Anticipate Multi-Stage Attacks:** Organizations must recognize that attacks are no longer single-entity threats; instead, they're coordinated, multistage intrusions leveraging the best techniques and tools from a network of specialized cyber adversaries.

The TRU (Threat Research Unit) at Acronis highlights the importance of proactive threat intelligence and risk management in combating sophisticated actors like DragonForce and Scattered Spider. Focusing on advanced detection methods and understanding the dynamics of cartelized cybercrime is crucial for mitigating future attacks.