Sophos’ Counter Threat Unit (CTU) is observing what appears to be a “turf war” in the ransomware landscape, as threat actors battle for control and notoriety. One group, DragonForce, which is responsible for the recent ransomware attack against Marks & Spencer and other retailers, has emerged as a serious contender for dominance.
Aiden Sinnott, senior threat researcher at the Sophos Counter Threat Unit, said: “DragonForce is not just another ransomware brand – it’s a destabilizing force trying to reshape the ransomware landscape. While in the UK the group has dominated recent headlines after high-profile attacks on retailers, behind the scenes of the ransomware ecosystem there seems to be some jostling between it and e-crime groups such as RansomHub. As the ecosystem continues to quickly evolve after the takedown of LockBit, this ‘turf war’ highlights the efforts of this group, in particular, to claim dominance.”
But DragonForce isn’t just expanding through headline-grabbing retail attacks – it’s also going on the offensive against rival ransomware groups, actively targeting competitors’ infrastructure and data to disrupt their operations and claim more territory. This kind of sabotage, including leaking internal data from other ransomware actors, signals an aggressive shift in tactics within the cybercriminal underground.
In addition to these aggressive moves, the Sophos Managed Detection and Response (MDR) team uncovered new technical details in an incident involving DragonForce. The attackers exploited vulnerabilities in the legitimate remote management tool SimpleHelp to target a managed service provider (MSP). By forcibly installing a malicious SimpleHelp file, DragonForce was able to gain access to the MSP’s control panel and carry out a supply chain-style attack, harvesting credentials and moving laterally across multiple client environments.
This tactic demonstrates the group’s increasing sophistication. Remote access continues to be a critical vulnerability: commercial remote access tools were the most frequently abused legitimate software in ransomware incidents, according to the 2025 Sophos Threat Report. As ransomware operations mature, exploiting the trust between MSPs and their customers has become a powerful method of scaling attacks quickly and efficiently.
