In early 2025, the DragonForce ransomware group emerged as a formidable threat, orchestrating sophisticated cyberattacks against major UK retailers, including Marks & Spencer (M&S), the Co-op, and Harrods. These incidents not only disrupted operations but also exposed vulnerabilities in the cybersecurity frameworks of these organizations.
The Evolution of DragonForce
Originally surfacing in December 2023, DragonForce has transitioned from its hacktivist origins into a financially motivated ransomware-as-a-service (RaaS) operation. The group offers affiliates:
- White-label ransomware kits: Allowing customization of ransomware payloads and ransom notes.
- Pre-built infrastructure: Including negotiation tools and encrypted storage.
- Revenue-sharing model: Offering affiliates up to 80% of the ransom proceeds.
This model has attracted a diverse range of cybercriminals, expanding DragonForce’s reach and impact.
Attack Vectors and Techniques
DragonForce employs a combination of tactics to infiltrate target networks:
- Social Engineering: Impersonating employees to deceive IT help desks into resetting passwords, granting unauthorized access to internal systems.
- Exploitation of Vulnerabilities: Leveraging unpatched software flaws to gain entry into networks.
- Use of Legitimate Tools: Deploying tools like Cobalt Strike and Mimikatz for lateral movement and privilege escalation within networks.
Indicators of Compromise (IOCs)
Organizations should be vigilant for the following IOCs associated with DragonForce ransomware:
- File Extensions: Encrypted files often have the “.dragonforce_encrypted” extension.
- Ransom Notes: Presence of “readme.txt” files containing ransom demands and contact information.
- Unusual Network Activity: Unexpected outbound connections, especially to known malicious IP addresses.
- Unauthorized Access Attempts: Multiple failed login attempts or password reset requests.
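As an added example (not code from the original post or from Armoryze), the following Python sweep turns the two file-based indicators above into a per-directory triage report; the sample tree is constructed, and the "strong" / "encrypted-only" / "note-only" rating is an assumption made here because readme.txt is a common file name and is only a convincing signal when it sits beside files carrying the DragonForce extension.

```python
import os
import tempfile

# Indicators from the post: the encrypted-file extension and the ransom note name.
ENCRYPTED_EXT = ".dragonforce_encrypted"
RANSOM_NOTE = "readme.txt"


def find_dragonforce_artifacts(root):
    """Walk a tree and rate every directory that carries an indicator.
    A note beside encrypted files is 'strong'; encrypted files alone are
    'encrypted-only'; a lone readme.txt is 'note-only' (review, don't alert)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        note_present = any(f.lower() == RANSOM_NOTE for f in files)
        if not encrypted and not note_present:
            continue  # nothing of interest in this directory
        if encrypted and note_present:
            verdict = "strong"
        elif encrypted:
            verdict = "encrypted-only"
        else:
            verdict = "note-only"
        report[os.path.relpath(dirpath, root)] = {
            "encrypted_files": len(encrypted),
            "ransom_note": note_present,
            "verdict": verdict,
        }
    return report


def build_sample_tree():
    """Constructed sample tree (not real data): one hit directory,
    one decoy readme.txt and one clean directory."""
    root = tempfile.mkdtemp(prefix="df_sample_")
    layout = {
        "finance": ["q1.xlsx.dragonforce_encrypted",
                    "q2.xlsx.dragonforce_encrypted", "readme.txt"],
        "docs": ["readme.txt", "guide.pdf"],
        "clean": ["notes.txt"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "w").close()
    return root
```

Run it against a share or backup mount point rather than a single host to get a sense of how far encryption spread before isolating systems.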
SHA1 Ransom Notes
SHA1 Payloads
Impact on UK Retailers
The attacks have had significant repercussions:
- Marks & Spencer: Faced operational disruptions, including suspension of online orders and stock shortages, leading to an estimated £30 million in financial impact.
- Co-op: Experienced system shutdowns and confirmed unauthorized access to limited member data.
- Harrods: Reported a hacking attempt, which was contained with minimal disruption.
These incidents underscore the critical need for robust cybersecurity measures in the retail sector.
Armoryze: Your Trusted Partner in Cyber Resilience
At Armoryze, we specialize in fortifying organizations against evolving cyber threats. Our services include:
- Penetration Testing & Vulnerability Assessments: Identifying and mitigating potential security weaknesses.
- Incident Response Planning: Developing strategies to effectively respond to and recover from cyber incidents.
- Cyber Essentials & Cyber Essentials Plus Certification: Assisting businesses in achieving recognized security standards.
- ISO 27001 Certification: Guiding organizations in establishing a comprehensive information security management system and certifying it against the ISO 27001 standard.
Our team of experts is dedicated to enhancing your organization’s resilience against threats like DragonForce.
Conclusion
The rise of DragonForce signifies a new chapter in cybercrime, characterized by hybrid extortion tactics and decentralized operations. UK businesses, particularly in the retail sector, must proactively strengthen their cybersecurity frameworks to mitigate these evolving threats.
Armoryze stands ready to support your organization in navigating this complex landscape, ensuring resilience against current and future cyber threats. For more information on how Armoryze can enhance your cybersecurity posture, contact us today.