DragonForce ransomware group evolves new cartel business model

News
By published

DragonForce takes on the affiliate market

Lock on Laptop Screen
(Image credit: Shutterstock.com) (Image credit: Future)
  • DragonForce is selling its ransomware as a service that can be rebranded
  • The group will handle malware development, leak sites, and more
  • RaaS democratizes malware – as if AI hadn't done enough damage

Inspired by drug gangs, ransomware group DragonForce is bringing a new business model to the ransomware scene, and it involves cooperating with other ransomware gangs.

DragonForce has now been observed offering a white-label affiliate model, allowing others to use their infrastructure and malware while branding attacks under their own name.

With this model, affiliates won't need to manage the infrastructure and DragonForce will take care of negotitation sites, malware develpoment and data leak sites.

DragonForce evolves the ransomware scene with a new business model

"Advertised features include administration and client panels, encryption and ransom negotiation tools, a file storage system, a Tor-based leak site and .onion domain, and support services," cybersecurity researchers from Secureworks explained.

Secureworks explained that, in a March 2025 underground post, DragonForce rebranded itself as a "cartel," announcing a shift to a distributed model. DragonForce first appeared in August 2023.

Anubis, a much newer ransomware group that's been operating since December 2024, has also launched its own affiliate scheme, including a traditional ransomware-as-a-service product that nets affiliates 80% of their ransoms.

Much like artificial intelligence has already democratized access to coding, these models are further extending access to ransomware, meaning that less technical threat actors can target victims. The flexibility and reduced operational burdens are also key selling points.

The exact number of affiliates using these schemes is virtually untraceable, however Bleeping Computer has reported that RansomBay has already joined DragonForce's scheme.

"Cybercriminals are motivated by financial gain, so they are adopting innovative models and aggressive pressure tactics to shift the trend in their favor," Secureworks added.

The usual principles apply when it comes to protecting yourself from any type of ransomware – regularly patching internet-facing devices, implementing phishing-resistant multi-factor authentication (MFA), maintaining robust backups and monitoring networks for malicious activity are all important steps to take.

You might also like

TOPICS
Craig Hale
Craig Hale

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.