Organisation

DragonForce

RaaS ransomware operator; high-volume since 2023; confirmed SimpleHelp RMM initial access in 2026.

Last refreshed: 8 May 2026 · Appears in 1 active topic

Key Question

Is DragonForce filling the gap left by ALPHV and old LockBit after the 2024 takedowns?

Timeline for DragonForce

#319 Apr

Confirmed using SimpleHelp RMM CVE-2024-57726/57728 as initial access vector

Cybersecurity: Threats and Defences: KB5091157, Gentlemen C2 intel, ENISA CNAs: in brief

View full timeline →

Follow Cybersecurity: Threats and Defences →

Common Questions

What is DragonForce ransomware?: DragonForce is a ransomware-as-a-service group active since approximately 2023, operating a leak site and affiliate programme. It was among the highest-volume ransomware operators in March 2026 alongside LockBit5.Source: Mandiant M-Trends 2026
Is DragonForce related to LockBit or ALPHV?: DragonForce is a separate ransomware operation, not a rebrand of LockBit or ALPHV. It has recruited affiliates from disrupted platforms but maintains its own infrastructure and brand. Its rise in 2024 coincided with law enforcement disruption of those platforms.Source: Mandiant / cybersecurity threat intelligence
How does DragonForce ransomware get into networks?: DragonForce affiliates have been confirmed using vulnerabilities in SimpleHelp RMM software (CVE-2024-57726 and CVE-2024-57728) as initial access for ransomware deployment, as disclosed in May 2026.Source: Palo Alto / Check Point Research

Background

DragonForce is a ransomware group maintaining sustained victim-posting activity through 2025 and 2026, operating alongside LockBit5 as one of the two highest-volume active ransomware operators in the period. The group runs a ransomware-as-a-service model with its own leak site. In March 2026, it was among the most active groups within the 808 total ransomware victim postings across 65 active groups that Mandiant's M-Trends 2026 report recorded, a figure 19 per cent up month-on-month and 33 per cent above the 2025 monthly average.

DragonForce has been active since approximately 2023 and is not reliably attributable to a specific nation-state. It has targeted organisations in critical infrastructure, manufacturing, retail and services sectors across the US, UK, Europe and the Asia-Pacific region. The group gained broader attention in 2024 when it emerged as a significant alternative RaaS platform following the disruption of LockBit and ALPHV, recruiting affiliates who had previously worked with those platforms.

In May 2026, DragonForce was confirmed as using flaws in SimpleHelp RMM — CVE-2024-57726 and CVE-2024-57728 — as initial access for ransomware deployment. This confirms a pattern of DragonForce affiliates exploiting remote monitoring and management (RMM) software as the entry point, consistent with the broader trend of threat actors targeting IT management tooling rather than end-user endpoints. The group's sustained volume, alongside the new RMM initial-access confirmation, is consistent with the wider pattern of affiliate-model RaaS volumes remaining high despite law enforcement operations against individual platforms.

How the World Sees Them

The US accounted for approximately 50 per cent of all March 2026 ransomware victim claims globally, making DragonForce-exposed US organisations its primary victim pool.

Defenders

DragonForce's cross-sector targeting and sustained volume make it a top-tier operational priority for SOC teams globally. Ransomware telemetry providers track its leak-site postings in near-real-time.

Law enforcement

No major DragonForce-specific law enforcement action has been publicly confirmed. The group is monitored by Europol, FBI and NCA as part of wider RaaS ecosystem tracking.