The global ransomware ecosystem is undergoing a profound transformation in 2025, marked by unprecedented fragmentation, decentralization, and sophistication.
Amid this shifting threat landscape, DragonForce has emerged as a formidable and enigmatic actor, blending the tactics of hacktivism with the economics of cybercrime to create a new breed of hybrid threat.
The group, which first surfaced in December 2023 with its “DragonLeaks” dark web portal, appears to have roots in the longstanding hacktivist collective DragonForce Malaysia.
However, its current operations now reflect a clear shift towards monetization and professionalization, positioning DragonForce at the forefront of the ransomware-as-a-service (RaaS) surge gripping the cybercriminal underworld.
Decentralization and the Surge of Ransomware Activity
Check Point’s State of Ransomware Q1 2025 report highlights the scale of this crisis, with 2,289 publicly named ransomware victims reported in just the first quarter-a staggering 126% increase year over year and an all-time record.
At least 74 distinct ransomware groups are now active globally, a testament to the explosion of affiliate-driven campaigns and the proliferation of customizable malware kits.
Even after factoring in inflated claims and rehashed victim lists, the adjusted monthly average of confirmed ransomware victims has soared to over 650, up dramatically from roughly 450 per month in 2024.
This surge is paralleled by a shift in attack methodology, with an increasing focus on data extortion-often foregoing encryption in favor of speed and operational simplicity.
DragonForce’s Business Model and Affiliate Strategy
DragonForce has capitalized on the ongoing collapse of major RaaS brands like LockBit, ALPHV, and, most recently, RansomHub, which vanished abruptly in April 2025.
In the resulting power vacuum, DragonForce’s agility and innovative business model have attracted a wave of displaced or freelance affiliates.
The group offers a competitive 20% revenue share, undercutting traditional commission rates and appealing to cybercriminals seeking more favorable terms.
Its platform provides “white-label” ransomware kits, allowing affiliates to develop unique ransomware brands, customize binaries, and tailor ransom notes and file extensions.
Additionally, DragonForce boasts a suite of operational infrastructure tools, including encrypted storage, negotiation interfaces, and templated leak sites branded as “RansomBay,” streamlining the attack process for even minimally skilled actors.
This approach has fueled rapid affiliate growth, as trust in established RaaS brands erodes due to law enforcement crackdowns and financial instability.
DragonForce’s ability to offer both anonymity and operational flexibility has set it apart in an increasingly competitive and unpredictable ecosystem.
The group’s strategic pivot is also evident in its targeting preferences, exemplified by a wave of high-impact attacks on UK retail giants in April and May 2025.
These campaigns triggered prolonged outages of e-commerce platforms and loyalty programs, and point to an apparent expansion into high-volume PII harvesting for secondary monetization.
DragonForce’s rise coincides with a broader industry trend: the weaponization of artificial intelligence to enhance both scale and sophistication of attacks.
Check Point’s 2025 analyses reveal that adversaries-including groups like FunkSec-are leveraging large language models to automate malware development and accelerate campaign orchestration.
Advances in deepfake audio and video are being exploited for targeted social engineering, while generative AI systems manage multilingual phishing, business email compromise, and even one-time-password theft via automated call bots.
These innovations are drastically lowering technical barriers for would-be attackers and driving the professionalization of ransomware operations.
The retail sector, particularly in the UK, remains in the crosshairs. Check Point reports show that organizations in consumer goods and services face an average of 1,337 weekly cyberattacks-an 8% higher rate than the national average and a 22% annual increase.
DragonForce, alongside groups like Cl0p, exemplifies this growing focus on high-value targets susceptible to both operational disruption and data exploitation.
As 2025 unfolds, DragonForce illustrates the convergence of ideological ambiguity, technological agility, and ruthless opportunism that defines the new ransomware vanguard.
With the ransomware ecosystem increasingly fragmented and automated, organizations must brace for a threat environment that is not just larger, but fundamentally transformed.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
