The CCB has published a detailed threat actor profile on DragonForce, a rapidly expanding Ransomware-as-a-Service (RaaS) operator that has compromised over 400 organisations worldwide including two Belgian entities in the construction and business services sectors. This report provides an in-depth assessment of the group's origin, tactics, targeting patterns, and recommended defences.
Key findings
- Financially motivated RaaS operator: no evidence of nation-state sponsorship or ideological affiliation. Operational rules explicitly prohibit attacks on CIS/Russia, suggesting a Russian or CIS origin.
- Double extortion model: DragonForce both encrypts victim data and exfiltrates it before deployment, maximising ransom leverage through the threat of public data disclosure.
- 400+ victims across 30+ countries: the United States is the primary target. Two Belgian organisations have been confirmed victims, with resulting operational downtime and data exposure.
- Top targeted sectors: manufacturing, business services, technology, construction, and healthcare; chosen for their high economic value and relatively weaker security postures.
- Aggressive ecosystem expansion: DragonForce has absorbed or displaced rival groups including BlackLock and RansomHub, consolidating affiliates under a growing cartel structure.
- Attack activity projected to peak in 2026: sustained affiliate recruitment and an evolving RaaS model indicate an upward operational tempo.