Skip to main content

Operator dossier

dragonransomware is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 39 public victims claimed by this operator between December 15, 2024 and December 17, 2024. DragonRansomware is a relatively new ransomware operation that emerged in December 2024, appearing to be financially motivated based on its targeting patterns and operational characteristics. The group's origin and potential affiliations remain unclear due to its recent emergence, though its global targeting scope suggests either international operations or ransomware-as-a-service capabilities. With 39 documented victims across multiple continents, the group demonstrates a broad attack methodology that has successfully compromised organizations in India, the United States, Saudi Arabia, the United Kingdom, and China, with particular focus on technology companies, business services, transportation and logistics firms, and educational institutions. The group's attack vectors, encryption methods, and specific tools remain largely undocumented in public threat intelligence reporting from major security firms and government agencies. Given the limited timeframe since its first observation in December 2024, notable high-profile campaigns and major incidents have not yet been extensively documented by established threat intelligence sources such as CISA, FBI, or leading cybersecurity research organizations. DragonRansomware appears to remain active as of early 2025, though comprehensive analysis of its operational capabilities and long-term threat potential requires additional observation and documentation by the cybersecurity community.

Most-targeted sectors

Most-affected countries

Recent disclosures by dragonransomware

All 39 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for dragonransomware

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

dragonransomware

39 victims indexed · first seen 2 years ago · last activity 2 years ago

39
Victims indexed
#122 of 364 tracked operators
<1m
Active period
Dec 2024 → Dec 2024
10
Countries hit
top IN · 10

At a glance

Status
inactive
First seen
2 years ago
Last activity
2 years ago
Primary sector
Technology · 10 hits

About

DragonRansomware is a relatively new ransomware operation that emerged in December 2024, appearing to be financially motivated based on its targeting patterns and operational characteristics. The group's origin and potential affiliations remain unclear due to its recent emergence, though its global targeting scope suggests either international operations or ransomware-as-a-service capabilities. With 39 documented victims across multiple continents, the group demonstrates a broad attack methodology that has successfully compromised organizations in India, the United States, Saudi Arabia, the United Kingdom, and China, with particular focus on technology companies, business services, transportation and logistics firms, and educational institutions. The group's attack vectors, encryption methods, and specific tools remain largely undocumented in public threat intelligence reporting from major security firms and government agencies. Given the limited timeframe since its first observation in December 2024, notable high-profile campaigns and major incidents have not yet been extensively documented by established threat intelligence sources such as CISA, FBI, or leading cybersecurity research organizations. DragonRansomware appears to remain active as of early 2025, though comprehensive analysis of its operational capabilities and long-term threat potential requires additional observation and documentation by the cybersecurity community.

Timeline

1 months
2024-12-01T00:00:00+00:00 · 39
2024-12-01T00:00:00+00:002024-12-01T00:00:00+00:00

Top countries

🇮🇳 India
10
🇺🇸 United States
5
🇸🇦 Saudi Arabia
4
🇬🇧 United Kingdom
2
🇨🇳 China
2
🇦🇪 United Arab Emirates
1
🇺🇾 Uruguay
1
🇰🇷 South Korea
1

Top sectors

Technology
10
Business Services
9
Transportation/Logistics
5
Education
4
Manufacturing
2
Hospitality and Tourism
2
Financial
2
Healthcare
1

MITRE ATT&CK

4 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1059Command and Scripting Interpreter
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Source

Updated 2 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time dragonransomware posts a victim.

Add dragonransomware to your watchlist — Pro pings you within 5 minutes of any new dragonransomware leak-site post, Telegram callout, or affiliate-rebrand inference.