The ransomware world isn’t just evolving—it’s fragmenting, decentralizing, and growing more dangerous. In this volatile landscape, DragonForce is emerging as one of the most intriguing and threatening actors of 2025. Born from possible hacktivist roots and now fully immersed in the economics of cyber crime, DragonForce represents a new era of hybrid threats: ideologically ambiguous, technologically agile, and fiercely opportunistic.
A Ransomware Group Built for the Gig Economy
DragonForce first appeared in December 2023 with the launch of its “DragonLeaks” dark web portal. Some researchers trace its lineage to DragonForce Malaysia, a long-standing hacktivist collective. But its current trajectory is far from purely ideological.
By 2025, DragonForce has matured into a ransomware group with a business model tailored to attract displaced or freelance affiliates. Key features include:
- 20% revenue share: A lower commission than most ransomware-as-a-service (RaaS) offerings.
- White-label ransomware kits: Affiliates can create unique ransomware brands, compile their own binaries, and customize ransom notes and file extensions.
- Pre-built infrastructure: Access to negotiation tools, encrypted storage, and templated leak sites (branded “RansomBay”).
Following the April 2025 disappearance of RansomHub, DragonForce moved quickly to absorb its affiliates, pitching itself as an agile alternative to collapsed legacy operators. In a world where trust in big-name RaaS brands is eroding, DragonForce offers anonymity, flexibility, and profit.
Ransomware in 2025: A Historic Surge
DragonForce’s rise is happening during a record-breaking spike in global ransomware activity. According to Check Point’s State of Ransomware Q1 2025 report:
- 2,289 publicly named ransomware victims were reported in just Q1—a 126% year-over-year increase, setting an all-time high.
- 74 distinct ransomware groups are now operating concurrently, highlighting an explosion of new actors and affiliate-driven threats.
- Even with inflated claims and recycled victim lists becoming common, the adjusted monthly average of confirmed victims has surged past 650 per month—a staggering rise from ~450/month in 2024.
Ransomware isn’t just growing in volume. It’s also mutating in method. Many groups increasingly focus on data extortion without encryption, reducing operational complexity and accelerating monetization.
Retail in the Crosshairs: UK Under Siege
In April and May 2025, DragonForce launched a campaign targeting high-profile UK retailers. These attacks triggered multi-day outages of e-commerce platforms, loyalty programs, and internal operations. The campaign may also reflect a broader strategic pivot: away from ransom-only income, toward harvesting high-volume PII for secondary monetization.
Check Point data confirms the trend. The consumer goods & services sector (which includes retail) is now the 5th most attacked vertical in the UK, experiencing:
- 1,337 weekly cyberattacks per organization.
- 8% higher attack rate than the national average.
- A 22% year-over-year increase for the sector.
This aligns with broader ransomware targeting preferences—particularly for groups like Cl0p, which also show a disproportionate focus on this vertical.
A Fragmented Ecosystem Feeding the Fire
DragonForce isn’t the only one adapting. With LockBit and ALPHV dismantled by law enforcement in 2024, the ransomware ecosystem has fragmented:
- RansomHub briefly filled the vacuum before disappearing in April 2025.
- Dozens of mid-tier actors are now competing for affiliates, including groups like Akira, Medusa, and Play.
- Affiliate loyalty is low—and business models are getting aggressive, with many offering 80/20 splits and zero up-front costs.
DragonForce stands out by merging the simplicity of a platform with the influence of a movement. It offers not just tools, but identity and alignment—however vague or flexible that may be.
AI, Automation, and Ransomware’s Next Act
Check Point’s 2025 reports also note a chilling trend: the increased use of AI in malware development and campaign scaling.
- Groups like FunkSec have used LLM-assisted malware builders, lowering the technical barrier to entry.
- Deepfake audio and visual impersonation tools are being deployed to enhance social engineering and victim manipulation.
- Criminals now use GenAI to manage multilingual phishing campaigns, BEC attacks, and even OTP theft through automated call bots.
This trend is accelerating the professionalization of ransomware operations. It also makes defenders’ jobs exponentially harder.
Infinity Protection: Built for the Threats of Now
Check Point is meeting this moment with AI-powered, prevention-first cyber security:
- Infinity ThreatCloud AI: Detects and blocks 99.8% of malware and phishing, preventing over 3 billion attacks annually.
- Infinity AI Copilot: Automates security policy deployment, incident response, and threat hunting—freeing up teams and closing talent gaps.
- Complete coverage: From endpoints to cloud, data centers to SaaS, with unified visibility across the entire attack surface.
In a threat landscape defined by ransomware, fake branding, and AI-powered automation, only real-time, consolidated security intelligence can keep organizations ahead.
Conclusion: Ransomware-as-a-Service, Crime as a Brand
DragonForce isn’t just a ransomware gang—it’s a marketing strategy, a business model, and an ecosystem all rolled into one. And that makes it more dangerous than most. Its success lies not in technical sophistication, but in lowering the barrier to cyber crime, in giving ex-affiliates a home, in letting new actors build personal brands, and in capitalizing on a world still struggling to adapt to the ransomware-as-a-service reality. The future of ransomware is decentralized, automated, and disturbingly accessible.