Sophos has flagged a growing battle for control in the ransomware world, with its Counter Threat Unit (CTU) calling attention to a group named DragonForce. The group recently claimed responsibility for ransomware attacks targeting Marks & Spencer and other retail businesses.
“DragonForce is not just another ransomware brand, it’s a destabilizing force trying to reshape the ransomware landscape,” said Aiden Sinnott, senior threat researcher at Sophos Counter Threat Unit.
While the group has drawn attention for its UK retail attacks, Sinnott pointed to signs of a broader struggle within the cybercrime ecosystem. DragonForce appears to be clashing with other known ransomware operators, such as RansomHub, in a bid for dominance, especially after the disruption of LockBit’s operations. The rivalry has escalated beyond traditional attacks, with DragonForce actively targeting infrastructure used by competing groups and leaking their internal data.
Sophos’ Managed Detection and Response (MDR) team also uncovered technical evidence from a separate incident involving DragonForce. The group reportedly abused SimpleHelp, a legitimate remote management tool, to compromise a managed service provider (MSP). By installing a tampered SimpleHelp file, attackers were able to breach the MSP’s system, steal credentials, and move laterally into client environments, marking a supply chain-style attack.
According to Sophos, remote access remains a weak point across industries. The 2025 Sophos Threat Report found that commercial remote access tools are the most commonly misused software in ransomware operations. As cybercriminals grow more advanced, exploiting the trust between MSPs and their clients has become a fast and effective way to scale attacks.
Get the latest before it trends. Follow Back End News on LinkedIn, Facebook, X, YouTube, and TikTok for updates and in-depth coverage across the tech and security landscape.