DragonForce ransomware group evolves new cartel business model
- DragonForce is selling its ransomware as a service that can be rebranded
- The group will handle malware development, leak sites, and more
- RaaS democratizes malware – as if AI hadn’t done enough damage
Inspired by drug gangs, ransomware group DragonForce is bringing a new business model to the ransomware scene, and it involves cooperating with other ransomware gangs.
DragonForce has now been observed offering a white-label affiliate model, allowing others to use their infrastructure and malware while branding attacks under their own name.
With this model, affiliates won’t need to manage the infrastructure and DragonForce will take care of negotitation sites, malware develpoment and data leak sites.
DragonForce evolves the ransomware scene with a new business model
“Advertised features include administration and client panels, encryption and ransom negotiation tools, a file storage system, a Tor-based leak site and .onion domain, and support services,” cybersecurity researchers from Secureworks explained.
Secureworks explained that, in a March 2025 underground post, DragonForce rebranded itself as a “cartel,” announcing a shift to a distributed model. DragonForce first appeared in August 2023.
Anubis, a much newer ransomware group that’s been operating since December 2024, has also launched its own affiliate scheme, including a traditional ransomware-as-a-service product that nets affiliates 80% of their ransoms.
Much like artificial intelligence has already democratized access to coding, these models are further extending access to ransomware, meaning that less technical threat actors can target victims. The flexibility and reduced operational burdens are also key selling points.
The exact number of affiliates using these schemes is virtually untraceable, however Bleeping Computer has reported that RansomBay has already joined DragonForce’s scheme.
“Cybercriminals are motivated by financial gain, so they are adopting innovative models and aggressive pressure tactics to shift the trend in their favor,” Secureworks added.
The usual principles apply when it comes to protecting yourself from any type of ransomware – regularly patching internet-facing devices, implementing phishing-resistant multi-factor authentication (MFA), maintaining robust backups and monitoring networks for malicious activity are all important steps to take.
You might also like
DragonForce is selling its ransomware as a service that can be rebranded The group will handle malware development, leak sites, and more RaaS democratizes malware – as if AI hadn’t done enough damage Inspired by drug gangs, ransomware group DragonForce is bringing a new business model to the ransomware scene,…
