DragonForce Cartel Ransomware Emerges with Conti-Derived Encryption
Summary
A new ransomware operation, DragonForce, has emerged, leveraging leaked Conti source code. This group has adopted a cartel-like structure, encouraging affiliates to create branded variants. DragonForce uses Conti's ChaCha20 and RSA encryption, targeting both local storage and network shares via SMB. The group has conducted coordinated attacks and recruited affiliates, including Devman, and has partnered with Scattered Spider for initial access operations. DragonForce has shown aggressive tactics, defacing rival groups' infrastructure and attempting server takeovers. Security experts advise robust backup practices, network segmentation, and consistent patching to defend against such threats.
Timeline
- 04.11.2025 15:45 · 1 article
DragonForce Cartel Ransomware Emerges with Conti-Derived Encryption
DragonForce, a new ransomware operation built on Conti’s leaked source code, has surfaced. The group has adopted a cartel-like structure, encouraging affiliates to create branded variants and using Conti's ChaCha20 and RSA encryption. DragonForce has conducted coordinated attacks, recruited affiliates like Devman, and partnered with Scattered Spider. The group has shown aggressive tactics by defacing and attempting to take over rival infrastructure.
Sources:
- DragonForce Cartel Emerges as Conti-Derived Ransomware Threat — www.infosecurity-magazine.com — 04.11.2025 15:45
Information Snippets
- DragonForce ransomware uses Conti's ChaCha20 and RSA encryption, generating a unique key per file and appending a 10-byte metadata block.
First reported: 04.11.2025 15:45 · 1 source, 1 article
Sources:
- DragonForce Cartel Emerges as Conti-Derived Ransomware Threat — www.infosecurity-magazine.com — 04.11.2025 15:45
- DragonForce encrypts both local storage and network shares via SMB, using Conti-style routines and a hidden configuration system.
First reported: 04.11.2025 15:45 · 1 source, 1 article
Sources:
- DragonForce Cartel Emerges as Conti-Derived Ransomware Threat — www.infosecurity-magazine.com — 04.11.2025 15:45
- The ransomware supports full, partial, and header-only encryption modes.
First reported: 04.11.2025 15:45 · 1 source, 1 article
Sources:
- DragonForce Cartel Emerges as Conti-Derived Ransomware Threat — www.infosecurity-magazine.com — 04.11.2025 15:45
- DragonForce has recruited affiliates such as Devman, who initially used Mamona-based variants before switching to DragonForce-built strains.
First reported: 04.11.2025 15:45 · 1 source, 1 article
Sources:
- DragonForce Cartel Emerges as Conti-Derived Ransomware Threat — www.infosecurity-magazine.com — 04.11.2025 15:45
- DragonForce has partnered with Scattered Spider for initial access operations, contributing to an incident impacting UK retailer Marks & Spencer.
First reported: 04.11.2025 15:45 · 1 source, 1 article
Sources:
- DragonForce Cartel Emerges as Conti-Derived Ransomware Threat — www.infosecurity-magazine.com — 04.11.2025 15:45
- The group has defaced BlackLock’s leak site and attempted to take over Ransomhub’s servers, demonstrating aggressive tactics.
First reported: 04.11.2025 15:45 · 1 source, 1 article
Sources:
- DragonForce Cartel Emerges as Conti-Derived Ransomware Threat — www.infosecurity-magazine.com — 04.11.2025 15:45
Similar Happenings
Scattered Spider, ShinyHunters, and LAPSUS$ Form Unified Cyber Extortion Collective
A new cyber extortion collective, Scattered LAPSUS$ Hunters (SLH), has emerged as a unified alliance combining Scattered Spider, ShinyHunters, and LAPSUS$. The group is leveraging the reputational capital of these three high-profile criminal brands to create a consolidated threat identity. SLH is using Telegram as a command hub and brand engine, cycling through public channels to maintain a persistent presence. The alliance aims to fill the void left by the collapse of BreachForums and attract displaced operators with an affiliate-driven extortion model. SLH has created 16 Telegram channels since August 8, 2025, and offers an extortion-as-a-service (EaaS) model. The group is part of a larger cybercriminal enterprise known as The Com and has associations with other threat clusters, including CryptoChameleon and Crimson Collective. SLH's activities blend financially motivated cybercrime and attention-driven hacktivism, with a mature grasp of perception and legitimacy within the cybercriminal ecosystem. The group has hinted at developing a custom ransomware family named Sh1nySp1d3r and is aligned with DragonForce, functioning as an affiliate to break into targets through social engineering techniques.