DragonForce

DragonForce is a ransomware group maintaining sustained victim-posting activity through March and April 2026, operating alongside LockBit5 as one of the two highest-volume active ransomware operators in the period. The group runs a ransomware-as-a-service model with its own leak site. In March 2026, it was among the most active groups within the 808 total ransomware victim postings across 65 active groups that Mandiant's M-Trends 2026 report recorded, a figure 19 per cent up month-on-month and 33 per cent above the 2025 monthly average.

DragonForce has been active since approximately 2023 and is not reliably attributable to a specific nation-state. It has targeted organisations in critical infrastructure, manufacturing, retail and services sectors across the US, UK, Europe and the Asia-Pacific region. The group gained broader attention in 2024 when it emerged as a significant alternative RaaS platform following the disruption of LockBit and ALPHV, recruiting affiliates who had previously worked with those platforms.

The group's sustained volume in early 2026, alongside LockBit5 and the newly appearing Coinbasecartel group, is consistent with the wider March 2026 data showing aggregate ransomware activity well above the 2025 monthly average despite Major law enforcement operations against RaaS platforms in 2024. This indicates that affiliate-model RaaS volume is not determined by single-platform disruptions but by the total ecosystem capacity across multiple platforms.