The DragonForce Cartel: Scattered Spider at the gate
DragonForce is a ransomware-as-a-service (RaaS) cartel active since 2023 that has formed alliances with other threat groups such as Scattered Spider, LAPSUS$, and ShinyHunters. Its encryptor is derived from the leaked Conti source code, and it relies on BYOVD (Bring Your Own Vulnerable Driver) to terminate security processes: a legitimately signed but exploitable kernel driver is loaded and abused to kill EDR and antivirus processes from kernel mode, bypassing the user-mode protections that normally shield those processes. The affiliate program lets partners white-label the payload and build their own variants, so per-sample hashes differ from affiliate to affiliate. The group has publicly leaked data from more than 200 victims across multiple sectors, with Scattered Spider contributing the social engineering used for initial access.

Files are encrypted with ChaCha20; as with any sound cipher, recovery without the operator-held keys is not feasible, so tested backups are the only realistic recovery path. No software vulnerability exploit is attributed to the campaign: access comes through people, and the evasion step abuses a signed driver rather than a zero-day, so the absence of a CVE is no reassurance. European organizations face significant risk given the breadth of sectors targeted and the combination of kernel-level evasion with social engineering. Mitigation requires defenses focused on blocking and detecting vulnerable driver loads, hardening help-desk and user identity verification against social engineering, and rapid incident response. Countries with dense digital infrastructure and critical industries, such as Germany, France, the UK, and the Netherlands, are likely to be most affected. Severity is assessed as high because of the potential for widespread disruption, data loss, and operational impact; note that initial access does depend on human interaction, which is exactly why identity-verification controls and awareness carry weight here.
AI Analysis
Technical Summary
DragonForce is a ransomware-as-a-service cartel that emerged in 2023 and has grown from a conventional ransomware crew into a coalition, forming alliances with Scattered Spider, LAPSUS$, and ShinyHunters. The coalition mainly adds social engineering and initial-access capability. The encryptor is built on Conti's leaked source code, with which it shares substantial code overlap, and encrypts files with ChaCha20; the cipher itself is standard, and what makes recovery infeasible is that the keys stay with the operator. For defense evasion the group uses BYOVD: a legitimately signed driver with a known exploitable flaw is dropped and loaded, and the kernel access it grants is used to terminate or disable security software before the encryptor runs, which raises the deployment success rate. The affiliate program allows partners to white-label the payload and build customized variants, so builds differ between affiliates and single-sample hashes age quickly. DragonForce has exposed more than 200 victims on its leak site across a broad range of sectors worldwide, indicating a widespread and persistent threat. The partnership with Scattered Spider, known for help-desk impersonation, credential theft, and MFA abuse, has produced high-profile breaches and shows the cartel combining technical and human attack vectors effectively. No software vulnerability exploit is attributed to the campaign; the observed tactics, techniques, and procedures (TTPs) are those of a hands-on-keyboard intrusion: credential dumping, lateral movement, and process termination to disable defenses, followed by encryption. The threat is ongoing and dynamic, with payload variants and methods continuing to evolve.
Potential Impact
European organizations face significant risk from DragonForce because of its mature encryptor and broad affiliate network. Killing security tooling with a vulnerable driver blinds EDR at the point where it matters most, immediately before exfiltration and encryption, so the final stage can run to completion without an alert. Publication of stolen data on the leak site brings reputational damage, GDPR enforcement exposure, and the direct costs of ransom payment and recovery. Critical infrastructure, healthcare, finance, and manufacturing are particularly exposed because they depend on continuous availability and hold sensitive data. Scattered Spider's involvement raises the probability of successful initial access through social engineering. White-labelled builds mean each affiliate's payload carries different hashes, so detection keyed on file signatures lags behind and behaviour-based detection is needed. Overall, the threat could disrupt operations, compromise sensitive information, and cause significant economic and operational damage across European countries with advanced digital economies and critical infrastructure.
Mitigation Recommendations
European organizations should implement layered defenses tailored to the tactics DragonForce and its affiliates use. Against BYOVD, the most effective control is preventing the vulnerable driver from loading at all: apply Microsoft's recommended driver block list through Windows Defender Application Control, or enable memory integrity (HVCI), which enforces the same list, and restrict who can install driver services. Alongside prevention, have EDR or Sysmon alert on driver loads (Sysmon event 6, and System event 7045 for newly installed kernel-mode services) from unusual paths or with block-listed hashes, and treat termination of AV/EDR processes shortly after such a load as a high-confidence signal. Because Scattered Spider's initial access runs through people, move privileged and remote-access accounts to phishing-resistant MFA (FIDO2 or certificate based) rather than push or SMS, and require identity verification before the help desk performs password or MFA resets; awareness training supports this but does not replace it. Enforce strict credential hygiene across all access points and monitor for unusual authentication patterns, such as new MFA device enrolment followed by VPN or SSO logins from unfamiliar locations. Network segmentation and least privilege limit lateral movement after compromise. Keep backups offline or immutable and regularly test restoration, so recovery does not depend on paying. Update incident response plans for the scenario in which endpoint telemetry has been killed and encryption is already under way. Share threat intelligence within European cybersecurity communities to pick up new variants, and watch the leak site and actor channels to learn of exposure early.
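The driver-load and process-termination monitoring recommended above can be expressed as a small correlation rule. The following Python is an added example written for this page, not code from the Acronis report or from any DragonForce tooling: it reads Sysmon-style DriverLoad (event 6) and ProcessTerminate (event 5) records, scores a driver load on three signals (hash on a vulnerable-driver list, load path outside the system driver directories, signature status), and raises the finding to high when security processes die within two minutes of the load. The event records, the block-list hashes and the list of security process names are constructed placeholders; in production the block list would be imported from Microsoft's recommended driver block list or the LOLDrivers project.

```python
"""Flag BYOVD-style defense evasion in Sysmon-style telemetry.

Added example written for this page; not code from the Acronis report or
from DragonForce tooling. Every event below is constructed, and the entries
in VULNERABLE_DRIVER_SHA256 are placeholders standing in for a real list
such as Microsoft's recommended driver block list or LOLDrivers.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed placeholder hashes; import a real block list in production.
VULNERABLE_DRIVER_SHA256 = {
    "1111111111111111111111111111111111111111111111111111111111111111": "placeholder-vulnerable.sys",
}
# Directories where legitimately installed kernel drivers live.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)
# Short constructed list of AV/EDR processes a driver-based killer targets;
# extend with your own vendor's process names.
SECURITY_PROCESSES = {
    "msmpeng.exe", "mssense.exe", "csfalconservice.exe", "sentinelagent.exe",
}
TERMINATION_WINDOW_S = 120  # seconds after the driver load to look for kills


@dataclass
class SysmonEvent:
    ts: float                   # epoch seconds
    event_id: int               # 6 = DriverLoad, 5 = ProcessTerminate
    image: str                  # ImageLoaded (EID 6) or Image (EID 5)
    hashes: str = ""            # Sysmon "Hashes" field, e.g. "SHA256=...,MD5=..."
    signature_status: str = ""  # EID 6 SignatureStatus, e.g. "Valid"


def parse_hashes(hashes_field: str) -> dict:
    """Turn Sysmon's 'SHA256=..,MD5=..' field into {'sha256': .., 'md5': ..}."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().lower()] = digest.strip().lower()
    return out


def driver_reasons(ev: SysmonEvent) -> list:
    """Why a DriverLoad event looks like BYOVD (empty list = nothing odd)."""
    reasons = []
    path = ev.image.lower()
    sha256 = parse_hashes(ev.hashes).get("sha256", "")
    if sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append(f"hash matches block list ({VULNERABLE_DRIVER_SHA256[sha256]})")
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("driver loaded from outside the system driver directories")
    if ev.signature_status.lower() != "valid":
        reasons.append(f"signature status {ev.signature_status or 'missing'}")
    return reasons


def detect_byovd(events: list) -> list:
    """Correlate suspicious driver loads with security-process terminations.

    A vulnerable driver is normally validly signed and loads cleanly, so the
    hash and path checks alone give medium confidence. EDR/AV processes dying
    within TERMINATION_WINDOW_S of that load is what marks it as a kill
    attempt and raises the finding to high.
    """
    findings = []
    ordered = sorted(events, key=lambda e: e.ts)
    for i, ev in enumerate(ordered):
        if ev.event_id != 6:
            continue
        reasons = driver_reasons(ev)
        if not reasons:
            continue
        killed = [
            PureWindowsPath(e.image).name
            for e in ordered[i + 1:]
            if e.event_id == 5
            and e.ts - ev.ts <= TERMINATION_WINDOW_S
            and PureWindowsPath(e.image).name.lower() in SECURITY_PROCESSES
        ]
        findings.append({
            "driver": ev.image,
            "reasons": reasons,
            "killed": killed,
            "severity": "high" if killed else "medium",
        })
    return findings


# Constructed sample: a benign driver load, then a driver dropped into a
# world-writable directory followed by two AV/EDR process terminations.
SAMPLE_EVENTS = [
    SysmonEvent(1000.0, 6, r"C:\Windows\System32\drivers\tcpip.sys",
                "SHA256=2222222222222222222222222222222222222222222222222222222222222222", "Valid"),
    SysmonEvent(1500.0, 6, r"C:\Users\Public\drv\legit-looking.sys",
                "SHA256=1111111111111111111111111111111111111111111111111111111111111111,MD5=00000000000000000000000000000000", "Valid"),
    SysmonEvent(1503.0, 5, r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"),
    SysmonEvent(1504.0, 5, r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"),
    SysmonEvent(1900.0, 5, r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for f in detect_byovd(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["driver"], f["reasons"], f["killed"])
```

The rule deliberately does not alert on a validly signed driver by itself: the whole point of BYOVD is that the driver is signed, so signature checks catch only the sloppy cases, while the path and block-list checks plus the follow-on kills are what separate an attack from a routine driver install.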
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Indicators of Compromise
- ip: 185.158.113.114
- md5: 0274b39e79fa142adb154d090fa2d09e
- md5: 027edad8db0e1abe6e88d073a9eb296a
- md5: 1406e538fc441e89ce3d1747017f97a5
- md5: 333d79fc5f5d53d7f4fa285d588982ff
- md5: 3357b96f7baef169e28ed5a24ea79f59
- md5: 3a6e2c775c9c1060c54a9a94e80d923a
- md5: 49874b7a63b6a46e3ec426a713d86b2a
- md5: 74a97d25595ad73129fa946dc3156cec
- md5: 770c1dc157226638f8ad1ac9669f4883
- md5: 9db8f7378e2df01c842cfcb617e64475
- md5: 9f7080e56d9b33fe8465da4759146655
- md5: ada4e228e982a7e309bb6a3308e4872d
- md5: b8c046a7c3a28653662140bb2eaad32d
- md5: b97812a2e6be54e725defbab88357fa2
- md5: beadd181d0dbbbe36e0e311c5211a5dd
- md5: e67e7b8e0fb6baff4f25bb05dd5a5e21
- md5: e84270afa3030b48dc9e0c53a35c65aa
- md5: f0410358a0d9dbd0dff3113d9c744ca7
- md5: f73eb3eef76498f4f73eb3eef76498f4
- md5: f744871f84ddf60cf744871f84ddf60c
- sha1: 0b812c1b1ae8299fcaf9ac192587eeed76f5abe4
- sha1: 17fd01e160ab44b6b189a9b3cb529bc74f790097
- sha1: 1f5ae3b51b2dbf9419f4b7d51725a49023abc81c
- sha1: 29baab2551064fa30fb18955ccc8f332bd68ddd4
- sha1: 39ac4805442361b6e731e8907d1bacb5ab782f09
- sha1: 4a34bbad85312ef34b60818a47f7b5bb8e9a7e26
- sha1: 6d38ab49155bda7ed79a0eec8fbb7fb3d37166b1
- sha1: 716cb58d66e5a59b53c90d427d17c5cc53a68f80
- sha1: 818d0e9047f538fa85283d3343bd7d75e5bfc49f
- sha1: 84d3cba5b7cdcd1a231d1a1d860337bdae0dae84
- sha1: 88bd49b1bd9c2bde78bc4e394c993035e0fde3ea
- sha1: 8f31f69f88a75d5faab4f94cfc2ec8a649fe1a24
- sha1: a4566f8bd274ccdd7b0b5f958e1a8097573ad695
- sha1: cc51ba31b585d56959d2296bef849db2ed0d37a1
- sha1: d5cd3d9243c875521b597bfb3d6d16e48d324e0e
- sha1: e8ad966042f179c415c605750488c9df353e4d2e
- sha1: eada05f4bfd4876c57c24cd4b41f7a40ea97274c
- sha1: fc75a3800d8c2fa49b27b632dc9d7fb611b65201
- sha256: 04b14ead49adea9431147c145a89c07fea2c6f1cb515d9d38906c7696d9c91d5
- sha256: 0dfe23ab86cb5c1bfaf019521f3163aa5315a9ca3bb67d7d34eb51472c412b22
- sha256: 1ccf8baf11427fae273ffed587b41c857fa2d8f3d3c6c0ddaa1fe4835f665eba
- sha256: 44994c720ad936809b54388d75945abd18b5707e20c9ee8f87b8f958ca8f5b16
- sha256: 451a42db9c514514ab71218033967554507b59a60ee1fc3d88cbeb39eec99f20
- sha256: 4db090498a57b85411417160747ffd8d4875f98b3ca2b83736a68900b7304d2b
- sha256: 56dfe55b016c08f09dd5a2ab58504b377a3cd66ffba236a5a0539f6e2e39aa71
- sha256: 80e3a04fa68be799b3c91737e1918f8394b250603a231a251524244e4d7f77d9
- sha256: 849ef3cf2c251f6088d735c7b67c3434e915a1d924efecf4d608dbe9bb01928a
- sha256: 8e8f463c37ea7133194731bfe4490e6713dd0133f30fe08a6d069d10fa7db2c6
- sha256: 941b0bb479946c833a0436ecb84b94c8468c86c40016f46029e8bf04a22a754e
- sha256: ad158a9ef5e849f7a2d10828a9aed89ebded7a2b5b3abb765f5797051cdf4a20
- sha256: b10129c175c007148dd4f5aff4d7fb61eb3e4b0ed4897fea6b33e90555f2b845
- sha256: b9bba02d18bacc4bc8d9e4f70657d381568075590cc9d0e7590327d854224b32
- sha256: c844d02c91d5e6dc293de80085ad2f69b5c44bc46ec9fdaa4e3efbda062c871c
- sha256: d67a475f72ca65fd1ac5fd3be2f1cce2db78ba074f54dc4c4738d374d0eb19c7
- sha256: dca4102fba483bf0060427e0d583a1f61d079bf0754db4d61ff2969cc1bc3474
- sha256: df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403
- sha256: e4c44d0f462fce02b2c31555b12c022cdd6eae6492fd3a122e32e105fc5a54f8
- sha256: f58af71e542c67fbacf7acc53a43243a5301d115eb41e26e4d5932d8555510d0
- sha256: f5df98b344242c5eaad1fce421c640fadd71f7f21379d2bf7309001dfeb25972
- url: http://185.158.113.114:5000/affiliate/builder.
- url: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
- url: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
- url: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/news
- domain: 3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
- domain: z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
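The list above mixes three digest lengths and includes a builder URL whose trailing dot looks like listing punctuation. The Python below is an added example for this page, not tooling from the report: it parses the list in the form it is published (with either a generic "hash" label or an explicit algorithm label), infers the hash algorithm from digest length, derives hosts from the URLs so that proxy logs recording only a host or a CONNECT target still match, and checks both file digests and proxy lines. The embedded IOC subset is copied from the page; the proxy log lines and file contents are constructed, and stripping the trailing dot from the builder URL is an assumption.

```python
"""Ingest the IOC list published on this page and match it against host
and proxy telemetry.

Added example written for this page, not tooling from the report. The IOC
values embedded below are a subset copied from the page's own list; the
file contents and proxy log lines are constructed. Stripping the trailing
'.' from the builder URL is an assumption that it is listing punctuation.
"""
import hashlib
import re
from urllib.parse import urlsplit

IOC_TEXT = """\
- ip: 185.158.113.114
- hash: 0274b39e79fa142adb154d090fa2d09e
- hash: 0b812c1b1ae8299fcaf9ac192587eeed76f5abe4
- hash: 04b14ead49adea9431147c145a89c07fea2c6f1cb515d9d38906c7696d9c91d5
- url: http://185.158.113.114:5000/affiliate/builder.
- url: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/news
- domain: 3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
"""

# The algorithm is recoverable from the digest length when the list only
# says "hash".
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = re.compile(r"[0-9a-f]+")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_iocs(text: str) -> dict:
    """Parse '- kind: value' lines into typed sets; URL hosts are added too."""
    iocs = {k: set() for k in ("md5", "sha1", "sha256", "ip", "domain", "url")}
    for line in text.splitlines():
        m = re.match(r"-\s*(\w+):\s*(\S+)", line)
        if not m:
            continue
        kind, value = m.group(1).lower(), m.group(2)
        if kind in ("hash", "md5", "sha1", "sha256"):
            value = value.lower()
            algo = ALGO_BY_LEN.get(len(value))
            if algo and HEX.fullmatch(value):
                iocs[algo].add(value)
        elif kind == "url":
            url = value.rstrip(".")  # assumption: trailing dot is punctuation
            iocs["url"].add(url)
            host = (urlsplit(url).hostname or "").lower()
            if host:
                iocs["ip" if IPV4.fullmatch(host) else "domain"].add(host)
        elif kind in ("ip", "domain"):
            iocs[kind].add(value.lower())
    return iocs


def digests(data: bytes) -> dict:
    """All three digests of a file's bytes, keyed by algorithm name."""
    return {algo: getattr(hashlib, algo)(data).hexdigest()
            for algo in ("md5", "sha1", "sha256")}


def match_digests(file_digests: dict, iocs: dict) -> list:
    """Return the algorithms whose digest of the file appears in the IOC set."""
    return [algo for algo, d in file_digests.items() if d.lower() in iocs[algo]]


# Constructed proxy log shape: "<timestamp> <client> <METHOD> <target>"
PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<target>\S+)")


def match_proxy_line(line: str, iocs: dict) -> list:
    """Match a proxy line on full URL, then on the host as IP or domain."""
    m = PROXY_LINE.match(line)
    if not m:
        return []
    target = m.group("target")
    # CONNECT lines carry host:port rather than a URL; normalise to a URL.
    url = target if "://" in target else f"http://{target}"
    host = (urlsplit(url).hostname or "").lower()
    hits = []
    if url.rstrip("/") in iocs["url"]:
        hits.append(f"url:{url}")
    if host in iocs["ip"]:
        hits.append(f"ip:{host}")
    if host in iocs["domain"]:
        hits.append(f"domain:{host}")
    return hits


# Constructed: two requests to the affiliate builder host, one benign request.
SAMPLE_PROXY = [
    "2025-11-07T09:22:45Z 10.0.5.12 CONNECT 185.158.113.114:5000",
    "2025-11-07T09:23:01Z 10.0.5.12 GET http://185.158.113.114:5000/affiliate/builder",
    "2025-11-07T09:24:10Z 10.0.5.40 GET https://www.example.com/index.html",
]

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    print({k: len(v) for k, v in iocs.items()})
    for line in SAMPLE_PROXY:
        print(match_proxy_line(line, iocs) or "-", line)
    print(match_digests(digests(b"constructed benign content"), iocs))
```

Two caveats when using this list. The .onion hosts never pass through corporate DNS or an ordinary forward proxy, so the two onion domains will not fire in those logs; their value is in confirming a leak-site posting or in rules that detect Tor client traffic itself. And because affiliates white-label their own builds, per-sample hashes from one victim rarely match the next, so treat the hash set as confirmation of an intrusion rather than as primary detection.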
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.acronis.com/en/tru/posts/the-dragonforce-cartel-scattered-spider-at-the-gate/
- Adversary: DragonForce
- Pulse Id: 690b1a8fb4a0df0cf6a16178
- Threat Score: null
Threat ID: 690dba651280f279b842fd08
Added to database: 11/7/2025, 9:22:45 AM
Last enriched: 11/7/2025, 9:24:23 AM
Last updated: 11/20/2025, 9:32:26 AM