DragonRansomware is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 39 public victims claimed by this operator between December 15, 2024 and December 17, 2024.

DragonRansomware is a relatively new ransomware operation that emerged in December 2024, appearing to be financially motivated based on its targeting patterns and operational characteristics. The group's origin and potential affiliations remain unclear due to its recent emergence, though its global targeting scope suggests either international operations or ransomware-as-a-service capabilities. With 39 documented victims across multiple continents, the group demonstrates a broad attack methodology that has successfully compromised organizations in India, the United States, Saudi Arabia, the United Kingdom, and China, with particular focus on technology companies, business services, transportation and logistics firms, and educational institutions.

The group's attack vectors, encryption methods, and specific tools remain largely undocumented in public threat intelligence reporting from major security firms and government agencies. Given the limited timeframe since its first observation in December 2024, notable high-profile campaigns and major incidents have not yet been extensively documented by established threat intelligence sources such as CISA, FBI, or leading cybersecurity research organizations. DragonRansomware appears to remain active as of early 2025, though comprehensive analysis of its operational capabilities and long-term threat potential requires additional observation and documentation by the cybersecurity community.
How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.