On 14 June 2026, a ransomware group called DragonForce claimed responsibility for an attack on INK, a UK production studio. That claim came just weeks after the same group was linked to damaging breaches at Marks & Spencer, Co-op and Harrods. If you run a small or medium-sized business in the UK, this is not a story you can scroll past.

What is DragonForce?

DragonForce is not a single gang of hackers working from one location. It is a Ransomware-as-a-Service (RaaS) operation — think of it like a criminal franchise. The core group builds and maintains the ransomware tools and infrastructure, then rents them out to affiliate attackers who do the actual targeting. Those affiliates keep a cut of any ransom paid.

This model matters because it means the barrier to launching a ransomware attack has dropped significantly. Any criminal with modest technical knowledge can now access professional-grade attack tools. They do not need to be sophisticated. They just need a way in — and UK SMEs are increasingly providing one.

The scale of the damage so far

The M&S breach, which began in April 2026, cost the retailer an estimated £42 million in lost sales. Online orders were disrupted for weeks. That figure is painful for a FTSE 100 company. For a business with 20 or 50 staff, a similar incident — encrypted files, locked systems, frozen operations — could be fatal.

Co-op was forced to take parts of its IT infrastructure offline. Harrods restricted network access. These are organisations with dedicated security teams. The attack still got through.

How DragonForce gets in

DragonForce affiliates use a relatively small set of entry points, and understanding them helps you defend against them.

Phishing emails remain the most common starting point. An employee clicks a link or opens an attachment that looks legitimate. That single click can give an attacker a foothold inside your network.

Weak remote access is the second major route. If your business uses remote desktop or VPN access and those credentials are weak, reused, or not protected by multi-factor authentication, you are exposed.

Your IT provider’s tools are an increasingly serious risk. DragonForce affiliates have been observed exploiting software called SimpleHelp — a remote monitoring and management (RMM) tool widely used by IT support companies and managed service providers (MSPs). If your IT provider uses tools like this to manage your systems, their compromise becomes your compromise. You inherit their vulnerability.

Why SMEs are now the primary target

Large organisations have started hardening their defences. That pushes attackers toward softer targets. SMEs typically underinvest in security because they assume they are not interesting enough to attack. That assumption is exactly what makes them attractive.

You do not need to be holding sensitive government data or managing critical infrastructure. Locked-up business systems, customer records, financial data and the disruption to daily operations are valuable enough.

5 things to do this week

These are not theoretical suggestions. Do them now.

  1. Turn on multi-factor authentication (MFA) for every account that supports it — email, cloud storage, accounting software, remote access. This single step blocks the majority of credential-based attacks.

  2. Ask your IT provider what remote management tools they use to access your systems, and whether those tools have been patched against known vulnerabilities. If they cannot answer clearly, that is a problem.

  3. Test your backups. Many businesses have backups that have never actually been restored. A backup you cannot recover from is not a backup. Try it.

  4. Run a phishing awareness reminder with your team. It does not need to be a formal training course. A brief conversation about what suspicious emails look like is better than nothing.

  5. Know who to call. If you suspect an incident, report it to the National Cyber Security Centre (NCSC) at ncsc.gov.uk and use KeepSafe.Report to log and track the incident. Having a plan before something happens reduces the chaos significantly.
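One way to carry out the restore test in step 3, as an added example that is not part of the original article: restore a backup archive into a scratch directory and compare every file's SHA-256 against a manifest recorded when the backup was taken. It assumes backups are tar archives; the function names and sample files are hypothetical and the data is constructed.

```python
import hashlib, tarfile, tempfile
from pathlib import Path

def manifest(root):
    """Map each file's relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def restore(archive, dest):
    """Restore regular files only, refusing member paths that escape dest."""
    dest = Path(dest).resolve()
    with tarfile.open(archive) as tar:
        for member in tar:
            if not member.isfile():
                continue
            target = (dest / member.name).resolve()
            if dest not in target.parents:
                raise ValueError(f"unsafe path in archive: {member.name}")
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(tar.extractfile(member).read())

def restore_test(archive, expected):
    """Restore into a scratch directory and compare with the expected manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            restore(archive, scratch)
        except (tarfile.TarError, OSError, EOFError, ValueError) as exc:
            return {"ok": False, "error": repr(exc), "missing": [], "corrupt": []}
        restored = manifest(scratch)
    missing = sorted(set(expected) - set(restored))
    corrupt = sorted(k for k in expected if k in restored and restored[k] != expected[k])
    return {"ok": not (missing or corrupt), "error": None,
            "missing": missing, "corrupt": corrupt}

def demo():
    """Constructed data: a good backup, one that skipped a file, a truncated one."""
    with tempfile.TemporaryDirectory() as work:
        data = Path(work, "data")
        (data / "accounts").mkdir(parents=True)
        (data / "accounts" / "ledger.csv").write_text("date,amount\n2026-06-01,120.00\n")
        (data / "customers.txt").write_text("constructed sample record\n")
        expected = manifest(data)
        good, partial, cut = (Path(work, n) for n in ("good.tgz", "partial.tgz", "cut.tgz"))
        for archive, skip in ((good, ()), (partial, ("customers.txt",))):
            with tarfile.open(archive, "w:gz") as tar:
                for rel in expected:
                    if rel not in skip:
                        tar.add(data / rel, arcname=rel)
        cut.write_bytes(good.read_bytes()[: good.stat().st_size // 2])
        return [restore_test(a, expected) for a in (good, partial, cut)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Only the first archive passes: the second backup job silently skipped a file and the third was cut short, and neither failure shows until a restore is attempted.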

The supply chain angle

The SimpleHelp RMM attack vector deserves particular attention. Many SMEs outsource their IT entirely, which is sensible — but it means trusting a third party with deep access to your systems. If that provider’s tools are compromised, an attacker can move from their systems to yours without you seeing anything unusual.

Ask your IT provider directly: are you aware of the SimpleHelp vulnerability exploited in DragonForce attacks? Have you patched or replaced it? The question itself signals that you are paying attention, which tends to sharpen supplier focus.

Getting ahead of the next one

DragonForce is active and expanding its affiliate network. The INK attack on 14 June shows the group is not slowing down. If you want to stay ahead of threats like this without having to monitor security news yourself, ApplyAI.org.uk has tools that use AI-assisted monitoring to flag risks relevant to your business type and size. The LTI Observatory also tracks active threat groups and publishes alerts when something like this escalates.

This is a live, active threat affecting UK businesses right now — not a hypothetical scenario for a future risk register. The steps above are small. The cost of not taking them could be very large.