Threat Actor Spotlight: DragonForce
APRIL 2025
Into the Dragon’s Den
This year has already been marked by hostile takeovers and unprecedented levels of aggression among ransomware groups.
Ransomware groups operate like well-oiled corporations, competing for market share, talent, and brand recognition. Groups like DragonForce, RansomHub, and LockBit actively develop ransomware tools to attract affiliates. Just like legitimate businesses, they offer generous commission plans, provide training and customer support channels, and monitor a funnel of 'sales opportunities' (attacks, to you and me). These groups even recruit and retain labor. Young hackers today are choosing "which team to sign up with" based on payout history, tool reliability, and operational support.
As ransom payment rates decline and competition intensifies, these groups are becoming more aggressive — not just in their tactics, but in their business operations. Some are outright acquiring their rivals. Unsurprisingly, not all of these "mergers" are peaceful or consensual.
“The consolidation of threat actor groups is directly resulting in more aggressive cyber insurance cases.”
DragonForce: From Hacktivism to Hostile Takeovers
DragonForce, initially known for politically motivated attacks, has reemerged as one of the most aggressive ransomware groups in 2025. In a bold move earlier this year, DragonForce claimed to have taken control of RansomHub’s infrastructure. This coincided with RansomHub’s data leak site going dark—suggesting this was no friendly acquisition.
Notable Shifts:
No Encryption, Just Extortion: In several cases, DragonForce exfiltrates data and skips encryption altogether, focusing solely on reputational and regulatory pressure to drive payments.
Direct Harassment Campaigns: They contact not only the victim company, but employees, clients, and vendors — maximizing emotional pressure.
Rapid Exploitation of CVEs: DragonForce closely monitors CVE disclosures and quickly weaponizes new vulnerabilities, focusing on remote access services such as RDP and ScreenConnect.
"Living off the Land": They make minimal moves, escalating privileges fast, pivoting to Active Directory, and avoiding noisy scans.
RansomHub: Absorbed or Out?
RansomHub was the fastest-rising ransomware-as-a-service group in late 2024, known for high-volume attacks and its strict affiliate model. But by Q1 2025, its infrastructure went offline, and DragonForce began claiming credit. Whether this was a technical compromise, internal defection, or full hostile takeover remains unclear—but the brand appears absorbed or shelved.
BlackLock (formerly El Dorado): Growth, Rebrand, Exposure
Once known as El Dorado, this group rebranded as BlackLock and quickly scaled operations through 2024. In early 2025, a security firm exploited a vulnerability in their data leak site, exposing backend operations and alerting victims. Despite this, BlackLock remains highly active in the RaaS space.
Implications for Cyber Insurers & Breach Counsel
Key Takeaways:
Expect Aggression: DragonForce will apply extraordinary psychological pressure. Your policyholders may receive direct calls. Prepare them to hang up and route all communication through approved channels.
Re-Exposure Risks: Data stolen under one group’s name may now be repackaged and leaked again by another. Deals struck with RansomHub may not apply if DragonForce now controls the stolen data.
Fast-Moving Threats: These groups no longer sit idle inside networks. They attack fast, escalate faster, and don’t wait for you to react.
Recommendations:
Educate internal teams and clients about threat actors' modern pressure tactics
Confirm that insurance policies are updated to reflect threat actor rebranding and escalation methods
Designate communication protocols early; negotiator-only channels help defuse social engineering
Patch aggressively and prioritize RDP and third-party access tool monitoring
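A defender-side starting point for the RDP monitoring recommendation above, added here as an example; it is not code from PNG Cyber or from the original spotlight. It flags successful interactive RDP logons (Windows Security event 4624 with LogonType 10) whose source address falls outside the private, loopback, and link-local ranges, then summarises which accounts were reached from which external addresses. The key=value line layout is an assumed SIEM export format, and the sample events are constructed for this example.

```python
"""Flag RDP logons from non-internal addresses in a key=value export of
Windows Security events and summarise them per account.

Event 4624 is a successful logon; LogonType 10 is RemoteInteractive (RDP).
The line format and the sample events below are constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample events. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, used here to stand in for arbitrary internet addresses.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.0.4.17 WorkstationName=FIN-WS01",
    "EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=203.0.113.45 WorkstationName=-",
    "EventID=4624 LogonType=3 TargetUserName=jsmith IpAddress=10.0.4.17 WorkstationName=FIN-WS01",
    "EventID=4624 LogonType=10 TargetUserName=admin IpAddress=198.51.100.9 WorkstationName=-",
    "EventID=4624 LogonType=10 TargetUserName=admin IpAddress=198.51.100.9 WorkstationName=-",
    "EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.9 WorkstationName=-",
]

# Address space treated as "internal": RFC 1918, loopback, link-local, ULA.
# We check these ranges explicitly rather than relying on ipaddress.is_private,
# which also classifies the documentation ranges above as private.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "127.0.0.0/8", "169.254.0.0/16",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'Key=Value Key=Value ...' line into a dict."""
    return dict(FIELD_RE.findall(line))


def is_external(ip_text):
    """True if the address parses and is outside every internal range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # "-" or an empty field: nothing to attribute
    return not any(ip in net for net in INTERNAL_NETS)


def external_rdp_logons(lines):
    """Return (user, source_ip) for each successful RDP logon from outside."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "10":
            continue  # skip failures and non-RDP logon types
        if is_external(ev.get("IpAddress", "")):
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits


def summarize(hits):
    """Map each account to the sorted set of external addresses it was reached from."""
    per_account = defaultdict(set)
    for user, ip in hits:
        per_account[user].add(ip)
    return {user: sorted(ips) for user, ips in per_account.items()}


if __name__ == "__main__":
    for user, ips in summarize(external_rdp_logons(SAMPLE_EVENTS)).items():
        print(f"{user}: RDP logon from external address(es) {', '.join(ips)}")
```

In practice the internal ranges would be replaced with the organisation's own address plan and the VPN pool, and any account that appears in the summary with an address not already on an allow-list is a candidate for immediate review, since an RDP session reached directly from the internet is exactly the foothold the spotlight describes.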
PNG Cyber offers 24/7 emergency assistance. If you need incident response support, please contact us at (888) 757-3776 or email us at incidentresponse@png-cyber.com.