In the ever-evolving landscape of cybercrime, a new rivalry is reshaping the ransomware ecosystem. DragonForce, a group with roots in hacktivism, has rapidly transformed into a formidable ransomware-as-a-service (RaaS) cartel, recently launching high-profile attacks on prominent UK retailers including Marks & Spencer (M&S), Harrods, and the Co-op. This surge in activity coincides with a public and aggressive turf war against rival group RansomHub.
DragonForce: From Hacktivists to Ransomware Cartel
Emerging in August 2023, DragonForce initially gained notoriety for their politically motivated attacks. However, by early 2025, the group had pivoted to profit-driven cybercrime, operating a RaaS model that supplies ransomware tools and infrastructure to affiliates. This shift enabled DragonForce to scale its operations rapidly and target larger, more lucrative organizations.
In the spring of 2025, DragonForce affiliates orchestrated a series of attacks on major UK retailers. M&S suffered a significant ransomware incident in late April, resulting in widespread outages and disruptions to online orders and payment systems. The Co-op faced a similar breach days later, with hackers claiming access to sensitive customer and employee data. Harrods was also targeted in this wave of attacks, with DragonForce publicly claiming responsibility.
Escalating Rivalry: DragonForce vs. RansomHub
The recent escalation in DragonForce’s activities has brought it into direct conflict with RansomHub, another dominant RaaS group that rose to prominence following the decline of previous major players like LockBit and ALPHV. Both groups are now fiercely competing for affiliates and market share within the cybercriminal underworld.
In March 2025, DragonForce announced a strategic rebrand as a “cartel,” aiming to attract more affiliates and assert its dominance. Shortly thereafter, RansomHub’s leak site was mysteriously taken offline and replaced with a cryptic message: “R.I.P 3/3/25.” Industry analysts interpret this as a likely hostile action by DragonForce, signaling the start of an open turf war.
DragonForce’s aggression did not stop there. The group began defacing leak sites operated by other ransomware collectives, including BlackLock and Mamona, further intensifying the conflict. In retaliation, a prominent RansomHub member known as “koley” defaced DragonForce’s homepage, accusing the group of betrayal and even alleging collaboration with law enforcement. The feud has since played out across underground forums, with both sides engaging in public taunts and accusations of sabotage.
Implications for Businesses and the Ransomware Ecosystem
Cybersecurity experts warn that this escalating turf war poses significant new risks for organizations:
- Increased Attack Frequency: As rival groups compete, there is a heightened risk of more frequent and aggressive attacks on high-value targets.
- Multiple Extortion Attempts: Companies may face repeated extortion attempts from different groups or affiliates switching allegiances.
- Greater Unpredictability: The volatile environment makes it more difficult for businesses to anticipate and defend against evolving threats.
DragonForce’s transition to a cartel model and its open hostility toward competitors mark a new, more volatile era in ransomware operations. The group’s recent attacks on M&S, Harrods, and the Co-op underscore the growing sophistication and ambition of modern ransomware actors.
For further insights on ransomware trends and best practices for cyber defense, consult with cybersecurity professionals or visit trusted resources such as the UK National Cyber Security Centre (NCSC) and the US Cybersecurity & Infrastructure Security Agency (CISA).
