Description: DragonForce Ransomware Gang Expands Operations, Targets 120+ Organizations Worldwide The DragonForce ransomware gang has compromised over 120 organizations globally in the past year, evolving from a ransomware-as-a-service (RaaS) model into a full-fledged ransomware cartel. According to a report by Bitdefender, the group gains initial access through phishing, credential stuffing, and the exploitation of critical vulnerabilities, including CVE-2024-21412, CVE-2024-21887, and CVE-2024-21893. Once inside networks, DragonForce employs living-off-the-land (LotL) techniques to maintain persistence and move laterally, evading detection. In one high-profile intrusion last year, the group demanded a $7 million ransom, underscoring its financial motivations. Beyond its own operations, DragonForce has aggressively expanded its influence by partnering with other RaaS groups and attempting to take over rival operations, including LockBit and RansomHub. The gang has vandalized competitors’ data leak sites and targeted their attack infrastructure in a bid to dominate the ransomware landscape. These tactics signal a shift toward consolidation and heightened competition among cybercriminal syndicates.

Description: Ransomware Attacks Hit Record Highs in 2025 Despite Major Disruptions A new study by Symantec and the Carbon Black Threat Hunter Team reveals that ransomware attacks surged to unprecedented levels in 2025, with threat actors adapting rapidly to law enforcement crackdowns and evolving their extortion tactics. The report documented 4,737 claimed ransomware attacks the highest annual total on record despite the collapse of two major operations. RansomHub, the most active group at the time, abruptly shut down in April 2025, causing a brief dip in activity. However, former affiliates quickly migrated to other groups, restoring attack volumes within weeks. LockBit (tracked as Syrphid) also failed to recover after late-2024 law enforcement actions. New leaders emerged to fill the void. Akira and Qilin each accounted for 16% of attacks, while Inc, Safepay, and the newly identified DragonForce contributed smaller but significant shares. The fluid movement of affiliates, access brokers, and tooling between groups sustained overall activity levels. Beyond traditional encryption-based ransomware, extortion campaigns without encryption surged in 2025. These attacks focused on data theft and public leaks pushed total extortion incidents to 6,182, a 23% increase from 2024. Snakefly’s Cl0p operation played a key role, exploiting vulnerabilities in enterprise software to target government and industrial sectors at scale. Social engineering also became a dominant attack vector, with groups like ShinyHunters and Scattered Spider using phone-based impersonation, credential harvesting, and OAuth abuse to breach cloud environments. Attackers tricked employees into authorizing malicious apps or sharing authentication codes, reducing reliance on malware. A new ransomware strain, Warlock, drew attention for its ties to older espionage tooling. Exploiting a zero-day in Microsoft SharePoint and using DLL sideloading, Warlock incorporated components linked to Chinese state-sponsored activity, blending ransomware with broader intrusion campaigns. Despite these shifts, attack chains remained consistent. Threat actors relied on "living off the land" techniques, leveraging PowerShell, remote management tools, and credential dumping to evade detection. Malware often appeared late in the intrusion, just before encryption or data theft. The findings underscore how ransomware operations continue to thrive, even as law enforcement disrupts key players, by diversifying extortion methods and exploiting shared infrastructure.