
Daily Security Review

DragonForce Ransomware Hits Belk: 150GB Data Leak and Operational Chaos

15 Jul 2025

Description

In this episode, we dive into the May 2025 ransomware attack on Belk, the iconic U.S. department store chain, orchestrated by the DragonForce ransomware group—a fast-rising player in the ransomware-as-a-service (RaaS) ecosystem. The cyberattack brought down Belk’s online and in-store operations for days, exfiltrated over 156GB of sensitive data, and sparked legal action following the delayed breach disclosure. With customer names and Social Security numbers compromised and leaked, the impact has rippled far beyond Belk’s systems.

We examine how this attack fits into a broader RaaS-fueled campaign against the retail sector, including recent incidents at Marks & Spencer, Co-op Group, and Harrods. DragonForce, leveraging a model built on affiliate partnerships and rebranded ransomware payloads, is lowering the barrier to entry for cybercriminals—enabling less sophisticated actors to inflict enterprise-level damage.

This episode covers:

- The attack timeline and operational disruption across Belk's digital and physical storefronts
- What DragonForce stole—and why their leak site appearance suggests Belk didn’t pay the ransom
- The role of RaaS in expanding ransomware's reach, making powerful attack infrastructure available to anyone with money and motive
- How DragonForce affiliates, including those tied to Scattered Spider, are combining social engineering, credential theft, and advanced TTPs to bypass defenses
- Why retail chains are increasingly at risk—and how many still underestimate the severity of the threat
- Key defensive takeaways: from phishing-resistant MFA to Active Directory hardening, breach simulation exercises, and incident response planning

The Belk breach illustrates the evolving nature of ransomware, where supply chain access, insider tricks, and layered obfuscation tactics are the norm—not the exception. As regulatory scrutiny rises and ransomware groups professionalize, retailers and mid-market enterprises must reframe security not as an IT task, but as a business continuity imperative.
