Introduction
DragonForce [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], a ransomware-as-a-service (RaaS) operation [1] [2] [5] [7] [8] [9] [10] [11], has evolved significantly since its inception in August 2023 [10]. By March 2025 [2] [5] [8] [10], it rebranded itself as a “ransomware cartel,” reflecting a strategic shift towards a decentralized model that empowers affiliates to create their own brands while utilizing DragonForce’s extensive infrastructure and tools.
Description
DragonForce’s infrastructure includes essential resources such as administration and client panels, encryption and ransom negotiation tools [6] [7] [8] [9] [10], a file storage system for stolen information, a Tor-based leak site [2] [7] [8] [9] [10] [11], and technical support services [10]. Affiliates have the option to conduct attacks under the DragonForce name or their own [1], effectively white-labeling the service [1]. This flexibility caters to both less experienced individuals and more sophisticated operators who may prefer to deploy their own custom malware.
In February 2024 [5] [10], DragonForce launched a new affiliate program on underground forums, termed “Bring Your Own Malware.” This initiative simplifies ransomware operations for partners, enabling them to conduct attacks without the complexities of managing infrastructure or resources, making it particularly appealing to those with limited technical expertise. By March 2025 [2] [5] [8] [10], the cartel had reported targeting 136 organizations on its leak site, highlighting its growing impact in the cybercrime landscape.
DragonForce claims to retain only 20% of the ransoms paid, an incentive for affiliates to join the network. A larger affiliate base in turn improves profitability, especially as victims become increasingly resistant to paying ransoms. The cartel adopts a selective approach, intentionally avoiding attacks on hospitals and aiming to support certain vulnerable populations [3], which reflects an atypical moral stance within the ransomware ecosystem.
The shared infrastructure also introduces significant risks: because affiliates are interconnected, if one affiliate is compromised, the operational and victim details of others could be exposed [6] [8], jeopardizing entire networks of coordinated attacks [11].
The cartel has reportedly attracted several notable gangs [4], including the newly formed RansomBay [4], indicating a growing influence and an expanding network of criminal affiliates [4]. Strict rules are enforced to maintain order within the operation [4], with affiliates facing expulsion for any violations [1], further solidifying its structure in the competitive landscape of cybercrime.
Conclusion
The evolution of DragonForce into a ransomware cartel underscores its growing influence in the cybercrime landscape. Its decentralized model and affiliate incentives have expanded its reach, but the shared infrastructure is also a weakness for the operation: the compromise of one affiliate could expose the others. As DragonForce continues to attract affiliates, its selective targeting and moral stance may influence future ransomware operations. The potential exposure of interconnected networks remains a critical concern, and vigilant mitigation strategies are needed to counteract the expanding threat.
References
[1] https://wmtech.io/dragonforce-expands-ransomware-model-with-white-label-branding-scheme/
[2] https://gbhackers.com/dragonforce-and-anubis-ransomware-gangs/
[3] https://www.hendryadrian.com/dragonforce-expands-ransomware-model-with-white-label-branding-scheme/
[4] https://franetic.com/dragonforce-launches-ransomware-white-label-program/
[5] https://cybersecuritynews.com/dragonforce-and-anubis-ransomware-operators/
[6] https://b2bdaily.com/it/ransomware-gangs-evolve-with-new-affiliate-models-and-strategies/
[7] https://www.techzine.eu/news/security/130822/bring-your-own-malware-ransomware-innovates-again/
[8] https://www.infosecurity-magazine.com/news/novel-ransomware-affiliate-schemes/
[9] https://ciso2ciso.com/law-enforcement-crackdowns-drive-novel-ransomware-affiliate-schemes-source-www-infosecurity-magazine-com/
[10] https://www.infopoint-security.de/ransomware-gruppen-entwickeln-ihre-affiliate-modelle-weiter/a40560/
[11] https://www.cyclonis.com/ransomware-gangs-evolve-new-affiliate-models-lure-cybercriminals/