DragonForce, a new-ish ransomware-as-a-service operation, has given organizations another cyber threat to worry about — unless they’re in Russia, which is off limits to the would-be extortionists.
The gang started operations in August 2023 but its ransomware didn’t gain much traction until the following year, when DragonForce operators began advertising for affiliates on dark web forums. The gang has since claimed many victims and drawn the attention of the FBI, which found it was one of 2024’s most prolific ransomware sources.
As of this month, DragonForce has listed 158 victims, and in March the crew rebranded itself as a “cartel” that enables affiliates to create their own brands.
The resulting service allows other crooks to use DragonForce’s infrastructure and tools to deploy any ransomware – not just the gang’s own evil code.
“This is about DragonForce trying to attract as many affiliates as it can to its operation,” Tim Mitchell, senior threat researcher at Sophos Counter Threat Unit, told The Register. “The more people it has deploying ransomware and stealing data, the more potential victims it has paying ransoms, so the higher the profits.”
Infosec researchers believe DragonForce ransomware was used in the late-April attacks that claimed victims including retailers Marks & Spencer, Co-op, and Harrods.
Russian? Or not Russian?
DragonForce’s rebrand announcement included a warning not to attack targets in the Commonwealth of Independent States, a ten-nation bloc centered on Russia and former Soviet republics. Researchers, however, can’t find evidence that the ransomware operators reside in Russia.
“The affiliate rules prohibit attacks on organizations in Commonwealth of Independent States nations and former Soviet Union countries; however, this restriction is extremely common and is not necessarily indicative of location,” Genevieve Stark, head of cybercrime, hacktivism, and information operations intelligence analysis for the Google Threat Intelligence Group, told The Register.
“That being said, the Russian-speaking actor DragonForce has advertised RaaS [ransomware-as-a-service] on the underground forum Ramp,” she added. Ramp, aka the Russian Anonymous Market Place, is a polyglot underground forum thought to be run in Russia.
An alleged member of a rival ransomware crew, RansomHub, accused DragonForce of collaborating with Russia’s FSB intelligence service, according to threat intelligence vendor Cyble’s research team. That allegation intensified speculation about DragonForce’s home.
“It is not possible to determine definitively whether or not DragonForce is Russia-based,” Sophos’s Mitchell said, noting that the Ramp forum contains multilingual content and isn’t limited to native Russian speakers.
“It is possible, therefore, that the operators of DragonForce are not based in Russia but have used the line about not targeting organizations in former Soviet states to suggest they are,” he added.
“Most ransomware groups explicitly demand that affiliates do not victimize organizations in Russia or Commonwealth of Independent States countries as doing so might well invite unwanted attention from Russian law enforcement,” he added. “In fact, some ransomware variants run checks on the OS or keyboard language to ensure it is not Russian before proceeding with encryption routines.”
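The keyboard-and-locale check Mitchell mentions is simple enough to model. The following is an added illustration, not DragonForce’s code or any sample quoted by the researchers. On Windows the real check typically calls GetKeyboardLayoutList(), which returns HKL handles, and GetUserDefaultUILanguage(), which returns a LANGID; both carry a 16-bit language identifier whose low 10 bits are the primary language. The code below reimplements that decoding on constructed input so it runs anywhere, and the list of CIS languages it matches is an assumption for illustration (real families differ in which ones they include).

```python
"""
Model of the "is this a CIS machine?" pre-flight check that some ransomware
families run before encrypting. Added illustration; it does not call the
Windows API and is not taken from any malware sample.
"""

# Primary-language IDs (LANG_* constants from winnt.h) for Russian and other
# CIS / former-Soviet languages. Which ones a given family checks varies;
# this set is an assumption chosen for the illustration.
CIS_PRIMARY_LANGS = {
    0x19: "Russian", 0x22: "Ukrainian", 0x23: "Belarusian", 0x3F: "Kazakh",
    0x43: "Uzbek", 0x2B: "Armenian", 0x2C: "Azerbaijani", 0x37: "Georgian",
    0x40: "Kyrgyz", 0x28: "Tajik", 0x42: "Turkmen",
}


def langid_from_hkl(hkl: int) -> int:
    """An HKL packs the LANGID in its low 16 bits; the high word is a device id."""
    return hkl & 0xFFFF


def primary_lang(langid: int) -> int:
    """Low 10 bits of a LANGID are the primary language (the PRIMARYLANGID macro)."""
    return langid & 0x03FF


def cis_matches(keyboard_hkls, ui_langid):
    """Return (source, language) pairs that would make the malware bail out.

    An empty list means the check passes and encryption would proceed.
    """
    hits = []
    for hkl in keyboard_hkls:
        name = CIS_PRIMARY_LANGS.get(primary_lang(langid_from_hkl(hkl)))
        if name:
            hits.append((f"keyboard 0x{hkl:08X}", name))
    name = CIS_PRIMARY_LANGS.get(primary_lang(ui_langid))
    if name:
        hits.append((f"ui 0x{ui_langid:04X}", name))
    return hits


def should_abort(keyboard_hkls, ui_langid) -> bool:
    """True when the host looks like it is in the CIS and the payload should exit."""
    return bool(cis_matches(keyboard_hkls, ui_langid))


# Constructed sample hosts: (list of HKLs, UI LANGID), as the API calls would return.
US_HOST = ([0x04090409], 0x0409)                 # en-US keyboard, en-US UI
RU_HOST = ([0x04190419, 0x04090409], 0x0419)     # ru-RU and en-US keyboards, ru-RU UI
# An en-GB machine where an admin has added a ru-RU layout; the high word of
# the HKL differs because it is a separately installed layout.
HARDENED_HOST = ([0x08090809, 0xF0C00419], 0x0809)

if __name__ == "__main__":
    for label, (hkls, ui) in [("US", US_HOST), ("RU", RU_HOST), ("hardened", HARDENED_HOST)]:
        verdict = "abort" if should_abort(hkls, ui) else "encrypt"
        print(f"{label:8} -> {verdict} {cis_matches(hkls, ui)}")
```

Two things the model makes visible: the check keys on the primary language, so Cyrillic and Latin sublanguage variants of the same language (0x0443 and 0x0843 for Uzbek, for instance) both count; and it is trivially fooled in either direction, since a defender can add a Russian layout and an affiliate can simply drop the check from the build, so it is a courtesy to Russian law enforcement rather than a control anyone should rely on.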
Wherever DragonForce lives, Mitchell thinks it “doesn’t really pose any more of a threat than other ransomware operations” – although he also notes that the extensive support it offers to affiliates could “lower the technical bar to entry even further.”
On the flip side: “Such an operating model might also put a target on its back,” he noted. “If it comes to dominate the ransomware-as-a-service landscape, it might attract unwanted attention from law enforcement in the way that LockBit did before it.” ®